Add searxng
This commit is contained in:
parent
5071ce6368
commit
978ae01302
2 changed files with 89 additions and 13 deletions
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, modulesPath, openclaw-flake, ... }:
|
{ config, lib, pkgs, modulesPath, openclaw-flake, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
|
@ -19,11 +19,25 @@
|
||||||
sops.secrets.hashedPassword-hunner.neededForUsers = true;
|
sops.secrets.hashedPassword-hunner.neededForUsers = true;
|
||||||
sops.secrets.hashedPassword-ruil.neededForUsers = true;
|
sops.secrets.hashedPassword-ruil.neededForUsers = true;
|
||||||
sops.secrets.hashedPassword-root.neededForUsers = true;
|
sops.secrets.hashedPassword-root.neededForUsers = true;
|
||||||
|
sops.secrets.searx-env = {
|
||||||
|
owner = "searx";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
sops.secrets.searx-nginx-basic-auth = {
|
||||||
|
owner = "nginx";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
sops.secrets.openclaw-env = {
|
sops.secrets.openclaw-env = {
|
||||||
owner = "ruil";
|
owner = "ruil";
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# HTTPS certificates for `s.hunner.dev` (works with Cloudflare Full strict).
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "me@hunner.dev";
|
||||||
|
};
|
||||||
|
|
||||||
# SSH key from DO metadata, shared across all users
|
# SSH key from DO metadata, shared across all users
|
||||||
users.users.root = {
|
users.users.root = {
|
||||||
hashedPasswordFile = config.sops.secrets.hashedPassword-root.path;
|
hashedPasswordFile = config.sops.secrets.hashedPassword-root.path;
|
||||||
|
|
@ -54,20 +68,17 @@
|
||||||
|
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
home-manager.useUserPackages = true;
|
home-manager.useUserPackages = true;
|
||||||
home-manager.users.ruil = { ... }: {
|
home-manager.users.ruil = { lib, ... }: {
|
||||||
imports = [ openclaw-flake.homeManagerModules.openclaw ];
|
imports = [ openclaw-flake.homeManagerModules.openclaw ];
|
||||||
|
|
||||||
home.stateVersion = "25.11";
|
home.stateVersion = "25.11";
|
||||||
|
|
||||||
# Keep credentials in ruil-owned files to avoid root-only bot access.
|
# Keep credentials in ruil-owned files to avoid root-only bot access.
|
||||||
programs.openclaw = {
|
programs.openclaw.enable = true;
|
||||||
enable = true;
|
|
||||||
config = {
|
# Keep ~/.openclaw/openclaw.json user-managed (Home Manager should not touch it).
|
||||||
gateway.mode = "local";
|
home.file.".openclaw/openclaw.json".enable = lib.mkForce false;
|
||||||
channels.discord.enabled = true;
|
home.activation.openclawConfigFiles = lib.mkForce (lib.hm.dag.entryAfter [ "openclawDirs" ] "");
|
||||||
agents.defaults.model.primary = "zai/glm-4.7";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# openclaw onboarding can exceed Node's default old-space limit on 1 GiB hosts.
|
# openclaw onboarding can exceed Node's default old-space limit on 1 GiB hosts.
|
||||||
home.sessionVariables.NODE_OPTIONS = "--max-old-space-size=1536";
|
home.sessionVariables.NODE_OPTIONS = "--max-old-space-size=1536";
|
||||||
|
|
@ -106,6 +117,69 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# SearXNG
|
||||||
|
services.searx = {
|
||||||
|
enable = true;
|
||||||
|
configureNginx = true;
|
||||||
|
redisCreateLocally = true;
|
||||||
|
domain = "s.hunner.dev";
|
||||||
|
environmentFile = config.sops.secrets.searx-env.path;
|
||||||
|
settings.server.secret_key = "$SEARX_SECRET_KEY";
|
||||||
|
settings.server.limiter = true;
|
||||||
|
settings.server.base_url = lib.mkForce "https://s.hunner.dev/";
|
||||||
|
settings.general.open_metrics = "$SEARX_METRICS_PASSWORD";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."s.hunner.dev" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
# Protect metrics with nginx Basic Auth and forward the auth header so
|
||||||
|
# SearXNG can validate `general.open_metrics`.
|
||||||
|
locations."= /metrics" = {
|
||||||
|
basicAuthFile = config.sops.secrets.searx-nginx-basic-auth.path;
|
||||||
|
recommendedUwsgiSettings = true;
|
||||||
|
uwsgiPass = "unix:${config.services.uwsgi.instance.vassals.searx.socket}";
|
||||||
|
extraConfig = ''
|
||||||
|
uwsgi_param HTTP_AUTHORIZATION $http_authorization;
|
||||||
|
uwsgi_param HTTP_HOST $host;
|
||||||
|
uwsgi_param HTTP_CONNECTION $http_connection;
|
||||||
|
uwsgi_param HTTP_X_SCHEME $scheme;
|
||||||
|
uwsgi_param HTTP_X_SCRIPT_NAME "";
|
||||||
|
uwsgi_param HTTP_X_REAL_IP $remote_addr;
|
||||||
|
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Protect stats endpoints (/stats, /stats/errors, /stats/checker).
