SilverBullet deployment examples
Below you'll find user examples on how to deploy SilverBullet using different alternatives.NOTE: paths, usernames and passwords are just examples and should be updated to your own personal environmentNOTE: These deployments are based in a Linux environment though they may perfectly work in Windows and/or MacOS with minimal changes How to Deploy Silverbullet with Docker
This example will work both if you use docker-compose.yml files or a management tool like portainer.We will configure SilverBullet with caddy as reverse proxy, redis to store and share certificates and authelia for authentication. Docker compose file
IMPORTANT: Some volumes configured below are bind mounts which need to be configured providing a physical folder from your machine. Don't forget to create them before turning up the containers.NOTE: We are configuring SilverBullet with basic auth assuming there may be more users and applications in the server. Feel free to remove it if that is not the case, to avoid a double login requirement. silverbullet:
container_name: silverbullet
image: zefhemel/silverbullet
volumes:
- /media/silverbullet/space:/space
ports:
- 3000:3000
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- SB_USER=${USERNAME}:${PASSWORD} #feel free to remove this if not needed
redis:
container_name: redis
image: "redis:alpine"
command: redis-server --save "" --appendonly "no"
restart: always
networks:
- searxng
tmpfs:
- /var/lib/redis
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
caddy:
container_name: caddy
image: caddy:latest
network_mode: host
restart: always
volumes:
- /media/caddy/config/Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data:rw
- caddy-config:/config:rw
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
- DAC_OVERRIDE
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- /media/authelia/config:/config
ports:
- 9091:9091
environment:
- PUID=1000
- PGID=1000
volumes:
caddy-data:
caddy-config:
In case you use SilverBullet basic auth feature, you'll need to provide the following env fileUSERNAME=User
PASSWORD=REDACTED
authelia
authelia requires two configuration files: users_databases.yml and configuration.yml
Please check the official documentation for all the possibilities.
Below you can find a very simple example that will work for our use case. User configuration
Run the following command in /media/authelia/config/ folder in order to generate the argon2id passworddocker run -v ./configuration.yml:/configuration.yml -it authelia/authelia:latest authelia crypto hash generate --config /configuration.yml
Then copy the password in the /media/authelia/config/users_database.yml fileusers:
User:
disabled: false
displayname: "User"
password: "$argon2id$v=19$m=65536,t=3,p=4$blahblahblah"
email: [email protected]
groups:
- admins
configuration.yml
Simplified version, with a lot of boilerplate removed. Official template can be found here/media/authelia/config/configuration.yml# yamllint disable rule:comments-indentation
---
###############################################################################
# Authelia Configuration #
###############################################################################
## The theme to display: light, dark, grey, auto.
theme: dark
## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/c/secrets
jwt_secret: 78sfdgg3t3gwv7avjheh43
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
default_redirection_url: https://google.com/
##
## Server Configuration
##
server:
## The address to listen on.
host: 0.0.0.0
## The port to listen on.
port: 9091
## Enables the pprof endpoint.
enable_pprof: false
## Enables the expvars endpoint.
enable_expvars: false
## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
disable_healthcheck: false
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
tls:
## The path to the DER base64/PEM format private key.
key: ""
## The path to the DER base64/PEM format public certificate.
certificate: ""
## The list of certificates for client authentication.
client_certificates: []
##
## Log Configuration
##
log:
## Level of verbosity for logs: info, debug, trace.
level: debug
##
## Telemetry Configuration
##
telemetry:
##
## Metrics Configuration
##
metrics:
## Enable Metrics.
enabled: false
## The address to listen on for metrics. This should be on a different port to the main server.port value.
address: tcp://0.0.0.0:9959
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## Disable TOTP.
disable: false
## The issuer name displayed in the Authenticator application of your choice.
issuer: authelia.com
## The TOTP algorithm to use.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#algorithm
algorithm: sha1
## The number of digits a user has to input. Must either be 6 or 8.
## Changing this option only affects newly generated TOTP configurations.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/c/totp#digits
digits: 6
## The period in seconds a one-time password is valid for.
## Changing this option only affects newly generated TOTP configurations.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
skew: 1
## See: https://www.authelia.com/c/totp#input-validation to read
## the documentation.
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
secret_size: 32
##
## WebAuthn Configuration
##
## Parameters used for WebAuthn.
webauthn:
## Disable Webauthn.
disable: false
## Adjust the interaction timeout for Webauthn dialogues.
timeout: 60s
## The display name the browser should show the user for when using Webauthn to login/register.
display_name: Authelia
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
## Options are none, indirect, direct.
attestation_conveyance_preference: indirect
## User verification controls if the user must make a gesture or action to confirm they are present.
## Options are required, preferred, discouraged.
user_verification: preferred
##
## NTP Configuration
##
## This is used to validate the servers time is accurate enough to validate TOTP.
ntp:
## NTP server address.
address: "time.cloudflare.com:123"
## NTP version.
version: 4
## Maximum allowed time offset between the host and the NTP server.
max_desync: 3s
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
## set this to true, and can operate in a truly offline mode.
disable_startup_check: false
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
## will continue regardless of results.
disable_failure: false
authentication_backend:
## Password Reset Options.
password_reset:
## Disable both the HTML element and the API for reset password functionality.
disable: false
refresh_interval: 5m
file:
path: /config/users_database.yml #this is where your authorized users are stored
password:
algorithm: argon2id
iterations: 1
key_length: 32
salt_length: 16
memory: 1024
parallelism: 8
##
## Password Policy Configuration.
##
password_policy:
## The standard policy allows you to tune individual settings manually.
standard:
enabled: false
## Require a minimum length for passwords.
min_length: 8
## Require a maximum length for passwords.
max_length: 0
## Require uppercase characters.
require_uppercase: true
## Require lowercase characters.
require_lowercase: true
## Require numeric characters.
require_number: true
## Require special characters.
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
## Configures the minimum score allowed.
min_score: 3
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
rules:
## bypass rule
- domain: 'auth.domain.com' #This should be your authentication URL
policy: bypass
- domain: 'silverbullet.domain.com'
resources:
- '/.client/manifest.json