Add searxng
This commit is contained in:
parent
5071ce6368
commit
978ae01302
2 changed files with 89 additions and 13 deletions
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, modulesPath, openclaw-flake, ... }:
|
||||
{ config, lib, pkgs, modulesPath, openclaw-flake, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
|
@ -19,11 +19,25 @@
|
|||
sops.secrets.hashedPassword-hunner.neededForUsers = true;
|
||||
sops.secrets.hashedPassword-ruil.neededForUsers = true;
|
||||
sops.secrets.hashedPassword-root.neededForUsers = true;
|
||||
sops.secrets.searx-env = {
|
||||
owner = "searx";
|
||||
mode = "0400";
|
||||
};
|
||||
sops.secrets.searx-nginx-basic-auth = {
|
||||
owner = "nginx";
|
||||
mode = "0400";
|
||||
};
|
||||
sops.secrets.openclaw-env = {
|
||||
owner = "ruil";
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
# HTTPS certificates for `s.hunner.dev` (works with Cloudflare Full strict).
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "me@hunner.dev";
|
||||
};
|
||||
|
||||
# SSH key from DO metadata, shared across all users
|
||||
users.users.root = {
|
||||
hashedPasswordFile = config.sops.secrets.hashedPassword-root.path;
|
||||
|
|
@ -54,20 +68,17 @@
|
|||
|
||||
home-manager.useGlobalPkgs = true;
|
||||
home-manager.useUserPackages = true;
|
||||
home-manager.users.ruil = { ... }: {
|
||||
home-manager.users.ruil = { lib, ... }: {
|
||||
imports = [ openclaw-flake.homeManagerModules.openclaw ];
|
||||
|
||||
home.stateVersion = "25.11";
|
||||
|
||||
# Keep credentials in ruil-owned files to avoid root-only bot access.
|
||||
programs.openclaw = {
|
||||
enable = true;
|
||||
config = {
|
||||
gateway.mode = "local";
|
||||
channels.discord.enabled = true;
|
||||
agents.defaults.model.primary = "zai/glm-4.7";
|
||||
};
|
||||
};
|
||||
programs.openclaw.enable = true;
|
||||
|
||||
# Keep ~/.openclaw/openclaw.json user-managed (Home Manager should not touch it).
|
||||
home.file.".openclaw/openclaw.json".enable = lib.mkForce false;
|
||||
home.activation.openclawConfigFiles = lib.mkForce (lib.hm.dag.entryAfter [ "openclawDirs" ] "");
|
||||
|
||||
# openclaw onboarding can exceed Node's default old-space limit on 1 GiB hosts.
|
||||
home.sessionVariables.NODE_OPTIONS = "--max-old-space-size=1536";
|
||||
|
|
@ -106,6 +117,69 @@
|
|||
];
|
||||
};
|
||||
|
||||
# SearXNG
|
||||
services.searx = {
|
||||
enable = true;
|
||||
configureNginx = true;
|
||||
redisCreateLocally = true;
|
||||
domain = "s.hunner.dev";
|
||||
environmentFile = config.sops.secrets.searx-env.path;
|
||||
settings.server.secret_key = "$SEARX_SECRET_KEY";
|
||||
settings.server.limiter = true;
|
||||
settings.server.base_url = lib.mkForce "https://s.hunner.dev/";
|
||||
settings.general.open_metrics = "$SEARX_METRICS_PASSWORD";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."s.hunner.dev" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
# Protect metrics with nginx Basic Auth and forward the auth header so
|
||||
# SearXNG can validate `general.open_metrics`.
|
||||
locations."= /metrics" = {
|
||||
basicAuthFile = config.sops.secrets.searx-nginx-basic-auth.path;
|
||||
recommendedUwsgiSettings = true;
|
||||
uwsgiPass = "unix:${config.services.uwsgi.instance.vassals.searx.socket}";
|
||||
extraConfig = ''
|
||||
uwsgi_param HTTP_AUTHORIZATION $http_authorization;
|
||||
uwsgi_param HTTP_HOST $host;
|
||||
uwsgi_param HTTP_CONNECTION $http_connection;
|
||||
uwsgi_param HTTP_X_SCHEME $scheme;
|
||||
uwsgi_param HTTP_X_SCRIPT_NAME "";
|
||||
uwsgi_param HTTP_X_REAL_IP $remote_addr;
|
||||
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
|
||||
# Protect stats endpoints (/stats, /stats/errors, /stats/checker).
|
||||
locations."^~ /stats" = {
|
||||
basicAuthFile = config.sops.secrets.searx-nginx-basic-auth.path;
|
||||
recommendedUwsgiSettings = true;
|
||||
uwsgiPass = "unix:${config.services.uwsgi.instance.vassals.searx.socket}";
|
||||
extraConfig = ''
|
||||
uwsgi_param HTTP_HOST $host;
|
||||
uwsgi_param HTTP_CONNECTION $http_connection;
|
||||
uwsgi_param HTTP_X_SCHEME $scheme;
|
||||
uwsgi_param HTTP_X_SCRIPT_NAME "";
|
||||
uwsgi_param HTTP_X_REAL_IP $remote_addr;
|
||||
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Catch-all vhost so only s.hunner.dev serves SearXNG.
|
||||
services.nginx.virtualHosts."_" = {
|
||||
default = true;
|
||||
addSSL = true;
|
||||
useACMEHost = "s.hunner.dev";
|
||||
locations."/" = {
|
||||
return = "200 \"This page intentionally left blank.\"";
|
||||
extraConfig = ''
|
||||
default_type text/plain;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
# Add swap on small VPS instances to avoid OOM-kill loops.
|
||||
|
|
@ -119,6 +193,6 @@
|
|||
# Firewall
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 ];
|
||||
allowedTCPPorts = [ 22 80 443 ];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue