add silverbullet with authentik forward proxy

ansible/ansible.cfg

@@ -1,3 +1,4 @@
 [defaults]
 nocows=1
 vault_identity_list=podman_hosts@./lookup-secret-client.bash
+inventory=inventories/production/hosts.yml

ansible/main.yml

@@ -5,6 +5,21 @@
     - common
     - hardening
     - rootless_host
-    - traefik
     - backup
+  tags:
+    - host_setup
+
+- name: traefik setup
+  hosts: podman_hosts
+  roles:
+    - traefik
+  tags:
+    - traefik
+
+- name: podman services setup
+  hosts: podman_hosts
+  roles:
     - services
+  tags:
+    - services
+

ansible/roles/services/files/silverbullet/silverbullet.container

@@ -0,0 +1,20 @@
+[Unit]
+Description=Silverbullet deployment
+Wants=network-online.target
+After=network.target network-online.target
+
+[Container]
+ContainerName=silverbullet
+Image=ghcr.io/silverbulletmd/silverbullet:latest
+PublishPort=127.0.0.1:9300:3000
+Volume=/var/vol/silverbullet:/space:Z
+AutoUpdate=registry
+
+[Service]
+# Restart service when sleep finishes
+Restart=on-failure
+RestartSec=60
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target

ansible/roles/services/vars/main.yml

@@ -59,3 +59,7 @@ services:
       - database
       - staticfiles
       - mediafiles
+  silverbullet:
+    systemd_service_name: "silverbullet"
+    service_directories:
+      - space

ansible/roles/traefik/files/dynamic.yml

@@ -1,4 +1,23 @@
 http:
+  middlewares:
+    authentik:
+      forwardAuth:
+        address: http://localhost:9100/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-entitlements
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+
   routers:
     # Router for wekan.rohrschacht.de
     wekan-router:
@@ -108,6 +127,49 @@ http:
         certResolver: letsencrypt
       service: tandoor-service
 
+    # Router for silverbullet.rohrschacht.de
+    silverbullet-router-service-worker:
+      rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/service_worker.js`)"
+      entryPoints:
+        - websecure
+      priority: 20
+      tls:
+        certResolver: letsencrypt
+      service: silverbullet-service
+
+    # Router for silverbullet.rohrschacht.de static client assets
+    silverbullet-router-client:
+      rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/.client`)"
+      entryPoints:
+        - websecure
+      priority: 20
+      tls:
+        certResolver: letsencrypt
+      service: silverbullet-service
+
+    # Router for silverbullet.rohrschacht.de
+    silverbullet-router:
+      rule: "Host(`silverbullet.rohrschacht.de`)"
+#      rule: "Host(`silverbullet.rohrschacht.de`) && !PathPrefix(`/service_worker.js`) && !PathPrefix(`/.client`) && !PathPrefix(`/outpost.goauthentik.io/`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - authentik
+      priority: 10
+      tls:
+        certResolver: letsencrypt
+      service: silverbullet-service
+
+    # Router for silverbullet.rohrschacht.de authentik outpost path
+    silverbullet-router-auth:
+      rule: "Host(`silverbullet.rohrschacht.de`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      entryPoints:
+        - websecure
+      priority: 15
+      tls:
+        certResolver: letsencrypt
+      service: authentik-service
+
   services:
     # Service for wekan.rohrschacht.de
     wekan-service:
@@ -179,4 +241,10 @@ http:
     tandoor-service:
       loadBalancer:
         servers:
-          - url: "http://localhost:9200"
+          - url: "http://localhost:9200"
+
+    # Service for silverbullet.rohrschacht.de
+    silverbullet-service:
+      loadBalancer:
+        servers:
+          - url: "http://localhost:9300"