search dns, package reorg, opencode

This commit is contained in:
Hunter Haugen 2026-03-10 12:04:53 -07:00
parent dab6541947
commit 8fce8ae927
Signed by: hunner
GPG key ID: EF99694AA599DDAD
5 changed files with 245 additions and 44 deletions

View file

@ -104,6 +104,9 @@
security.sudo.extraConfig = ''
# Don't lecture after reboot
Defaults lecture = never
# Let hunner run commands as the agents user without a password.
hunner ALL=(agents) NOPASSWD: ALL
'';
# Add local development CA
security.pki.certificates = [
@ -275,6 +278,13 @@
just
socat
pkgs.beads
gh
pkgs.opencode
python3
clang
clangStdenv
cmake
just
];
};
users.users.hunner = {
@ -284,6 +294,41 @@
hashedPasswordFile = config.sops.secrets.hashedPassword.path;
shell = pkgs.zsh;
packages = with pkgs; [
alacritty
rofi
wofi
xss-lock
xlockmore
dzen2
arandr
xclip
scrot
xorg.xrandr
xorg.xsetroot
xorg.xset
xorg.xev
hsetroot
redshift
pkgs.unstable.code-cursor
pkgs.unstable.cursor-cli
pwvucontrol
pamixer
helvum
#hp15c
#nonpareil
kitty # for Hyprland
kdePackages.dolphin # file browser in hyprland
cliphist
xscreensaver
scarlett2
alsa-scarlett-gui
#pkgs.unstable.ndi-6
#(pkgs.unstable.flameshot.override { enableWlrSupport = true; })
hyprshot
hyprpicker
flameshot
chromium
lmstudio
fzf
neovim
asdf-vm
@ -348,6 +393,7 @@
sops
bitwarden-desktop
bitwarden-cli
itch
];
};
systemd.user.services = {
@ -381,7 +427,13 @@
nixpkgs.config.allowUnfree = true;
# Allow dynamic linked binaries
programs.nix-ld.enable = true;
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
stdenv.cc.cc.lib
];
};
programs.steam = {
enable = true;
@ -406,52 +458,18 @@
file
ripgrep
powertop
alacritty
rofi
wofi
xss-lock
xlockmore
fortune
dzen2
arandr
xclip
shellcheck
scrot
fd
xorg.xrandr
xorg.xsetroot
xorg.xset
xorg.xev
hsetroot
redshift
pkgs.unstable.code-cursor
pkgs.unstable.cursor-cli
pwvucontrol
pamixer
helvum
#hp15c
#nonpareil
framework-tool
kitty # for Hyprland
kdePackages.dolphin # file browser in hyprland
cliphist
restic
xscreensaver
unzip
zip
scarlett2
alsa-scarlett-gui
#pkgs.unstable.ndi-6
xdg-utils
btrbk
devenv
lsof
#(pkgs.unstable.flameshot.override { enableWlrSupport = true; })
hyprshot
hyprpicker
flameshot
chromium
lmstudio
sg3_utils
];
services.clipmenu.enable = true;
@ -516,8 +534,8 @@
# services.openssh.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 8080 8081 8082 1234 ];
networking.firewall.allowedUDPPorts = [ 8080 8081 8082 1234 ];
networking.firewall.allowedTCPPorts = [ 8080 8081 8082 1234 4096 4747 ];
networking.firewall.allowedUDPPorts = [ 8080 8081 8082 1234 4096 4747 ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
systemd.services.upower.enable = true;

View file

@ -34,7 +34,7 @@
mode = "0400";
};
# HTTPS certificates for `s.hunner.dev` (works with Cloudflare Full strict).
# HTTPS certificates for `search.hunner.dev` (works with Cloudflare Full strict).
security.acme = {
acceptTerms = true;
defaults.email = "me@hunner.dev";
@ -124,15 +124,15 @@
enable = true;
configureNginx = true;
redisCreateLocally = true;
domain = "s.hunner.dev";
domain = "search.hunner.dev";
environmentFile = config.sops.secrets.searx-env.path;
settings.server.secret_key = "$SEARX_SECRET_KEY";
settings.server.limiter = true;
settings.server.base_url = lib.mkForce "https://s.hunner.dev/";
settings.server.base_url = lib.mkForce "https://search.hunner.dev/";
settings.general.open_metrics = "$SEARX_METRICS_PASSWORD";
};
services.nginx.virtualHosts."s.hunner.dev" = {
services.nginx.virtualHosts."search.hunner.dev" = {
enableACME = true;
forceSSL = true;
@ -169,11 +169,11 @@
};
};
# Catch-all vhost so only s.hunner.dev serves SearXNG.
# Catch-all vhost so only search.hunner.dev serves SearXNG.
services.nginx.virtualHosts."_" = {
default = true;
addSSL = true;
useACMEHost = "s.hunner.dev";
useACMEHost = "search.hunner.dev";
locations."/" = {
return = "200 \"This page intentionally left blank.\"";
extraConfig = ''