|
||||||
|
locations."^~ /stats" = {
|
||||||
|
basicAuthFile = config.sops.secrets.searx-nginx-basic-auth.path;
|
||||||
|
recommendedUwsgiSettings = true;
|
||||||
|
uwsgiPass = "unix:${config.services.uwsgi.instance.vassals.searx.socket}";
|
||||||
|
extraConfig = ''
|
||||||
|
uwsgi_param HTTP_HOST $host;
|
||||||
|
uwsgi_param HTTP_CONNECTION $http_connection;
|
||||||
|
uwsgi_param HTTP_X_SCHEME $scheme;
|
||||||
|
uwsgi_param HTTP_X_SCRIPT_NAME "";
|
||||||
|
uwsgi_param HTTP_X_REAL_IP $remote_addr;
|
||||||
|
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Catch-all vhost so only s.hunner.dev serves SearXNG.
|
||||||
|
services.nginx.virtualHosts."_" = {
|
||||||
|
default = true;
|
||||||
|
addSSL = true;
|
||||||
|
useACMEHost = "s.hunner.dev";
|
||||||
|
locations."/" = {
|
||||||
|
return = "200 \"This page intentionally left blank.\"";
|
||||||
|
extraConfig = ''
|
||||||
|
default_type text/plain;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
programs.zsh.enable = true;
|
programs.zsh.enable = true;
|
||||||
|
|
||||||
# Add swap on small VPS instances to avoid OOM-kill loops.
|
# Add swap on small VPS instances to avoid OOM-kill loops.
|
||||||
|
|
@ -119,6 +193,6 @@
|
||||||
# Firewall
|
# Firewall
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = [ 22 ];
|
allowedTCPPorts = [ 22 80 443 ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -2,6 +2,8 @@ hashedPassword-hunner: ENC[AES256_GCM,data:fvgYWStE5XyHF1b9lntEfnml9cFbwaz5YCJRi
|
||||||
hashedPassword-ruil: ENC[AES256_GCM,data:fwBU+24byBOTKljdABTvk2VxR5PGR18R3oozB/wSlORz12oQwjqAtdVBLSR2JZqA7yOWM5V//Ig60GCE4XmYc5pwVsEWqdY8JA==,iv:yuMNzQc+YfPyCFNYgNsh+xEJyLIFRUj0Er5TtYdcG18=,tag:dQpTM937EHEcEDJto4BVog==,type:str]
|
hashedPassword-ruil: ENC[AES256_GCM,data:fwBU+24byBOTKljdABTvk2VxR5PGR18R3oozB/wSlORz12oQwjqAtdVBLSR2JZqA7yOWM5V//Ig60GCE4XmYc5pwVsEWqdY8JA==,iv:yuMNzQc+YfPyCFNYgNsh+xEJyLIFRUj0Er5TtYdcG18=,tag:dQpTM937EHEcEDJto4BVog==,type:str]
|
||||||
hashedPassword-root: ENC[AES256_GCM,data:E/T3LBreiSZaC/qZ2QNxz3prGHoj47zS3ILsa7lmPzJDfLQ5yALxjWo4GyPHT9+kAU7uGOBG5/Ab5VqWxw+1cyk/YwT2dyMB+Q==,iv:eMav5Lnrm9SmQgHSDFiTKP6n9mADSsunlWyrSrIgA4E=,tag:fcMt6wiOClb30Vfkd9Dxmw==,type:str]
|
hashedPassword-root: ENC[AES256_GCM,data:E/T3LBreiSZaC/qZ2QNxz3prGHoj47zS3ILsa7lmPzJDfLQ5yALxjWo4GyPHT9+kAU7uGOBG5/Ab5VqWxw+1cyk/YwT2dyMB+Q==,iv:eMav5Lnrm9SmQgHSDFiTKP6n9mADSsunlWyrSrIgA4E=,tag:fcMt6wiOClb30Vfkd9Dxmw==,type:str]
|
||||||
