| Field | Value |
|---|---|
| title | SilverBullet: Self-Hosted Knowledge Management Web App |
| date | 2024-08-22T02:56:12Z |
| description | Deploying SilverBullet with Docker Compose, and accessing it from anywhere with Tailscale and Cloudflare Tunnel. |
| featured | false |
| toc | true |
| reply | true |
| categories | Self-Hosting |
| tags | |
I recently posted on my other blog about trying out SilverBullet, an open-source self-hosted web-based note-keeping app. SilverBullet has continued to impress me as I use it and learn more about its features. It really fits my multi-device use case much better than Obsidian ever did (even with its paid sync plugin).
In that post, I shared a brief overview of how I set up SilverBullet:

> I deployed my instance in Docker alongside both a Tailscale sidecar and Cloudflare Tunnel sidecar. This setup lets me easily access/edit/manage my notes from any device I own by just pointing a browser at https://silverbullet.tailnet-name.ts.net/. And I can also hit it from any other device by using the public Cloudflare endpoint which is further protected by an email-based TOTP challenge. Either way, I don't have to worry about installing a bloated app or managing a complicated sync setup. Just log in and write.

This post will go into a bit more detail about that configuration.
## Preparation

I chose to deploy SilverBullet on an Ubuntu 22.04 VM in my homelab which was already set up for serving Docker workloads, so I'm not going to cover the Docker installation process here. I tend to run my Docker workloads out of `/opt/`, so I start this journey by creating a place to hold the SilverBullet setup:

```shell
sudo mkdir -p /opt/silverbullet # [tl! .cmd]
```

I set appropriate ownership of the folder and then move into it:

```shell
sudo chown john:docker /opt/silverbullet # [tl! .cmd:1]
cd /opt/silverbullet
```
## SilverBullet Setup

The documentation offers easy-to-follow guidance on installing SilverBullet with Docker Compose, and that makes for a pretty good starting point. The only change I make here is setting the `SB_USER` variable from an environment variable instead of directly in the YAML:

```yaml
# torchlight! {"lineNumbers":true}
# docker-compose.yml
services:
  silverbullet:
    image: zefhemel/silverbullet
    container_name: silverbullet
    restart: unless-stopped
    environment:
      SB_USER: "${SB_CREDS}"
    volumes:
      - ./space:/space
    ports:
      - 3000:3000
  watchtower:
    image: containrrr/watchtower
    container_name: silverbullet-watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

I used a password manager to generate a random password and username, and I stored those in a `.env` file alongside the Docker Compose configuration; I'll need those credentials to log in to each SilverBullet session. For example:

```shell
# .env
SB_CREDS='alldiaryriver:XCTpmddGc3Ga4DkUr7DnPBYzt1b'
```

That's all that's needed for running SilverBullet locally, and I could go ahead and `docker compose up -d` to get it running. But I really want to be able to access my notes from other systems too, so let's move on to enabling remote access right away.
## Remote Access

### Tailscale

It's no secret that I'm a big fan of Tailscale, so I use Tailscale Serve to enable secure remote access through my tailnet. I just need to add in a Tailscale sidecar and update the `silverbullet` service to share Tailscale's network:

```yaml
# torchlight! {"lineNumbers":true}
# docker-compose.yml
services:
  tailscale: # [tl! ++:12 **:12]
    image: tailscale/tailscale:latest
    container_name: silverbullet-tailscale
    restart: unless-stopped
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY:?err}
      TS_HOSTNAME: ${TS_HOSTNAME:-ts-docker}
      TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:-}
      TS_STATE_DIR: /var/lib/tailscale/
      TS_SERVE_CONFIG: /config/serve-config.json
    volumes:
      - ./ts_data:/var/lib/tailscale/
      - ./serve-config.json:/config/serve-config.json
  silverbullet:
    image: zefhemel/silverbullet
    container_name: silverbullet
    restart: unless-stopped
    environment:
      SB_USER: "${SB_CREDS}"
    volumes:
      - ./space:/space
    ports: # [tl! --:1 **:1]
      - 3000:3000
    network_mode: service:tailscale # [tl! ++ **]
  watchtower: # [tl! collapse:4]
    image: containrrr/watchtower
    container_name: silverbullet-watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

That of course means adding a few more items to the `.env` file:

- a pre-authentication key,
- the hostname to use for the application's presence on my tailnet,
- and the `--ssh` extra argument to enable SSH access to the container (not strictly necessary, but can be handy for troubleshooting).

```shell
# .env
SB_CREDS='alldiaryriver:XCTpmddGc3Ga4DkUr7DnPBYzt1b'
TS_AUTHKEY=tskey-auth-[...] # [tl! ++:2 **:2]
TS_HOSTNAME=silverbullet
TS_EXTRA_ARGS=--ssh
```

And I need to create a `serve-config.json` file to configure Tailscale Serve to proxy port `443` on the tailnet to port `3000` on the container:

```json
// torchlight! {"lineNumbers":true}
// serve-config.json
{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "silverbullet.tailnet-name.ts.net:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://127.0.0.1:3000"
        }
      }
    }
  }
}
```
### Cloudflare Tunnel

But what if I want to consult my notes from outside of my tailnet? Sure, I could use Tailscale Funnel to publish the SilverBullet service on the internet, but (1) Funnel would require me to use a URL like `https://silverbullet.tailnet-name.ts.net` instead of simply `https://silverbullet.example.com`, and (2) I've seen enough traffic logs to not want to expose a login page directly to the public internet if I can avoid it.

Cloudflare Tunnel is able to address those concerns without a lot of extra work. I can set up a tunnel at `silverbullet.example.com` and use Cloudflare Access to put an additional challenge in front of the login page.

I just have to add a `cloudflared` container to my stack:

```yaml
# torchlight! {"lineNumbers":true}
# docker-compose.yml
services:
  tailscale: # [tl! collapse:12]
    image: tailscale/tailscale:latest
    container_name: silverbullet-tailscale
    restart: unless-stopped
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY:?err}
      TS_HOSTNAME: ${TS_HOSTNAME:-ts-docker}
      TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:-}
      TS_STATE_DIR: /var/lib/tailscale/
      TS_SERVE_CONFIG: /config/serve-config.json
    volumes:
      - ./ts_data:/var/lib/tailscale/
      - ./serve-config.json:/config/serve-config.json
  cloudflared: # [tl! ++:9 **:9]
    image: cloudflare/cloudflared
    restart: unless-stopped
    container_name: silverbullet-cloudflared
    command:
      - tunnel
      - run
      - --token
      - ${CLOUDFLARED_TOKEN}
    network_mode: service:tailscale
  silverbullet:
    image: zefhemel/silverbullet
    container_name: silverbullet
    restart: unless-stopped
    environment:
      SB_USER: "${SB_CREDS}"
    volumes:
      - ./space:/space
    network_mode: service:tailscale
  watchtower: # [tl! collapse:4]
    image: containrrr/watchtower
    container_name: silverbullet-watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
```

To get the required `$CLOUDFLARED_TOKEN`, I create a new `cloudflared` tunnel in the Cloudflare dashboard and add the generated token value to my `.env` file:

```shell
# .env
SB_CREDS='alldiaryriver:XCTpmddGc3Ga4DkUr7DnPBYzt1b'
TS_AUTHKEY=tskey-auth-[...]
TS_HOSTNAME=silverbullet
TS_EXTRA_ARGS=--ssh
CLOUDFLARED_TOKEN=eyJhIjo[...]BNSJ9 # [tl! ++ **]
```

Back in the Cloudflare Tunnel setup flow, I select my desired public hostname (`silverbullet.example.com`) and then specify that the backend service is `http://localhost:3000`.
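Because the `silverbullet` container no longer publishes any host ports, the only paths to port 3000 are the Tailscale Serve handler and the `cloudflared` sidecar sharing its network namespace. The following pre-flight check is an added example (not part of this post or the SilverBullet project) that reads the `.env` file and `serve-config.json` from above and flags the mistakes that would undermine that: a missing secret, an `SB_USER` value that is not `user:password`, a Serve handler that proxies to something other than loopback, or a hostname that does not match `TS_HOSTNAME`. The sample `.env` text is constructed with placeholder secrets, and the 16-character minimum password length is an assumed threshold.

```python
import json
import re
from typing import Dict, List

# Constructed sample .env mirroring the post's file; the secrets are placeholders.
ENV_TEXT = """# .env
SB_CREDS='alldiaryriver:XCTpmddGc3Ga4DkUr7DnPBYzt1b'
TS_AUTHKEY=tskey-auth-PLACEHOLDER
TS_HOSTNAME=silverbullet
TS_EXTRA_ARGS=--ssh
CLOUDFLARED_TOKEN=eyJhIjoPLACEHOLDER
"""

# The serve-config.json from the post, embedded inline so the check runs offline.
SERVE_CONFIG = json.loads("""{
  "TCP": {"443": {"HTTPS": true}},
  "Web": {"silverbullet.tailnet-name.ts.net:443": {
    "Handlers": {"/": {"Proxy": "http://127.0.0.1:3000"}}}}
}""")

REQUIRED = ("SB_CREDS", "TS_AUTHKEY", "TS_HOSTNAME", "CLOUDFLARED_TOKEN")

def parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips comments/blank lines, strips matching quotes."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def check_stack(env_text: str, serve: dict) -> List[str]:
    """Return findings; an empty list means the files match the post's intent."""
    findings: List[str] = []
    env = parse_env(env_text)
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"{key} missing from .env")
    # SB_USER expects user:password; 16+ password chars is an assumed threshold.
    if not re.fullmatch(r"[^:\s]+:\S{16,}", env.get("SB_CREDS", "")):
        findings.append("SB_CREDS must be user:password with a 16+ char password")
    if not serve.get("TCP", {}).get("443", {}).get("HTTPS"):
        findings.append("serve-config: TCP 443 should terminate HTTPS")
    for host, site in serve.get("Web", {}).items():
        if not host.startswith(env.get("TS_HOSTNAME", "") + "."):
            findings.append(f"serve-config host {host} does not match TS_HOSTNAME")
        for path, handler in site.get("Handlers", {}).items():
            target = handler.get("Proxy", "")
            # Only loopback is reachable inside the shared network namespace.
            if not re.match(r"https?://(127\.0\.0\.1|localhost)(:\d+)?", target):
                findings.append(f"handler {path} proxies off-loopback: {target}")
    return findings
```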
Now I'm finally ready to start up my containers:

```shell
docker compose up -d # [tl! .cmd .nocopy:1,5]
[+] Running 5/5
 ✔ Network silverbullet_default Created
 ✔ Container silverbullet-watchtower Started
 ✔ Container silverbullet-tailscale Started
 ✔ Container silverbullet Started
 ✔ Container silverbullet-cloudflared Started
```
### Cloudflare Access

The finishing touch will be configuring a bit of extra protection in front of the public-facing login page, and Cloudflare Access makes that very easy. I'll just use the wizard to add a new web application through the Cloudflare Zero Trust dashboard.
The first part of that workflow asks "What type of application do you want to add?". I select Self-hosted.
The next part asks for a name (SilverBullet), Session Duration (24 hours), and domain (`silverbullet.example.com`). I leave the defaults for the rest of the Configuration Application step and move on to the next one.
I'm then asked to Add Policies, and I have to start by giving a name for my policy. I opt to name it Email OTP because I'm going to set up email-based one-time passcodes. In the Configure Rules section, I choose Emails as the selector and enter my own email address as the single valid value.
And then I just click through the rest of the defaults.
## Recap

So now I have SilverBullet running in Docker Compose on a server in my homelab. I can access it from any device on my tailnet at `https://silverbullet.tailnet-name.ts.net` (thanks to the magic of Tailscale Serve). I can also get to it from outside my tailnet at `https://silverbullet.example.com` (thanks to Cloudflare Tunnel), but there I'll use a one-time passcode sent to my approved email address before also authenticating through the SilverBullet login page (thanks to Cloudflare Access).
I think it's a pretty sweet setup that gives me full control and ownership of my notes and lets me read/write my notes from multiple devices without having to worry about synchronization.