back interdiff of round #2 and #1

fix(server): disable zsh new user welcome #71

merged
opened by a.starrysky.fyi targeting main from private/minion/push-ksqmwrryxmky
options
unified split
files
packetmix
systems
server
zsh.nix
umber
acme.nix
silverbullet.nix
tailscale.nix
workspace.josh.license
ERROR
packetmix/systems/server/zsh.nix

Failed to calculate interdiff for this file.

ERROR
packetmix/workspace.josh.license

Failed to calculate interdiff for this file.

NEW
packetmix/systems/umber/acme.nix
 
···

       

       
1

       
+

       
# SPDX-FileCopyrightText: 2025 FreshlyBakedCake


     

       

       
2

       
+

       
#


     

       

       
3

       
+

       
# SPDX-License-Identifier: MIT


     

       

       
4

       
+

       



     

       

       
5

       
+

       
{


     

       

       
6

       
+

       
  security.acme = {


     

       

       
7

       
+

       
    acceptTerms = true;


     

       

       
8

       
+

       
    defaults = {


     

       

       
9

       
+

       
      email = "acme@starrysky.fyi";


     

       

       
10

       
+

       
      dnsProvider = "cloudflare";


     

       

       
11

       
+

       
      environmentFile = "/secrets/acme/environmentFile";


     

       

       
12

       
+

       
    };


     

       

       
13

       
+

       
  };


     

       

       
14

       
+

       



     

       

       
15

       
+

       
  clicks.storage.impermanence.persist.directories = [ "/var/lib/acme" ];


     

       

       
16

       
+

       
}
NEW
packetmix/systems/umber/silverbullet.nix
 
···

       

       
1

       
+

       
# SPDX-FileCopyrightText: 2025 FreshlyBakedCake


     

       

       
2

       
+

       
#


     

       

       
3

       
+

       
# SPDX-License-Identifier: MIT


     

       

       
4

       
+

       



     

       

       
5

       
+

       
{


     

       

       
6

       
+

       
  project,


     

       

       
7

       
+

       
  system,


     

       

       
8

       
+

       
  config,


     

       

       
9

       
+

       
  ...


     

       

       
10

       
+

       
}:


     

       

       
11

       
+

       
{


     

       

       
12

       
+

       
  clicks.storage.impermanence.persist.directories = [


     

       

       
13

       
+

       
    {


     

       

       
14

       
+

       
      directory = config.services.silverbullet.spaceDir;


     

       

       
15

       
+

       
      mode = "0700";


     

       

       
16

       
+

       
      defaultPerms.mode = "0700";


     

       

       
17

       
+

       
    }


     

       

       
18

       
+

       
  ];


     

       

       
19

       
+

       



     

       

       
20

       
+

       
  services.silverbullet = {


     

       

       
21

       
+

       
    enable = true;


     

       

       
22

       
+

       
    listenPort = 1024;


     

       

       
23

       
+

       
    listenAddress = "127.0.0.1";


     

       

       
24

       
+

       
    package = project.inputs.nixos-unstable.result.${system}.silverbullet;


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       



     

       

       
27

       
+

       
  services.nginx.enable = true;


     

       

       
28

       
+

       
  services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {


     

       

       
29

       
+

       
    listenAddresses = [ "localhost.tailscale" ];


     

       

       
30

       
+

       



     

       

       
31

       
+

       
    addSSL = true;


     

       

       
32

       
+

       
    enableACME = true;


     

       

       
33

       
+

       
    acmeRoot = null;


     

       

       
34

       
+

       



     

       

       
35

       
+

       
    serverAliases = [ "umber.clicks.domains" ];


     

       

       
36

       
+

       



     

       

       
37

       
+

       
    locations."/" = {


     

       

       
38

       
+

       
      proxyPass = "http://$silverbullet_upstream_minion_only";


     

       

       
39

       
+

       
      recommendedProxySettings = true;


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       



     

       

       
43

       
+

       
  services.nginx.virtualHosts."silverbullet_access_denied" = {


     

       

       
44

       
+

       
    listen = [


     

       

       
45

       
+

       
      {


     

       

       
46

       
+

       
        addr = "127.0.0.1";


     

       

       
47

       
+

       
        port = 403;


     

       

       
48

       
+

       
      }


     

       

       
49

       
+

       
    ];


     

       

       
50

       
+

       
    locations."/".return =


     

       

       
51

       
+

       
      ''403 '403 - Access Denied: Your device is logged on to tailscale as '$http_x_webauth_user'. Unfortunately, this is a private silverbullet instance for 'minion', please use https://silverbullet.clicks.codes instead' '';


     

       

       
52

       
+

       
  };


     

       

       
53

       
+

       



     

       

       
54

       
+

       
  services.nginx.commonHttpConfig = ''


     

       

       
55

       
+

       
    map $auth_user $silverbullet_upstream_minion_only {


     

       

       
56

       
+

       
      default 127.0.0.1:403;


     

       

       
57

       
+

       
      minion 127.0.0.1:1024;


     

       

       
58

       
+

       
    }


     

       

       
59

       
+

       
  '';


     

       

       
60

       
+

       



     

       

       
61

       
+

       
  services.nginx.tailscaleAuth = {


     

       

       
62

       
+

       
    enable = true;


     

       

       
63

       
+

       
    virtualHosts = [ "silverbullet.starrysky.fyi" ];


     

       

       
64

       
+

       
  };


     

       

       
65

       
+

       
}
NEW
packetmix/systems/umber/tailscale.nix
 
···

       

       
1

       
+

       
# SPDX-FileCopyrightText: 2025 FreshlyBakedCake


     

       

       
2

       
+

       
#


     

       

       
3

       
+

       
# SPDX-License-Identifier: MIT


     

       

       
4

       
+

       



     

       

       
5

       
+

       
{


     

       

       
6

       
+

       
  networking.hosts."100.64.0.48" = [ "localhost.tailscale" ];


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  services.nginx.defaultListenAddresses = [


     

       

       
9

       
+

       
    "0.0.0.0"


     

       

       
10

       
+

       
    "[::0]"


     

       

       
11

       
+

       
    "localhost.tailscale"


     

       

       
12

       
+

       
  ];


     

       

       
13

       
+

       
}