# SilverBullet deployment examples Below you'll find **user examples** on how to deploy SilverBullet using different alternatives. **NOTE**: paths, usernames and passwords are just examples and should be updated to your own personal environment **NOTE**: These deployments are based in a Linux environment though they may perfectly work in Windows and/or MacOS with minimal changes ## How to Deploy Silverbullet with Docker This example will work both if you use `docker-compose.yml` files or a management tool like [portainer](https://www.portainer.io/). We will configure SilverBullet with [caddy](https://caddyserver.com/) as reverse proxy, [redis](https://redis.io/) to store and share certificates and [authelia](https://www.authelia.com/) for authentication. ### Docker compose file **IMPORTANT**: Some volumes configured below are **bind mounts** which need to be configured providing a physical folder from your machine. Don't forget to create them before turning up the containers. **NOTE**: We are configuring SilverBullet with basic auth assuming there may be more users and applications in the server. Feel free to remove it if that is not the case, to avoid a double login requirement. ```yml silverbullet: container_name: silverbullet image: zefhemel/silverbullet volumes: - /media/silverbullet/space:/space ports: - 3000:3000 restart: unless-stopped environment: - PUID=1000 - PGID=1000 - SB_USER=${USERNAME}:${PASSWORD} #feel free to remove this if not needed redis: container_name: redis image: "redis:alpine" command: redis-server --save "" --appendonly "no" restart: always networks: - searxng tmpfs: - /var/lib/redis cap_drop: - ALL cap_add: - SETGID - SETUID - DAC_OVERRIDE caddy: container_name: caddy image: caddy:latest network_mode: host restart: always volumes: - /media/caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro - caddy-data:/data:rw - caddy-config:/config:rw cap_drop: - ALL cap_add: - NET_BIND_SERVICE - DAC_OVERRIDE authelia: image: authelia/authelia container_name: authelia volumes: - /media/authelia/config:/config ports: - 9091:9091 environment: - PUID=1000 - PGID=1000 volumes: caddy-data: caddy-config: ``` In case you use SilverBullet basic auth feature, you'll need to provide the following `env` file ```shell USERNAME=User PASSWORD=REDACTED ``` ### authelia authelia requires two configuration files: `users_databases.yml` and `configuration.yml` Please check the official [documentation](https://www.authelia.com/configuration/prologue/introduction) for all the possibilities. Below you can find a very simple example that will work for our use case. #### User configuration Run the following command in `/media/authelia/config/` folder in order to generate the argon2id password ```shell docker run -v ./configuration.yml:/configuration.yml -it authelia/authelia:latest authelia crypto hash generate --config /configuration.yml ``` Then copy the password in the `/media/authelia/config/users_database.yml` file - users_database.yml ```yml users: User: disabled: false displayname: "User" password: "$argon2id$v=19$m=65536,t=3,p=4$blahblahblah" email: User@domain.com groups: - admins ``` #### configuration.yml Simplified version, with a lot of boilerplate removed. Official template can be found [here](https://github.com/authelia/authelia/blob/master/config.template.yml) `/media/authelia/config/configuration.yml` ```yml # yamllint disable rule:comments-indentation --- ############################################################################### # Authelia Configuration # ############################################################################### ## The theme to display: light, dark, grey, auto. theme: dark ## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be ## set using a secret: https://www.authelia.com/c/secrets jwt_secret: 78sfdgg3t3gwv7avjheh43 ## Default redirection URL ## ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use ## in such a case. ## ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication. default_redirection_url: https://google.com/ ## ## Server Configuration ## server: ## The address to listen on. host: 0.0.0.0 ## The port to listen on. port: 9091 ## Enables the pprof endpoint. enable_pprof: false ## Enables the expvars endpoint. enable_expvars: false ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0. ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist. disable_healthcheck: false ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour. tls: ## The path to the DER base64/PEM format private key. key: "" ## The path to the DER base64/PEM format public certificate. certificate: "" ## The list of certificates for client authentication. client_certificates: [] ## ## Log Configuration ## log: ## Level of verbosity for logs: info, debug, trace. level: debug ## ## Telemetry Configuration ## telemetry: ## ## Metrics Configuration ## metrics: ## Enable Metrics. enabled: false ## The address to listen on for metrics. This should be on a different port to the main server.port value. address: tcp://0.0.0.0:9959 ## ## TOTP Configuration ## ## Parameters used for TOTP generation. totp: ## Disable TOTP. disable: false ## The issuer name displayed in the Authenticator application of your choice. issuer: authelia.com ## The TOTP algorithm to use. