From d752d70220486c48d3c43f8ccce82499ced439af Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 7 Oct 2025 20:43:44 +0000
Subject: [PATCH] feat(pm/umber): add silverbullet
Change-Id: ulpuzunnkyuwsmovouuzkwtzqyputrmy
firebrick was my private silverbullet instance, now the job falls to umber. There needs to be a bit of extra stuff here compared to teal since as this silverbullet instance shouldn't be accessible by anyone but me (compared to everyone on the Tailscale...)
---
packetmix/systems/umber/acme.nix | 16 ++++++
packetmix/systems/umber/silverbullet.nix | 65 ++++++++++++++++++++++++
packetmix/systems/umber/tailscale.nix | 13 +++++
3 files changed, 94 insertions(+)
create mode 100644 packetmix/systems/umber/acme.nix
create mode 100644 packetmix/systems/umber/silverbullet.nix
create mode 100644 packetmix/systems/umber/tailscale.nix
diff --git a/packetmix/systems/umber/acme.nix b/packetmix/systems/umber/acme.nix
new file mode 100644
index 00000000..d5e1c378
--- /dev/null
+++ b/packetmix/systems/umber/acme.nix
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@starrysky.fyi";
+      dnsProvider = "cloudflare";
+      environmentFile = "/secrets/acme/environmentFile";
+    };
+  };
+
+  clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];
+}
diff --git a/packetmix/systems/umber/silverbullet.nix b/packetmix/systems/umber/silverbullet.nix
new file mode 100644
index 00000000..4123d575
--- /dev/null
+++ b/packetmix/systems/umber/silverbullet.nix
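Review bot: The Cloudflare credential loaded via `environmentFile = "/secrets/acme/environmentFile"` is what lets anyone holding it pass DNS-01 for every name in the zone, and the hunk records nothing about its scope. If it is not already, it should be an API token limited to Zone:DNS:Edit on the zones being issued for rather than the global API key, and that expectation belongs in a comment above the line, e.g. `# Cloudflare API token (lego's CLOUDFLARE_DNS_API_TOKEN), scoped to Zone:DNS:Edit on the issued zones only; DNS-01 with this token can mint certs for any name in those zones`. `/secrets` is not among the persisted directories listed here, so presumably it survives impermanence by some other route — worth confirming, since a missing env file makes every renewal fail silently until the cert expires.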
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  project,
+  system,
+  config,
+  ...
+}:
+{
+  clicks.storage.impermanence.persist.directories = [
+    {
+      directory = config.services.silverbullet.spaceDir;
+      mode = "0700";
+      defaultPerms.mode = "0700";
+    }
+  ];
+
+  services.silverbullet = {
+    enable = true;
+    listenPort = 1024;
+    listenAddress = "127.0.0.1";
+    package = project.inputs.nixos-unstable.result.${system}.silverbullet;
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
+    listenAddresses = [ "localhost.tailscale" ];
+
+    addSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    serverAliases = [ "umber.clicks.domains" ];
+
+    locations."/" = {
+      proxyPass = "http://$silverbullet_upstream_minion_only";
+      recommendedProxySettings = true;
+    };
+  };
+
+  services.nginx.virtualHosts."silverbullet_access_denied" = {
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 403;
+      }
+    ];
+    locations."/".return =
+      ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';
+  };
+
+  services.nginx.commonHttpConfig = ''
+    map $auth_user $silverbullet_upstream_minion_only {
+      default 127.0.0.1:403;
+      minion 127.0.0.1:1024;
+    }
+  '';
+
+  services.nginx.tailscaleAuth = {
+    enable = true;
+    virtualHosts = [ "silverbullet.starrysky.fyi" ];
+  };
+}
diff --git a/packetmix/systems/umber/tailscale.nix b/packetmix/systems/umber/tailscale.nix
new file mode 100644
index 00000000..3d3609ac
--- /dev/null
+++ b/packetmix/systems/umber/tailscale.nix
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+  networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];
+
+  services.nginx.defaultListenAddresses = [
+    "0.0.0.0"
+    "[::0]"
+    "localhost.tailscale"
+  ];
+}
--
2.43.0
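Review bot: The entire authorization decision is the bare key `minion` in the `map` on `$auth_user` inside `commonHttpConfig`, and nothing in the hunk says where that variable comes from or what shape its value has; the tailscaleAuth module populates `$auth_user` from nginx-auth's `Tailscale-User` header, which in tailscale's implementation is the full login name (e.g. `minion@github`), so if that holds here the key never matches and every request lands on the 403 server — fail-closed, which is the right default, but it should be confirmed against a real request and documented with a comment above the `map`, e.g. `# $auth_user is set by auth_request_set in the tailscaleAuth vhost; only the login "minion" reaches silverbullet, anything else (including an empty value if auth_request is ever removed from the vhost) is routed to the local 403 server` (nginx lowercases literal map keys before lookup, so the match is case-insensitive as far as I recall). Separately, `recommendedProxySettings = true` pulls `proxy_set_header` directives into `locations."/"`, which stops any server-level `proxy_set_header X-Webauth-User` set by the auth module from being inherited, so `$http_x_webauth_user` in the denial message is likely to render empty; `extraConfig = "proxy_set_header X-Webauth-User $auth_user;";` on that location restores it. Finally, `serverAliases = [ "umber.clicks.domains" ]` is added to the ACME certificate's SANs, so the DNS-01 credential from acme.nix must also be able to write the `clicks.domains` zone, otherwise issuance fails for the whole certificate and the vhost has no usable key. Note that silverbullet itself is reachable without any of this gating by anything on the host that can connect to 127.0.0.1:1024, which is fine for a single-user box but worth a one-line comment on `listenAddress`.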
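Review bot: `networking.hosts."100.64.0.48"` is an undocumented magic constant, and nginx can only `listen` on it once tailscaled has brought that address up; if nginx starts first the bind fails and the silverbullet vhost stays down until a restart, unless `net.ipv4.ip_nonlocal_bind` is enabled. A comment such as `# umber's Tailscale IPv4; nginx binds this so the silverbullet vhost is reachable only over the tailnet — re-check if the node is ever re-registered` plus `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` (or an explicit `systemd.services.nginx.after`/`wants` on `tailscaled.service`) makes the dependency explicit and robust. Adding `localhost.tailscale` to `defaultListenAddresses` next to `0.0.0.0` means every other vhost on this host also answers on the tailnet address, presumably so that the silverbullet vhost is not the only — and therefore default — server on that socket; that reasoning is not obvious from the three lines and deserves a comment.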