I have a TrueNAS server at home and wanted a simple way to host SilverBullet there with either local network or external access. I didn't find anything that fit the bill exactly, so I put together a compose file to be run via Portainer.
I am looking for feedback: Did I do anything stupid? Can I do anything better? Would this be useful to post in the guides section?
Here’s the general flow of what I did:
- Get certificates through TrueNAS. I have certs for `*.foobar.com` and `*.home.foobar.com`, which seem generally useful for me.
- Use Portainer to make a new stack for SilverBullet that also includes Caddy for reverse proxy (with the certs coming from TrueNAS). The Caddyfile is included as part of the compose file:
```yaml
services:
  silverbullet:
    image: ghcr.io/silverbulletmd/silverbullet:latest
    restart: unless-stopped
    environment:
      - SB_USER=user:password   # basic-auth credential, stored in clear text in the stack definition
    volumes:
      - ./space:/space
    ports:
      - 3000:3000               # publishes SB directly on the host over plain HTTP, bypassing Caddy (LAN only, the router forwards just 30232)
  caddy:
    image: caddy:2.10.2-alpine
    restart: unless-stopped
    ports:
      - 30232:30232
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data
      # certificates issued/managed by TrueNAS, mounted read-only
      - /etc/certificates/home-foobar-com-cert.crt:/etc/caddy/certs/home-foobar-com-cert.crt:ro
      - /etc/certificates/home-foobar-com-cert.key:/etc/caddy/certs/home-foobar-com-cert.key:ro
      - /etc/certificates/foobar-com-cert.crt:/etc/caddy/certs/foobar-com-cert.crt:ro
      - /etc/certificates/foobar-com-cert.key:/etc/caddy/certs/foobar-com-cert.key:ro
    depends_on:
      - silverbullet

configs:
  caddyfile:
    content: |
      # external name: served with the *.foobar.com cert
      notes.foobar.com:30232 {
        tls /etc/caddy/certs/foobar-com-cert.crt /etc/caddy/certs/foobar-com-cert.key
        reverse_proxy silverbullet:3000
      }
      # local name: served with the *.home.foobar.com cert
      nas.home.foobar.com:30232 {
        tls /etc/caddy/certs/home-foobar-com-cert.crt /etc/caddy/certs/home-foobar-com-cert.key
        reverse_proxy silverbullet:3000
      }

volumes:
  caddy_data:
```
- Create a port forward in your router, e.g., any source on port 30232 to your TrueNAS machine on port 30232.
- Use DDNS in the router to update `home.foobar.com`.
- Add a Cloudflare CNAME DNS rule for `notes` to `home.foobar.com`. This means that requests to `notes.foobar.com` will really go to `home.foobar.com`, i.e., your router.
- Add a Cloudflare Origin Rule for `r"https://notes.foobar.com/*"` to rewrite the destination port to 30232. This converts the browser's default 443 port for `https://notes.foobar.com` to the correct 30232 port. (`http.request.full_uri wildcard r"https://notes.foobar.com/*"`)
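As an added example (not the original poster's file), here is a tightened variant of the same stack. Two things change: SilverBullet no longer publishes a host port, so the only way to reach it, from the LAN or from outside, is through Caddy and TLS on 30232; and the `SB_USER` credential moves out of the stack definition (where Portainer shows it to anyone who can open the stack) into an env file that is assumed to sit next to the compose file as `./silverbullet.env`. The hostnames, certificate paths and port are the placeholders from the post; the `proxy` network name is an assumption.

```yaml
# Added example: hardened variant of the stack above (not the original poster's compose file).
services:
  silverbullet:
    image: ghcr.io/silverbulletmd/silverbullet:latest
    restart: unless-stopped
    env_file:
      - ./silverbullet.env   # assumed file containing a single line: SB_USER=user:password
    volumes:
      - ./space:/space
    networks:
      - proxy
    # No `ports:` entry: SB listens on 3000 only inside the `proxy` network,
    # so the basic-auth credential never crosses the LAN over plain HTTP.

  caddy:
    image: caddy:2.10.2-alpine
    restart: unless-stopped
    ports:
      - 30232:30232          # the single published port, the one the router forwards
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data
      - /etc/certificates/home-foobar-com-cert.crt:/etc/caddy/certs/home-foobar-com-cert.crt:ro
      - /etc/certificates/home-foobar-com-cert.key:/etc/caddy/certs/home-foobar-com-cert.key:ro
      - /etc/certificates/foobar-com-cert.crt:/etc/caddy/certs/foobar-com-cert.crt:ro
      - /etc/certificates/foobar-com-cert.key:/etc/caddy/certs/foobar-com-cert.key:ro
    networks:
      - proxy
    depends_on:
      - silverbullet

configs:
  caddyfile:
    content: |
      notes.foobar.com:30232 {
        tls /etc/caddy/certs/foobar-com-cert.crt /etc/caddy/certs/foobar-com-cert.key
        reverse_proxy silverbullet:3000
      }
      nas.home.foobar.com:30232 {
        tls /etc/caddy/certs/home-foobar-com-cert.crt /etc/caddy/certs/home-foobar-com-cert.key
        reverse_proxy silverbullet:3000
      }

networks:
  proxy:                     # private network shared only by the two services

volumes:
  caddy_data:
```

After deploying, `docker compose ps` should list a port mapping only for the `caddy` service; if `silverbullet` still shows `0.0.0.0:3000->3000/tcp`, the old `ports:` entry is still in effect. For the local-only use case the `notes.foobar.com` site block, the router forward and the Cloudflare rules drop out and this file is otherwise unchanged.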
The final flow (as I understand it) is something like this:
- Request to `https://notes.foobar.com` uses the default HTTPS port of 443.
- Cloudflare rule rewrites the port to 30232.
- DNS for `notes.foobar.com` resolves to DNS for `home.foobar.com`, which is set via DDNS to the home IP.
- Request is made to the home IP on port 30232; the router forwards it to the TrueNAS machine.
- Caddy gets the request and serves the correct certificate along with proxying to SB.
I also include `nas.home.foobar.com` as a valid route for SilverBullet and create an A record for `nas.home` to point to the local network address of the TrueNAS machine (e.g., 192.168.1.100, which is static for the machine) in the DNS. This means I can also access SB at `nas.home.foobar.com:30232`. If all one wanted was local network access and planned to use a VPN like WireGuard, I think a bunch of steps can be removed.
Is exposing SB to the full internet a bad idea here? Seems pretty contained, on account of the container and whatnot.
If I write this up as a guide I would add more detail and cover the two use-cases (externally accessible and local network only), but I’d only do that if it seems useful.