From fe3a62c6a5799919d8901479a2866980a2034845 Mon Sep 17 00:00:00 2001
From: Tobias Petrich
Date: Thu, 30 Apr 2026 18:50:07 +0200
Subject: [PATCH] add silverbullet with authentik forward proxy
---
ansible/ansible.cfg | 1 +
ansible/main.yml | 17 ++++-
.../files/silverbullet/silverbullet.container | 20 ++++++
ansible/roles/services/vars/main.yml | 4 ++
ansible/roles/traefik/files/dynamic.yml | 70 ++++++++++++++++++-
5 files changed, 110 insertions(+), 2 deletions(-)
create mode 100644 ansible/roles/services/files/silverbullet/silverbullet.container
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index f706229..bd7ddcf 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,3 +1,4 @@
 [defaults]
 nocows=1
 vault_identity_list=podman_hosts@./lookup-secret-client.bash
+inventory=inventories/production/hosts.yml
diff --git a/ansible/main.yml b/ansible/main.yml
index bf2d64e..f490410 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -5,6 +5,21 @@
 - common
 - hardening
 - rootless_host
- - traefik
 - backup
+ tags:
+ - host_setup
+
+- name: traefik setup
+ hosts: podman_hosts
+ roles:
+ - traefik
+ tags:
+ - traefik
+
+- name: podman services setup
+ hosts: podman_hosts
+ roles:
 - services
+ tags:
+ - services
+
diff --git a/ansible/roles/services/files/silverbullet/silverbullet.container b/ansible/roles/services/files/silverbullet/silverbullet.container
new file mode 100644
index 0000000..e46b24d
--- /dev/null
+++ b/ansible/roles/services/files/silverbullet/silverbullet.container
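Review bot: The last added line of the main.yml hunk is an empty one, so the file now ends with a blank line after `- services`; yamllint reports that, and it should be dropped so the document ends with the single newline of its last key. The split into three plays is fine, but nothing says why it was done; a comment above `- name: traefik setup` such as `# Plays are tagged so that --tags traefik or --tags services can redeploy one layer without rerunning the host setup` would document the intent the `tags:` keys only imply. The first play, which receives the `host_setup` tag, begins above this hunk.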
@@ -0,0 +1,20 @@
+[Unit]
+Description=Silverbullet deployment
+Wants=network-online.target
+After=network.target network-online.target
+
+[Container]
+ContainerName=silverbullet
+Image=ghcr.io/silverbulletmd/silverbullet:latest
+PublishPort=127.0.0.1:9300:3000
+Volume=/var/vol/silverbullet:/space:Z
+AutoUpdate=registry
+
+[Service]
+# Restart service when sleep finishes
+Restart=on-failure
+RestartSec=60
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target
diff --git a/ansible/roles/services/vars/main.yml b/ansible/roles/services/vars/main.yml
index 2128b14..c0010d6 100644
--- a/ansible/roles/services/vars/main.yml
+++ b/ansible/roles/services/vars/main.yml
@@ -59,3 +59,7 @@ services:
 - database
 - staticfiles
 - mediafiles
+ silverbullet:
+ systemd_service_name: "silverbullet"
+ service_directories:
+ - space
diff --git a/ansible/roles/traefik/files/dynamic.yml b/ansible/roles/traefik/files/dynamic.yml
index de6a06d..4c2dcfe 100644
--- a/ansible/roles/traefik/files/dynamic.yml
+++ b/ansible/roles/traefik/files/dynamic.yml
@@ -1,4 +1,23 @@
 http:
+ middlewares:
+ authentik:
+ forwardAuth:
+ address: http://localhost:9100/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
+
 routers:
 # Router for wekan.rohrschacht.de
 wekan-router:
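Review bot: `Image=ghcr.io/silverbulletmd/silverbullet:latest` combined with `AutoUpdate=registry` makes every auto-update run pull whatever the registry currently serves as `latest`, so a new upstream push goes straight onto the host with no review step; pin a release tag (`Image=ghcr.io/silverbulletmd/silverbullet:<version>`, which auto-update still follows if that tag is re-pushed) or a digest that is bumped through this role. `PublishPort=127.0.0.1:9300:3000` keeps the port off the network, but anything on the host's loopback reaches Silverbullet on 9300 without passing the authentik middleware, which exists only in Traefik; a comment such as `# Loopback only; authentication is enforced by Traefik (forwardAuth), not by the app` would stop a later change from widening the bind casually. The comment `# Restart service when sleep finishes` does not describe what `Restart=on-failure` / `RestartSec=60` do, which is retrying 60 s after a failed run; `# Retry 60s after a failed run` would.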
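Review bot: `trustForwardHeader: true` makes Traefik pass the `X-Forwarded-*` headers to the authentik outpost as they arrive at the middleware instead of rebuilding them from the connection, so their trustworthiness now depends on the `websecure` entry point's `forwardedHeaders` settings, which are not in this diff. If that entry point accepts client-supplied forwarded headers (`forwardedHeaders.insecure`, or `trustedIPs` covering untrusted ranges), a client could present its own `X-Forwarded-Host` / `X-Forwarded-Uri` to the outpost, which presumably uses them to pick the application and build redirect targets. Record the dependency above the option: `# Safe only while the websecure entryPoint does not trust client X-Forwarded-* headers (no forwardedHeaders.insecure)`. A short note on which of the twelve `authResponseHeaders` the backend actually consumes would also let the list be trimmed later rather than forwarding the JWT and metadata headers by default.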
@@ -108,6 +127,49 @@ http: certResolver: letsencrypt service: tandoor-service + # Router for silverbullet.rohrschacht.de + silverbullet-router-service-worker: + rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/service_worker.js`)" + entryPoints: + - websecure + priority: 20 + tls: + certResolver: letsencrypt + service: silverbullet-service + + # Router for silverbullet.rohrschacht.de static client assets + silverbullet-router-client: + rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/.client`)" + entryPoints: + - websecure + priority: 20 + tls: + certResolver: letsencrypt + service: silverbullet-service + + # Router for silverbullet.rohrschacht.de + silverbullet-router: + rule: "Host(`silverbullet.rohrschacht.de`)" +# rule: "Host(`silverbullet.rohrschacht.de`) && !PathPrefix(`/service_worker.js`) && !PathPrefix(`/.client`) && !PathPrefix(`/outpost.goauthentik.io/`)" + entryPoints: + - websecure + middlewares: + - authentik + priority: 10 + tls: + certResolver: letsencrypt + service: silverbullet-service + + # Router for silverbullet.rohrschacht.de authentik outpost path + silverbullet-router-auth: + rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/outpost.goauthentik.io/`)" + entryPoints: + - websecure + priority: 15 + tls: + certResolver: letsencrypt + service: authentik-service + services: # Service for wekan.rohrschacht.de wekan-service: @@ -179,4 +241,10 @@ http: tandoor-service: loadBalancer: servers: - - url: "http://localhost:9200" \ No newline at end of file + - url: "http://localhost:9200" + + # Service for silverbullet.rohrschacht.de + silverbullet-service: + loadBalancer: + servers: + - url: "http://localhost:9300" \ No newline at end of file
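Review bot: `silverbullet-router-service-worker` and `silverbullet-router-client` carry no `middlewares`, so `/service_worker.js` and everything under `/.client` is served to anyone without passing authentik; the commented-out negated rule suggests this is deliberate, but the reason and the consequence should be written down next to the first of them, e.g. `# Unauthenticated on purpose: static client assets only; confirm nothing under these prefixes exposes space content`. The column-0 `# rule:` line holding the negated-`PathPrefix` variant should either go or become a one-line reason why priorities were chosen over it. `authentik-service` is referenced by `silverbullet-router-auth` but not defined in this diff; if it is not already present in the `services` block, Traefik will, as far as I know, reject that router at load time and the login flow with it. The `routers:` mapping these entries are appended to begins above the hunk.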
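Review bot: The new last line `- url: "http://localhost:9300"` still carries `\ No newline at end of file`, so the next service appended here will again show the previous line as removed and re-added; since this hunk rewrites the tail anyway, end the file with a newline. The port matches `PublishPort=127.0.0.1:9300:3000` in the container unit, which is worth a comment on the service, `# matches PublishPort in silverbullet.container`, so the two stay in step.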