From a217517378bf5d94ef4a4ce9671a0bf9a5efbd74 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 7 Oct 2025 20:43:44 +0000
Subject: [PATCH] feat(pm/umber): add silverbullet
Change-Id: ulpuzunnkyuwsmovouuzkwtzqyputrmy
firebrick was my private silverbullet instance, now the job falls to umber. There needs to be a bit of extra stuff here compared to teal since as this silverbullet instance shouldn't be accessible by anyone but me (compared to everyone on the Tailscale...)
---
 packetmix/systems/teal/headscale.nix | 6 +++
 packetmix/systems/umber/acme.nix | 16 ++++++
 packetmix/systems/umber/silverbullet.nix | 64 ++++++++++++++++++++++++
 packetmix/systems/umber/tailscale.nix | 13 +++++
 packetmix/workspace.josh.license | 3 ++
 5 files changed, 102 insertions(+)
 create mode 100644 packetmix/systems/umber/acme.nix
 create mode 100644 packetmix/systems/umber/silverbullet.nix
 create mode 100644 packetmix/systems/umber/tailscale.nix
 create mode 100644 packetmix/workspace.josh.license
diff --git a/packetmix/systems/teal/headscale.nix b/packetmix/systems/teal/headscale.nix
index 8a24ede6..eb7ce2af 100644
--- a/packetmix/systems/teal/headscale.nix
+++ b/packetmix/systems/teal/headscale.nix
@@ -124,6 +124,12 @@ in
 type = "A";
 value = "100.64.0.37";
 }
+ {
+ # silverbullet.starrysky.fyi -> umber
+ name = "silverbullet.starrysky.fyi";
+ type = "A";
+ value = "100.64.0.48";
+ }
 ];
 nameservers.global = [
 "1.1.1.1"
diff --git a/packetmix/systems/umber/acme.nix b/packetmix/systems/umber/acme.nix
new file mode 100644
index 00000000..d5e1c378
--- /dev/null
+++ b/packetmix/systems/umber/acme.nix
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@starrysky.fyi";
+ dnsProvider = "cloudflare";
+ environmentFile = "/secrets/acme/environmentFile";
+ };
+ };
+
+ clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];
+}
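Review bot: The new A record hard-codes umber's tailnet address `100.64.0.48`, which the same commit also pins in `systems/umber/tailscale.nix` under `networking.hosts`; nothing ties the two together, so if umber is ever re-registered and gets a different address this name keeps pointing at the old (possibly reassigned) one while nginx on umber still filters on it. A comment on the entry, e.g. `# must match networking.hosts in systems/umber/tailscale.nix`, would at least make the coupling visible to whoever changes one of them. The enclosing record list starts before this hunk.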
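Review bot: `environmentFile = "/secrets/acme/environmentFile"` hands lego a Cloudflare API token with DNS-write rights, and nothing in this file records how that file is permissioned or how the token is scoped. As I recall the NixOS acme units run as the `acme` user, so the file must be readable by that user and nobody else (root:acme, 0640 or tighter), and the token should be limited to Zone:DNS:Edit on `starrysky.fyi` alone, because anyone who can read it can both issue certificates for every name in the zone and rewrite its records. Only `/var/lib/acme` is added to the impermanence persist list here; if `/secrets` is not persisted elsewhere, renewals will stop working after the first reboot. A comment above `environmentFile` such as `# Cloudflare token for DNS-01; root:acme 0640, scoped to Zone:DNS:Edit on starrysky.fyi only` would capture both expectations.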
diff --git a/packetmix/systems/umber/silverbullet.nix b/packetmix/systems/umber/silverbullet.nix
new file mode 100644
index 00000000..488b4711
--- /dev/null
+++ b/packetmix/systems/umber/silverbullet.nix
@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ project,
+ system,
+ config,
+ ...
+}:
+{
+ clicks.storage.impermanence.persist.directories = [
+ {
+ directory = config.services.silverbullet.spaceDir;
+ mode = "0700";
+ defaultPerms.mode = "0700";
+ }
+ ];
+
+ services.silverbullet = {
+ enable = true;
+ listenPort = 1024;
+ listenAddress = "127.0.0.1";
+ package = project.inputs.nixos-unstable.result.${system}.silverbullet;
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
+ listenAddresses = [ "localhost.tailscale" ];
+
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ serverAliases = [ "umber.clicks.domains" ];
+
+ locations."/" = {
+ proxyPass = "http://$silverbullet_upstream_minion_only";
+ recommendedProxySettings = true;
+ };
+ };
+
+ services.nginx.virtualHosts."silverbullet_access_denied" = {
+ listen = [
+ {
+ addr = "127.0.0.1";
+ port = 403;
+ }
+ ];
+ locations."/".return = ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';
+ };
+
+ services.nginx.commonHttpConfig = ''
+ map $auth_user $silverbullet_upstream_minion_only {
+ default 127.0.0.1:403;
+ minion 127.0.0.1:1024;
+ }
+ '';
+
+ services.nginx.tailscaleAuth = {
+ enable = true;
+ virtualHosts = [ "silverbullet.starrysky.fyi" ];
+ };
+}
diff --git a/packetmix/systems/umber/tailscale.nix b/packetmix/systems/umber/tailscale.nix
new file mode 100644
index 00000000..3d3609ac
--- /dev/null
+++ b/packetmix/systems/umber/tailscale.nix
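Review bot: The `return` text in the `silverbullet_access_denied` vhost closes its single-quoted string right before `$http_x_webauth_user`, and nginx's config tokenizer requires whitespace, `;` or `{` after a closing quote, so as far as I can tell this line fails `nginx -t` with `unexpected "$"` instead of interpolating the user; putting the whole message in one double-quoted nginx string (the inner `'` stay literal) fixes it: `locations."/".return = ''403 "403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead"'';`. While there, adding `default_type text/plain;` to that location keeps the reflected login name from being served under nginx's global default type. Separately, the `map $auth_user` in `commonHttpConfig` matches plain string keys case-insensitively (nginx lowercases both the key and the looked-up value), so a Headscale user named `Minion` would also be routed to the real upstream; a case-sensitive regex entry, `"~^minion$" 127.0.0.1:1024;`, with `default 127.0.0.1:403;` kept as the fail-closed branch, removes that. Note also that `$auth_user` is whatever the tailscale nginx-auth helper reports in its `Tailscale-User` header, which on Headscale may be a longer login than the bare user name — if so the map fails closed (everyone, including the owner, lands on the 403 page), which is the right direction but worth confirming before relying on it.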
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];
+
+ services.nginx.defaultListenAddresses = [
+ "0.0.0.0"
+ "[::0]"
+ "localhost.tailscale"
+ ];
+}
diff --git a/packetmix/workspace.josh.license b/packetmix/workspace.josh.license
new file mode 100644
index 00000000..d698a125
--- /dev/null
+++ b/packetmix/workspace.josh.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+
+SPDX-License-Identifier: CC0-1.0
-- 
2.43.0
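Review bot: `localhost.tailscale` in `defaultListenAddresses` is redundant next to `0.0.0.0` and restricts nothing — nginx groups `listen` directives by port and, unless `bind` is given, only opens the wildcard socket, so the tailnet address presumably only matters for vhosts that list it alone, like the silverbullet one; a comment saying that is why it is here would stop a later reader taking it for a hardening measure. The `networking.hosts."100.64.0.48"` entry pins umber's tailnet address in a second place besides the Headscale record in `systems/teal/headscale.nix`, with nothing keeping the two in sync. Also, if a port ever has no wildcard listener, nginx must bind `100.64.0.48` itself and will fail to start until `tailscale0` carries that address, which is not guaranteed at boot. A comment such as `# umber's tailnet IP; keep in sync with the silverbullet.starrysky.fyi record in systems/teal/headscale.nix` on the hosts entry would make both constraints visible.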