diff --git a/README.org b/README.org index de776f7..fd5cee6 100644 --- a/README.org +++ b/README.org @@ -41,10 +41,12 @@ This guide documents the process for a minimal installation of NixOS on a Proxmo - [[#optional-nixos-modules][Optional NixOS Modules]] - [[#reverse-proxies][Reverse Proxies]] - [[#file-servers][File Servers]] + - [[#search-engines][Search Engines]] - [[#notes-and-configuration-details][Notes and Configuration Details]] - [[#disko-configuration-for-proxmox-mbr-boot][Disko Configuration for Proxmox (MBR Boot)]] - [[#generating-hardware-configuration][Generating Hardware Configuration]] - [[#todos][TODOs]] +- [[#inspiration][Inspiration]] * Prerequisites on the Target VM Before attempting to install NixOS with =nixos-anywhere=, you must first perform a critical setup step on the target Proxmox VM. @@ -158,7 +160,7 @@ dov = { ** File Servers *** copyparty -Provides a web-based file manager. +Provides a web-based file manager. For more information, see the [[https://github.com/9001/copyparty][official documentation]]. #+begin_src nix dov = { file-server.copyparty.enable = true; @@ -172,6 +174,15 @@ dov = { }; #+end_src +** Search Engines +*** searxng +A privacy-respecting metasearch engine. For more information, see the [[https://wiki.nixos.org/wiki/SearXNG][NixOS Wiki page]]. +#+begin_src nix +dov = { + searxng.enable = true; +}; +#+end_src + * Notes and Configuration Details ** Disko Configuration for Proxmox (MBR Boot) A critical requirement for ensuring a NixOS VM can boot correctly in Proxmox is the disk partition scheme. Proxmox expects a Master Boot Record (MBR) compatible setup. @@ -224,3 +235,7 @@ nix run github:nix-community/nixos-anywhere -- \ - [ ] Refactor the =disko= configuration to make the disk device name (e.g., =/dev/sda=) a variable. This will avoid hardcoding the value and make the configuration more portable. - [ ] Create a custom ISO image to streamline the installation process, potentially pre-configuring items like the root user to avoid manual console steps. - [ ] Develop an automated installation script to handle the post-install process, such as fetching the AGE key and updating sops, based on [[https://unmovedcentre.com/posts/remote-install-nixos-config/#update-sops-file][this guide]]. + +* Inspiration +The configuration and structure of this setup were inspired by the following repository: +- [[https://github.com/notthebee/nix-config][notthebee/nix-config]] diff --git a/main/default.nix b/main/default.nix index 1903544..07d363a 100644 --- a/main/default.nix +++ b/main/default.nix @@ -151,6 +151,8 @@ in { file-server.copyparty.enable = true; samba.enable = true; + + searxng.enable = true; }; # DO NOT CHANGE AT ANY POINT! diff --git a/main/secrets/secrets.yaml b/main/secrets/secrets.yaml index 0c7afc4..4a9cfd7 100644 --- a/main/secrets/secrets.yaml +++ b/main/secrets/secrets.yaml @@ -15,6 +15,7 @@ copyparty: admin_password: ENC[AES256_GCM,data:VlHcQB1Z1/wSUi8yCEpcW+i8h3c=,iv:mystE6THTS50LzV/TPm+QtZ1C87Vxtx+W9jVzcGAnSM=,tag:8nxtbklHwJnI7VHjJA55dQ==,type:str] alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str] smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str] +searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str] sops: age: - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke @@ -35,7 +36,7 @@ sops: NHdWQnlGbk43WS80VDkxV0o4TE5uSUUK0WSdFzR3u0pLUYHXaTMrtBm0sKKe9ZPG nF90b/jv66WGIH1n2oFaaohCkd7DZGzSpr0+KsqX6pkszYnp39YC5A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-27T18:42:07Z" - mac: ENC[AES256_GCM,data:EP1ziiWZ3hPCbjLtPdLccL4csnNmLqtQkhwn8x5bwXuqIU9Q8U6+nXIorAG2Ck28hyjnAjHyYMbJcSSrNOVHroA5Xnlps65975WuKe3akNF6n6Nz+gTDQgEzIpxwYD2rEFNutCNN4EhESzh13lvsvdkxTCsFLjZzwQ4DSuVId24=,iv:f2jM71VXiShEkTUOtfONhMIeR6JnC3xpUN2zXJvdDLo=,tag:s62lb8GtrHHBj6ferphGog==,type:str] + lastmodified: "2025-07-27T19:16:54Z" + mac: ENC[AES256_GCM,data:SlHu8gnDv7QluHvgiz4OORZ5X1ooQu3OYvw8l1xfmfA/lUSMpALzzAgzmKjniEamCVcgQubj11I5LpRpUZOKzL5VmhbCONPknxCDTGgILf1gJlV3NhmEymChGgyrxItqCABA+hjXY0RlFGdNCTdeYwWJAIi/a1jzKYcWiGURTr8=,iv:GFGUYDftz5S9OQYU/iyOJLCSye+QuLowar35hgoivlw=,tag:8kv/OLeMzR1PAK4BCj0E2Q==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/modules/default.nix b/modules/default.nix index 11c16fa..908b583 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -7,5 +7,6 @@ ./social ./file-server ./samba + ./searxng ]; } diff --git a/modules/reverse-proxy/traefik/default.nix b/modules/reverse-proxy/traefik/default.nix index 5cd3f6f..3f6710e 100644 --- a/modules/reverse-proxy/traefik/default.nix +++ b/modules/reverse-proxy/traefik/default.nix @@ -53,10 +53,10 @@ in { acme = { email = "susano@local.com"; storage = "/var/lib/traefik/acme.json"; # Where Traefik stores certs - # Use the DNS-01 challenge with the DuckDNS provider + dnsChallenge = { provider = "duckdns"; - disablePropagationCheck = true; + #disablePropagationCheck = true; }; }; }; @@ -91,6 +91,13 @@ in { service = "copyparty-service"; tls.certResolver = "duckdns"; }; + + searxng = mkIf config.dov.searxng.enable { + rule = "Host(`searxng.