# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only
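# NixOS module for the SilverBullet notes server: declares the
# `clicks.services.silverbullet` options and, when enabled, wires the upstream
# `services.silverbullet` unit behind the clicks nginx reverse proxy with
# tailscale auth on the main route.
{
  inputs,
  lib,
  config,
  pkgs,
  system,
  ...
}:
let
  cfg = config.clicks.services.silverbullet;

  # Every nginx route below forwards to the same SilverBullet listener.
  upstream = lib.clicks.nginx.http.reverseProxy cfg.addr cfg.port;

  # Tie the unit to nginx only when the clicks nginx service is enabled.
  nginxUnits = lib.optional config.clicks.services.nginx.enable "nginx.service";
in
{
  options.clicks.services.silverbullet = {
    enable = lib.mkEnableOption "The silverbullet notes server";
    tailscaleAuth = lib.mkEnableOption "Lock silverbullet to only be accessible on your tailnet";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain to host your silverbullet server on";
    };
    addr = lib.mkOption {
      type = lib.types.str;
      description = "Where to host silverbullet";
      # Loopback by default, so the listener is only reachable through nginx.
      default = "127.0.0.1";
    };
    port = lib.mkOption {
      # `port` rejects values outside 0-65535 at evaluation time.
      type = lib.types.port;
      description = "Port to host silverbullet on";
      default = 1026;
    };
  };

  config = lib.mkIf cfg.enable {
    clicks = {
      services.nginx.enable = true;
      services.nginx.hosts.${cfg.domain} = {
        routes = {
          # Only this gets locked behind tailscaleAuth - annoying normally but
          # in this case handy.
          "/" = upstream;

          # Regex locations are matched ahead of the "/" prefix location, so
          # these paths are served WITHOUT the auth applied to "/".
          # They are anchored with ^ and have their literal dots escaped so
          # that only these exact asset paths are exempt; an unanchored
          # pattern would also exempt any longer path that merely ends in the
          # same suffix.
          # NOTE(review): presumably exempted because the browser fetches
          # these PWA assets outside the authenticated session - confirm.
          "~ ^/\\.client/manifest\\.json$" = upstream;
          "~ ^/\\.client/[a-zA-Z0-9_-]+\\.png$" = upstream;
          "~ ^/service_worker\\.js$" = upstream;
        };
        www = false;
        # We will set up tailscale auth manually, as we need to exclude some
        # paths from it.
        authWith = null;
      };

      # NOTE(review): this is enabled for the domain regardless of
      # cfg.tailscaleAuth; that option only gates networking.tailscale.enable
      # below. Confirm this is intended. If it is ever made conditional, the
      # "/" route would be proxied without this auth whenever the option is
      # off (its default), so pair that change with another access control.
      services.tailscaleAuth = {
        enable = true;
        hosts = [ cfg.domain ];
      };
      networking.tailscale.enable = lib.mkIf cfg.tailscaleAuth true;

      # Persist the notes directory across reboots, readable by its owner only.
      storage.impermanence.persist.directories = [
        {
          directory = config.services.silverbullet.spaceDir;
          mode = "0700";
          defaultPerms.mode = "0700";
        }
      ];
    };

    services.silverbullet = {
      enable = true;
      listenPort = cfg.port;
      listenAddress = cfg.addr;
      # Silverbullet moves fast, the version currently in stable is
      # unacceptably out-of-date.
      package = inputs.unstable.legacyPackages.${system}.silverbullet;
    };

    systemd.services.silverbullet = {
      requires = nginxUnits;
      after = nginxUnits;
    };
  };
}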