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/c/totp#algorithm algorithm: sha1 ## The number of digits a user has to input. Must either be 6 or 8. ## Changing this option only affects newly generated TOTP configurations. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/c/totp#digits digits: 6 ## The period in seconds a one-time password is valid for. ## Changing this option only affects newly generated TOTP configurations. period: 30 ## The skew controls number of one-time passwords either side of the current one that are valid. ## Warning: before changing skew read the docs link below. skew: 1 ## See: https://www.authelia.com/c/totp#input-validation to read ## the documentation. ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. secret_size: 32 ## ## WebAuthn Configuration ## ## Parameters used for WebAuthn. webauthn: ## Disable Webauthn. disable: false ## Adjust the interaction timeout for Webauthn dialogues. timeout: 60s ## The display name the browser should show the user for when using Webauthn to login/register. display_name: Authelia ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. ## Options are none, indirect, direct. attestation_conveyance_preference: indirect ## User verification controls if the user must make a gesture or action to confirm they are present. ## Options are required, preferred, discouraged. user_verification: preferred ## ## NTP Configuration ## ## This is used to validate the servers time is accurate enough to validate TOTP. ntp: ## NTP server address. address: "time.cloudflare.com:123" ## NTP version. version: 4 ## Maximum allowed time offset between the host and the NTP server. max_desync: 3s ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you ## set this to true, and can operate in a truly offline mode. disable_startup_check: false ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup ## will continue regardless of results. disable_failure: false authentication_backend: ## Password Reset Options. password_reset: ## Disable both the HTML element and the API for reset password functionality. disable: false refresh_interval: 5m file: path: /config/users_database.yml #this is where your authorized users are stored password: algorithm: argon2id iterations: 1 key_length: 32 salt_length: 16 memory: 1024 parallelism: 8 ## ## Password Policy Configuration. ## password_policy: ## The standard policy allows you to tune individual settings manually. standard: enabled: false ## Require a minimum length for passwords. min_length: 8 ## Require a maximum length for passwords. max_length: 0 ## Require uppercase characters. require_uppercase: true ## Require lowercase characters. require_lowercase: true ## Require numeric characters. require_number: true ## Require special characters. require_special: true ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. zxcvbn: enabled: false ## Configures the minimum score allowed. min_score: 3 ## ## Access Control Configuration ## ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. ## access_control: ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. default_policy: deny rules: ## bypass rule - domain: 'auth.domain.com' #This should be your authentication URL policy: bypass - domain: 'silverbullet.domain.com' resources: - '/.client/manifest.json$' - '/.client/[a-zA-Z0-9_-]+.png$' - '/service_worker.js$' policy: bypass - domain: 'silverbullet.domain.com' subject: - 'group:admins' policy: one_factor ## ## Session Provider Configuration ## ## The session cookies identify the user once logged in. ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. session: ## The name of the session cookie. name: authelia_session ## The domain to protect. ## Note: the authenticator must also be in that domain. ## If empty, the cookie is restricted to the subdomain of the issuer. domain: domain.com ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. ## Please read https://www.authelia.com/c/session#same_site same_site: lax ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel. ## Secret can also be set using a secret: https://www.authelia.com/c/secrets secret: 3sdffgsdgs33452j2jhgjs9gdfg ## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format. ## See: https://www.authelia.com/c/common#duration-notation-format ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure ## because a stolen cookie will last longer giving attackers more time to spy or attack. ## The time before the cookie expires and the session is destroyed if remember me IS NOT selected. expiration: 1h ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user ## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last time ## Authelia detected user activity. inactivity: 5m ## The time before the cookie expires and the session is destroyed if remember me IS selected. ## Value of -1 disables remember me. remember_me_duration: 1M ## ## Regulation Configuration ## ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made ## in a short period of time. regulation: ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. max_retries: 3 ## The time range during which the user can attempt login before being banned. The user is banned if the ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. ## See: https://www.authelia.com/c/common#duration-notation-format find_time: 2m ## The length of time before a banned user can login again. Ban Time accepts duration notation. ## See: https://www.authelia.com/c/common#duration-notation-format ban_time: 5m ## ## Storage Provider Configuration ## ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. storage: local: path: /config/db.sqlite3 #this is your databse. You could use a mysql database if you wanted, but we're going to use this one. encryption_key: 345f2f5v6c54vg2ewesd ## ## Notification Provider ## ## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration. ## The available providers are: filesystem, smtp. You must use only one of these providers. notifier: ## You can disable the notifier startup check by setting this to true. disable_startup_check: true #true/false smtp: username: user@gmail.com #your email address password: apppassword #your email password host: smtp.gmail.com #email smtp server port: 587 #email smtp port sender: user@gmail.com subject: "[Authelia] {title}" #email subject ... ``` ### caddy (reverse proxy) Example of `/media/caddy/config/Caddyfile` ```yml { admin off } ## It is important to read the following document before enabling this section: ## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies (trusted_proxy_list) { ## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy. trusted_proxies 192.168.0.0/16 } # Authelia Portal. auth.domain.com { reverse_proxy localhost:9091 { ## This import needs to be included if you're relying on a trusted proxies configuration. import trusted_proxy_list } } silverbullet.domain.com { forward_auth localhost:9091 { uri /api/verify?rd=https://auth.domain.com/ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email ## This import needs to be included if you're relying on a trusted proxies configuration. import trusted_proxy_list } reverse_proxy localhost:3000 { ## This import needs to be included if you're relying on a trusted proxies configuration. import trusted_proxy_list } } ``` ### Syncing SilverBullet with Git - Once the server is up and running we can install git [Plug](https://github.com/silverbulletmd/silverbullet/blob/main/website/%F0%9F%94%8C%20Plugs.md) (if not installed by default) ```yaml - github:silverbulletmd/silverbullet-git/git.plug.js ``` - we need to create a git repository to sync automatically - Example: `https://github.com/user/silverbullet` - Create a [github token](https://github.com/settings/tokens) to run `git pull` and `git push` within silverbullet - Example token: ghp_sdfasdfsdfZFwJGHFGDSF554a - Now we initialize the repo and create a first push ```shell cd /media/silverbullet/space git init git add index.md git commit -m "first commit" git branch -M main git remote add origin https://ghp_sdfasdfsdfZFwJGHFGDSF554a@github.com/user/silverbullet.git git push -u origin main git branch --set-upstream-to=origin/main main ``` - Once we confirm github sync works from the terminal, we need to add our github identity inside the container - Connect through portainer or the command line to the silverbullet console ```shell docker exec -it silverbullet /bin/sh cd /space git config user.email "user@gmail.com" git config --global user.name "user" ``` And we are **DONE**! We can now use SilverBullet and run `Git Sync` everytime we would like to commit and sync our changes to github. ## How to Deploy Silverbullet with Deno - We will use **cargo** to install deno for this use case ```shell cargo install deno --locked ``` **NOTE**: Please refer to the [official documentation](https://deno.land/manual@v1.7.5/getting_started/setup_your_environment) to set up properly your environment. - Now we proceed to install SilverBullet ```shell deno install -f -g --name silverbullet --no-lock -A https://get.silverbullet.md ``` ### How to run SilverBullet at boot with systemd - Based on: [Start SilverBullet on boot using systemctl](https://github.com/silverbulletmd/silverbullet/pull/388) - Create `/usr/local/bin/silverbullet.sh` file and make it executable: ```sh #!/bin/bash ## Script to start SilverBullet through Deno /home/user/.cargo/bin/deno run --allow-all --no-config https://get.silverbullet.md/ /home/user/silverbullet > /home/user/sb.log 2> /home/user/sb.err ``` - Create `/etc/systemd/system/silverbullet.service` file: ```sh [Unit] Description=SilverBullet [Service] User=user Type=simple ExecStart=/usr/local/bin/silverbullet.sh [Install] WantedBy=multi-user.target ``` - Enable and start the service ```shell sudo systemctl enable silverbullet.service sudo systemctl start silverbullet.service ``` - Once SilverBullet is up and running, you'll have access to the logs and errors through the `sb.log` and `sb.err` files located in `/home/user`