openclaw-env: ENC[AES256_GCM,data:pJq+HdqlNjx0qeVHhPcnZk9FNm7/eMWm8vZ3ROnQ00qR4lXo3f86wL3vH9UQjVtdKSGDQj171b88nCVWqLY/h9YP2ld/1AwI7K06bzCRTjAYXzcpCfLyDEc0x3olSNTwsyKN4avI1x+9xciE36b53VVFpLNhGsRz9pT+jWx1jeVIUNbh6OGu4CGA1I2L4TaAiGEfEh29mDrAzqPLzIkyaSvay3+fun4X0SbpbE0bLnd6NnVUjff0HCgiDDDckc/O33G/k6OcLaN04hDnnCVIfGxPkRQKB02QC33mb35T5N4T,iv:DNNbwHGfQjY9Uvw4QXUz6IqtNQWZKLDD0GtvnoowxB0=,tag:+cu3ZVjo2xUg/wyIlUvD0Q==,type:str]
|
openclaw-env: ENC[AES256_GCM,data:pJq+HdqlNjx0qeVHhPcnZk9FNm7/eMWm8vZ3ROnQ00qR4lXo3f86wL3vH9UQjVtdKSGDQj171b88nCVWqLY/h9YP2ld/1AwI7K06bzCRTjAYXzcpCfLyDEc0x3olSNTwsyKN4avI1x+9xciE36b53VVFpLNhGsRz9pT+jWx1jeVIUNbh6OGu4CGA1I2L4TaAiGEfEh29mDrAzqPLzIkyaSvay3+fun4X0SbpbE0bLnd6NnVUjff0HCgiDDDckc/O33G/k6OcLaN04hDnnCVIfGxPkRQKB02QC33mb35T5N4T,iv:DNNbwHGfQjY9Uvw4QXUz6IqtNQWZKLDD0GtvnoowxB0=,tag:+cu3ZVjo2xUg/wyIlUvD0Q==,type:str]
|
||||||
|
searx-env: ENC[AES256_GCM,data:dJ8JGxTWBdrli340Yjs5bA7X25NjExj5Mxp2T49jVEv/pafTtyMWf7Tvonzv+krCe1k/Zsh7KuWoJxXXOOGjRLPP1eQMMJunoL/P6JXruX+ZkBN5XbYB/UdWdkUrcvdDSyMcofZwgqYdDUy6J5ZlvcnmvuIM,iv:DuzG234PInaT/2CYQp9fzGh0EBYrxA7cto5uI4tGSkQ=,tag:1PNQKboKl6N7SULlUeAcgA==,type:str]
|
||||||
|
searx-nginx-basic-auth: ENC[AES256_GCM,data:v22LhW/PksCnfheQ5dYF4n0pLNdGEe8q/bp0aoP/ZRcUFsSWZSdt6Wuj3BdpW7Hl/vJiWysxDX/0mi1GQ7flZz0+lmIWe29hSroJljAccMrafL6CY7r2awk+IC5Z2hNmbvLxbHzyN9U8mExazeNuWq0=,iv:OpSkH4C0eAF6CrRJRmQRtC9j+0WEKLM1a0rNeGtROaY=,tag:7nbFtk02bgB0glANehZXTw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
|
- recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
|
||||||
|
|
@ -22,7 +24,7 @@ sops:
|
||||||
VHorQzNrMFJLaFpSalZZdjNraXhlSVUKwWLesTzMxsEB45hWWzhZGWc1cDm/gmvF
|
VHorQzNrMFJLaFpSalZZdjNraXhlSVUKwWLesTzMxsEB45hWWzhZGWc1cDm/gmvF
|
||||||
MAytSLiBcieAkRKZoklyk/llbnq7kycvpZCU/sQrjKqmoHkC+TF3BQ==
|
MAytSLiBcieAkRKZoklyk/llbnq7kycvpZCU/sQrjKqmoHkC+TF3BQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2026-02-14T08:58:11Z"
|
lastmodified: "2026-02-24T07:16:51Z"
|
||||||
mac: ENC[AES256_GCM,data:7OTjKMqKjHqJUA67dafkr/Vo2Bvetla10ZSjie1ZL+UXUINEOczop9YY/tTONboZYn0Ihqe1fYapPHied/+q2a2jp9DUSMlvnUj4oDj6IigAzwlOsARPNmtk7p+gV+ROmoAudBalB/M/AI4kfj7h9o+vYfaSpcfBLPYTPVpS8GQ=,iv:sQiBQU0V4oAOxo4UdEkehLJBYhu/kmjOMM+6X/hkWIg=,tag:XYRpDeVpr2MQadKpD62nFA==,type:str]
|
mac: ENC[AES256_GCM,data:sOhZnDFUDSEgoAuj3JKntckpu/2wQ2GrNxU7As855i+zT8zkEJlatf5Lw4Mr5NnYQMu6Jtgq26+6ucY7VcMxlqEdm0+jWMSA9Q2iPFZspgvZHqfoqpKlAjqKP90IcPYuieZm53FQSBdTvD0TlCk5ZNG7DyErAdfPSjqozPPsuk4=,iv:QNXCvwcUvug+rfPJnVGnVs42/hBHOnaEd9FpwhJMJkU=,tag:h8v/W+gt9LFspAty/3zZrg==,type:str]
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.11.0
|
version: 3.11.0
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue