feat: add Cloudflare tunnel hosting

Jet 2026-05-28 14:50:07 -07:00
parent e6c1b82679
commit 23e087ae4b
No known key found for this signature in database
15 changed files with 839 additions and 30 deletions


@ -124,11 +124,12 @@ That script:
6. writes `/etc/noisebell/noisebell.env`
7. writes `/etc/noisebell/noisebell-relay.env`
8. installs `noisebell.service` and `noisebell-relay.service`
9. enables persistent journald with a 30 day retention target
10. installs and enables `prometheus-node-exporter`
11. installs `noisebell-loki-journal.service` to ship Pi logs to Loki on `noisebell-do`
12. enables and starts the Noisebell services
13. runs `tailscale up` with the decrypted auth key
9. runs `tailscale up` with the decrypted auth key
10. installs `noisebell-tailscale-only-firewall.service`
11. enables persistent journald with a 30 day retention target
12. installs and enables `prometheus-node-exporter`
13. installs `noisebell-loki-journal.service` to ship Pi logs to Loki on `noisebell-do`
14. enables and starts the Noisebell services
## Files written on the Pi
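Review bot: in the renumbered list, step 9 (`tailscale up`) now runs before step 10 installs `noisebell-tailscale-only-firewall.service`, but nothing says the script stops when step 9 fails; since that firewall is what blocks local SSH, a rejected or expired auth key followed by a successful firewall install leaves the Pi reachable only from the console. State here that step 10 is skipped unless `tailscale up` succeeded (for example by checking `tailscale status` first), and make the script enforce it.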
@ -146,7 +147,9 @@ The deploy script creates:
- `/etc/noisebell/noisebell-relay.env`
- `/etc/systemd/system/noisebell.service`
- `/etc/systemd/system/noisebell-relay.service`
- `/etc/systemd/system/noisebell-tailscale-only-firewall.service`
- `/etc/systemd/system/noisebell-loki-journal.service`
- `/usr/local/sbin/noisebell-tailscale-only-firewall`
- `/usr/local/bin/noisebell-loki-journal`
- `/etc/systemd/journald.conf.d/noisebell-persistent.conf`
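Review bot: the two new firewall paths (`/etc/systemd/system/noisebell-tailscale-only-firewall.service` and `/usr/local/sbin/noisebell-tailscale-only-firewall`) are listed without saying what the unit does on stop or restart: if the rules are added on start and never flushed, `systemctl stop` leaves the Pi locked down; if they are flushed, stopping the unit silently reopens SSH on the LAN. Add one line here, or in the firewall section, naming the rule backend and the stop behaviour so an operator knows which of the two to expect.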
@ -161,9 +164,12 @@ The deploy script:
- installs the Tailscale package if missing
- enables `tailscaled`
- runs `tailscale up --auth-key=... --hostname=noisebell-pi`
- blocks non-Tailscale TCP access to SSH (`22`), the Pi app (`80`), the relay (`8090`), and node exporter (`9100`)
So Tailscale stays part of the base OS, while its auth key is still managed as an encrypted `age` secret in this repo.
After the first bootstrap, deploy over Tailscale with `pi@100.66.45.36` or `pi@noisebell-pi`. Local Wi-Fi SSH is intentionally blocked by the deploy-installed firewall.
## Later updates
Normal iteration is just rerunning the deploy script:
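Review bot: the bullet "blocks non-Tailscale TCP access to SSH (`22`), the Pi app (`80`), the relay (`8090`), and node exporter (`9100`)" describes a deny-list of four TCP ports, not a default-deny policy, so any other listener (and anything on UDP) stays reachable from the LAN; say that explicitly, or if the script actually does "allow from the Tailscale interface, drop the rest", describe it that way instead. Because the same section states that local Wi-Fi SSH is intentionally blocked, also document the recovery path when `tailscaled` is not up at boot (console login, or ordering the firewall unit after `tailscaled` so a failed Tailscale start cannot lock the operator out).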
@ -207,6 +213,8 @@ The optional relay service accepts authenticated webhooks from cache-service and
If `.local` resolution is reliable on your Pi, you can override the deploy default with `HOME_ASSISTANT_BASE_URL=http://homeassistant.local:8123`.
The deploy default for `NOISEBELL_ENDPOINT_URL` is `http://noisebell-do:3000/webhook`, so Pi state changes go to the cache over Tailscale. Override with `NOISEBELL_CACHE_WEBHOOK_URL=...` only for testing or recovery.
Example cache target for the relay:
```nix
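Review bot: the paragraph on `NOISEBELL_ENDPOINT_URL` gives its deploy default as `http://noisebell-do:3000/webhook` and then tells the reader to override it with `NOISEBELL_CACHE_WEBHOOK_URL=...`, a different variable; if one is the deploy-script input and the other the service's env name, say so, otherwise an operator who exports the wrong one keeps the default with no error. The `HOME_ASSISTANT_BASE_URL=http://homeassistant.local:8123` override in the line above is plain HTTP on the local network rather than over Tailscale, unlike the cache path; a short clause noting that difference would help the reader decide whether to use it.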