1
0
silverbullet/website/Deployments.md
2023-07-06 12:16:08 +02:00

538 lines
18 KiB
Markdown

# SilverBullet deployment examples
Below you'll find **user examples** on how to deploy SilverBullet using different alternatives.
**NOTE**: paths, usernames and passwords are just examples and should be updated to your own personal environment
**NOTE**: These deployments are based in a Linux environment though they may perfectly work in Windows and/or MacOS with minimal changes
## How to Deploy Silverbullet with Docker
This example will work both if you use `docker-compose.yml` files or a management tool like [portainer](https://www.portainer.io/).
We will configure SilverBullet with [caddy](https://caddyserver.com/) as reverse proxy, [redis](https://redis.io/) to store and share certificates and [authelia](https://www.authelia.com/) for authentication.
### Docker compose file
**IMPORTANT**: Some volumes configured below are **bind mounts** which need to be configured providing a physical folder from your machine. Don't forget to create them before turning up the containers.
**NOTE**: We are configuring SilverBullet with basic auth assuming there may be more users and applications in the server. Feel free to remove it if that is not the case, to avoid a double login requirement.
```yml
silverbullet:
container_name: silverbullet
image: zefhemel/silverbullet
volumes:
- /media/silverbullet/space:/space
ports:
- 3000:3000
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- SB_USER=${USERNAME}:${PASSWORD} #feel free to remove this if not needed
redis:
container_name: redis
image: "redis:alpine"
command: redis-server --save "" --appendonly "no"
restart: always
networks:
- searxng
tmpfs:
- /var/lib/redis
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
caddy:
container_name: caddy
image: caddy:latest
network_mode: host
restart: always
volumes:
- /media/caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data:rw
- caddy-config:/config:rw
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
- DAC_OVERRIDE
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- /media/authelia/config:/config
ports:
- 9091:9091
environment:
- PUID=1000
- PGID=1000
volumes:
caddy-data:
caddy-config:
```
In case you use SilverBullet basic auth feature, you'll need to provide the following `env` file
```shell
USERNAME=User
PASSWORD=REDACTED
```
### authelia
authelia requires two configuration files: `users_databases.yml` and `configuration.yml`
Please check the official [documentation](https://www.authelia.com/configuration/prologue/introduction) for all the possibilities.
Below you can find a very simple example that will work for our use case.
#### User configuration
Run the following command in `/media/authelia/config/` folder in order to generate the argon2id password
```shell
docker run -v ./configuration.yml:/configuration.yml -it authelia/authelia:latest authelia crypto hash generate --config /configuration.yml
```
Then copy the password in the `/media/authelia/config/users_database.yml` file
- users_database.yml
```yml
users:
User:
disabled: false
displayname: "User"
password: "$argon2id$v=19$m=65536,t=3,p=4$blahblahblah"
email: User@domain.com
groups:
- admins
```
#### configuration.yml
Simplified version, with a lot of boilerplate removed. Official template can be found [here](https://github.com/authelia/authelia/blob/master/config.template.yml)
`/media/authelia/config/configuration.yml`
```yml
# yamllint disable rule:comments-indentation
---
###############################################################################
# Authelia Configuration #
###############################################################################
## The theme to display: light, dark, grey, auto.
theme: dark
## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/c/secrets
jwt_secret: 78sfdgg3t3gwv7avjheh43
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
default_redirection_url: https://google.com/
##
## Server Configuration
##
server:
## The address to listen on.
host: 0.0.0.0
## The port to listen on.
port: 9091
## Enables the pprof endpoint.
enable_pprof: false
## Enables the expvars endpoint.
enable_expvars: false
## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
disable_healthcheck: false
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
tls:
## The path to the DER base64/PEM format private key.
key: ""
## The path to the DER base64/PEM format public certificate.
certificate: ""
## The list of certificates for client authentication.
client_certificates: []
##
## Log Configuration
##
log:
## Level of verbosity for logs: info, debug, trace.
level: debug
##
## Telemetry Configuration
##
telemetry:
##
## Metrics Configuration
##
metrics:
## Enable Metrics.
enabled: false
## The address to listen on for metrics. This should be on a different port to the main server.port value.
address: tcp://0.0.0.0:9959
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## Disable TOTP.
