# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

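# NixOS module for the SilverBullet notes server.
#
# SilverBullet listens on cfg.addr:cfg.port (loopback by default) and is
# published on cfg.domain through the clicks nginx reverse proxy. Tailscale
# auth is attached to the host separately, so that a few static client assets
# can stay outside of it.
{
  inputs,
  lib,
  config,
  pkgs,
  system,
  ...
}:
let
  cfg = config.clicks.services.silverbullet;

  # Every route forwards to the same local SilverBullet listener.
  upstream = lib.clicks.nginx.http.reverseProxy cfg.addr cfg.port;

  # Order silverbullet against nginx only when nginx is actually enabled.
  nginxUnits = lib.optional config.clicks.services.nginx.enable "nginx.service";
in
{
  options.clicks.services.silverbullet = {
    enable = lib.mkEnableOption "The silverbullet notes server";
    tailscaleAuth = lib.mkEnableOption "Lock silverbullet to only be accessible on your tailnet";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain to host your silverbullet server on";
    };
    addr = lib.mkOption {
      type = lib.types.str;
      description = "Where to host silverbullet";
      # Loopback keeps the backend reachable only through the reverse proxy.
      default = "127.0.0.1";
    };
    port = lib.mkOption {
      # types.port rejects values outside 0-65535 at evaluation time.
      type = lib.types.port;
      description = "Port to host silverbullet on";
      default = 1026;
    };
  };

  config = lib.mkIf cfg.enable {
    clicks = {
      services.nginx.enable = true;
      services.nginx.hosts.${cfg.domain} = {
        routes = {
          # Only this gets locked behind tailscaleAuth - annoying normally but
          # in this case handy
          "/" = upstream;

          # The regex locations below are the ones left outside tailscaleAuth,
          # so they should match exactly the intended assets and nothing else:
          # anchored at the start of the URI, with literal dots escaped.
          # Unanchored, any URI merely ending in one of these suffixes would
          # be proxied without auth.
          # NOTE(review): assumes route keys are emitted verbatim as nginx
          # location matchers - confirm against lib.clicks.nginx.
          "~ ^/\\.client/manifest\\.json$" = upstream;
          "~ ^/\\.client/[a-zA-Z0-9_-]+\\.png$" = upstream;
          "~ ^/service_worker\\.js$" = upstream;
        };
        www = false;
        # We will set up tailscale auth manually, as we need to exclude some
        # paths from it
        authWith = null;
      };

      # NOTE(review): this is enabled regardless of cfg.tailscaleAuth, which
      # only gates networking.tailscale.enable below. Confirm the intent before
      # making it conditional: gating it would drop the auth layer for hosts
      # that leave the option at its default.
      services.tailscaleAuth = {
        enable = true;
        hosts = [ cfg.domain ];
      };

      networking.tailscale.enable = lib.mkIf cfg.tailscaleAuth true;

      # Notes are persisted across reboots and readable by the owner only.
      storage.impermanence.persist.directories = [
        {
          directory = config.services.silverbullet.spaceDir;
          mode = "0700";
          defaultPerms.mode = "0700";
        }
      ];
    };

    services.silverbullet = {
      enable = true;
      listenPort = cfg.port;
      listenAddress = cfg.addr;
      # Silverbullet moves fast, the version currently in stable is
      # unacceptably out-of-date
      package = inputs.unstable.legacyPackages.${system}.silverbullet;
    };

    systemd.services.silverbullet.requires = nginxUnits;
    systemd.services.silverbullet.after = nginxUnits;
  };
}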