disable: false
## The issuer name displayed in the Authenticator application of your choice.
issuer: authelia.com
## The TOTP algorithm to use.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#algorithm
algorithm: sha1
## The number of digits a user has to input. Must either be 6 or 8.
## Changing this option only affects newly generated TOTP configurations.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#digits
digits: 6
## The period in seconds a one-time password is valid for.
## Changing this option only affects newly generated TOTP configurations.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
skew: 1
## See: https://www.authelia.com/c/totp#input-validation to read
## the documentation.
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
secret_size: 32
##
## WebAuthn Configuration
##
## Parameters used for WebAuthn.
webauthn:
## Disable Webauthn.
disable: false
## Adjust the interaction timeout for Webauthn dialogues.
timeout: 60s
## The display name the browser should show the user for when using Webauthn to login/register.
display_name: Authelia
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
## Options are none, indirect, direct.
attestation_conveyance_preference: indirect
## User verification controls if the user must make a gesture or action to confirm they are present.
## Options are required, preferred, discouraged.
user_verification: preferred
##
## NTP Configuration
##
## This is used to validate the servers time is accurate enough to validate TOTP.
ntp:
## NTP server address.
address: "time.cloudflare.com:123"
## NTP version.
version: 4
## Maximum allowed time offset between the host and the NTP server.
max_desync: 3s
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
## set this to true, and can operate in a truly offline mode.
disable_startup_check: false
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
## will continue regardless of results.
disable_failure: false
authentication_backend:
## Password Reset Options.
password_reset:
## Disable both the HTML element and the API for reset password functionality.
disable: false
refresh_interval: 5m
file:
path: /config/users_database.yml #this is where your authorized users are stored
password:
algorithm: argon2id
iterations: 1
key_length: 32
salt_length: 16
memory: 1024
parallelism: 8
##
## Password Policy Configuration.
##
password_policy:
## The standard policy allows you to tune individual settings manually.
standard:
enabled: false
## Require a minimum length for passwords.
min_length: 8
## Require a maximum length for passwords.
max_length: 0
## Require uppercase characters.
require_uppercase: true
## Require lowercase characters.
require_lowercase: true
## Require numeric characters.
require_number: true
## Require special characters.
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
## Configures the minimum score allowed.
min_score: 3
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
rules:
## bypass rule
- domain: 'auth.domain.com' #This should be your authentication URL
policy: bypass
- domain: 'silverbullet.domain.com'
resources:
- '/.client/manifest.json$'
- '/.client/[a-zA-Z0-9_-]+.png$'
- '/service_worker.js$'
policy: bypass
- domain: 'silverbullet.domain.com'
subject:
- 'group:admins'
policy: one_factor
##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
## The name of the session cookie.
name: authelia_session
## The domain to protect.
## Note: the authenticator must also be in that domain.
## If empty, the cookie is restricted to the subdomain of the issuer.
domain: domain.com
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/c/session#same_site
same_site: lax
## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
secret: 3sdffgsdgs33452j2jhgjs9gdfg
## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
## See: https://www.authelia.com/c/common#duration-notation-format
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
## because a stolen cookie will last longer giving attackers more time to spy or attack.
## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
expiration: 1h
## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user
## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last time
## Authelia detected user activity.
inactivity: 5m
## The time before the cookie expires and the session is destroyed if remember me IS selected.
## Value of -1 disables remember me.
remember_me_duration: 1M
##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
## in a short period of time.
regulation:
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
max_retries: 3
## The time range during which the user can attempt login before being banned. The user is banned if the
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
## See: https://www.authelia.com/c/common#duration-notation-format
find_time: 2m
## The length of time before a banned user can login again. Ban Time accepts duration notation.
## See: https://www.authelia.com/c/common#duration-notation-format
ban_time: 5m
##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
local:
path: /config/db.sqlite3 #this is your databse. You could use a mysql database if you wanted, but we're going to use this one.
encryption_key: 345f2f5v6c54vg2ewesd
##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
## You can disable the notifier startup check by setting this to true.
disable_startup_check: true #true/false
smtp:
username: user@gmail.com #your email address
password: apppassword #your email password
host: smtp.gmail.com #email smtp server
port: 587 #email smtp port
sender: user@gmail.com
subject: "[Authelia] {title}" #email subject
...
```
### caddy (reverse proxy)
Example of `/media/caddy/config/Caddyfile`
```yml
{
admin off
}
## It is important to read the following document before enabling this section:
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
(trusted_proxy_list) {
## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy.
trusted_proxies 192.168.0.0/16
}
# Authelia Portal.
auth.domain.com {
reverse_proxy localhost:9091 {
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
}
}
silverbullet.domain.com {
forward_auth localhost:9091 {
uri /api/verify?rd=https://auth.domain.com/
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
}
reverse_proxy localhost:3000 {
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
}
}
```
### Syncing SilverBullet with Git
- Once the server is up and running we can install git [Plug](https://github.com/silverbulletmd/silverbullet/blob/main/website/%F0%9F%94%8C%20Plugs.md) (if not installed by default)
```yaml
- github:silverbulletmd/silverbullet-git/git.plug.js
```
- we need to create a git repository to sync automatically
- Example: `https://github.com/user/silverbullet`
- Create a [github token](https://github.com/settings/tokens) to run `git pull` and `git push` within silverbullet
- Example token: ghp_sdfasdfsdfZFwJGHFGDSF554a
- Now we initialize the repo and create a first push
```shell
cd /media/silverbullet/space
git init
git add index.md
git commit -m "first commit"
git branch -M main
git remote add origin https://ghp_sdfasdfsdfZFwJGHFGDSF554a@github.com/user/silverbullet.git
git push -u origin main
git branch --set-upstream-to=origin/main main
```
- Once we confirm github sync works from the terminal, we need to add our github identity inside the container
- Connect through portainer or the command line to the silverbullet console
```shell
docker exec -it silverbullet /bin/sh
cd /space
git config user.email "user@gmail.com"
git config --global user.name "user"
```
And we are **DONE**!
We can now use SilverBullet and run `Git Sync` everytime we would like to commit and sync our changes to github.
## How to Deploy Silverbullet with Deno
- We will use **cargo** to install deno for this use case
```shell
cargo install deno --locked
```
**NOTE**: Please refer to the [official documentation](https://deno.land/manual@v1.7.5/getting_started/setup_your_environment) to set up properly your environment.
- Now we proceed to install SilverBullet
```shell
deno install -f --name silverbullet -A https://get.silverbullet.md
```
### How to run SilverBullet at boot with systemd
- Based on: [Start SilverBullet on boot using systemctl](https://github.com/silverbulletmd/silverbullet/pull/388)
- Create `/usr/local/bin/silverbullet.sh` file and make it executable:
```sh
#!/bin/bash
## Script to start SilverBullet through Deno
/home/user/.cargo/bin/deno run --allow-all --no-config https://get.silverbullet.md/ /home/user/silverbullet > /home/user/sb.log 2> /home/user/sb.err
```
- Create `/etc/systemd/system/silverbullet.service` file:
```sh
[Unit]
Description=SilverBullet
[Service]
User=user
Type=simple
ExecStart=/usr/local/bin/silverbullet.sh
[Install]
WantedBy=multi-user.target
```
- Enable and start the service
```shell
sudo systemctl enable silverbullet.service
sudo systemctl start silverbullet.service
```
- Once SilverBullet is up and running, you'll have access to the logs and errors through the `sb.log` and `sb.err` files located in `/home/user`