${domain}`)"; + entryPoints = [ "websecure" ]; + service = "serxng-service"; + tls.certResolver = "duckdns"; + }; }; services = { @@ -104,7 +111,14 @@ in { copyparty-service = mkIf config.dov.file-server.copyparty.enable { loadBalancer.servers = [ # The backend URL for Immich - { url = "http://192.168.1.85:3923"; } + { url = "http://susano:3923"; } + ]; + }; + + serxng-service = mkIf config.dov.searxng.enable { + loadBalancer.servers = [ + # The backend URL for Immich + { url = "http://susano:8888"; } ]; }; }; diff --git a/modules/searxng/default.nix b/modules/searxng/default.nix new file mode 100644 index 0000000..9737433 --- /dev/null +++ b/modules/searxng/default.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.dov.searxng; + port = 8888; +in { + options.dov.searxng = { + enable = mkEnableOption "searxng config"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ port ]; + + sops.secrets.searxng = { }; + + services.searx = { + enable = cfg.enable; + redisCreateLocally = true; + + # Rate limiting + limiterSettings = { + real_ip = { + x_for = 1; + ipv4_prefix = 32; + ipv6_prefix = 56; + }; + + botdetection = { + ip_limit = { + filter_link_local = true; + link_token = true; + }; + }; + }; + + # UWSGI configuration + runInUwsgi = true; + + uwsgiConfig = { + socket = "/run/searx/searx.sock"; + http = ":${ builtins.toString port}"; + chmod-socket = "660"; + }; + + # Searx configuration + settings = { + # Instance settings + general = { + debug = false; + instance_name = "NixOS SearXNG"; + donation_url = false; + contact_url = false; + privacypolicy_url = false; + enable_metrics = false; + }; + + # User interface + ui = { + static_use_hash = true; + default_locale = "en"; + query_in_title = true; + infinite_scroll = false; + center_alignment = true; + default_theme = "simple"; + theme_args.simple_style = "auto"; + search_on_category_select = false; + hotkeys = "vim"; + }; + + # Search engine settings + search = { + safe_search = 2; + autocomplete_min = 2; + autocomplete = "duckduckgo"; + ban_time_on_fail = 5; + max_ban_time_on_fail = 120; + }; + + # Server configuration + server = { + base_url = "https://searng.susano-nixos.duckdns.org"; + port = port; + bind_address = "127.0.0.1"; + secret_key = config.sops.secrets.searxng.path; + limiter = true; + public_instance = true; + image_proxy = true; + method = "GET"; + }; + + # Search engines + engines = lib.mapAttrsToList (name: value: { inherit name; } // value) { + "duckduckgo".disabled = true; + "brave".disabled = true; + "bing".disabled = false; + "mojeek".disabled = true; + "mwmbl".disabled = false; + "mwmbl".weight = 0.4; + "qwant".disabled = true; + "crowdview".disabled = false; + "crowdview".weight = 0.5; + "curlie".disabled = true; + "ddg definitions".disabled = false; + "ddg definitions".weight = 2; + "wikibooks".disabled = false; + "wikidata".disabled = false; + "wikiquote".disabled = true; + "wikisource".disabled = true; + "wikispecies".disabled = false; + "wikispecies".weight = 0.5; + "wikiversity".disabled = false; + "wikiversity".weight = 0.5; + "wikivoyage".disabled = false; + "wikivoyage".weight = 0.5; + "currency".disabled = true; + "dictzone".disabled = true; + "lingva".disabled = true; + "bing images".disabled = false; + "brave.images".disabled = true; + "duckduckgo images".disabled = true; + "google images".disabled = false; + "qwant images".disabled = true; + "1x".disabled = true; + "artic".disabled = false; + "deviantart".disabled = false; + "flickr".disabled = true; + "imgur".disabled = false; + "library of congress".disabled = false; + "material icons".disabled = true; + "material icons".weight = 0.2; + "openverse".disabled = false; + "pinterest".disabled = true; + "svgrepo".disabled = false; + "unsplash".disabled = false; + "wallhaven".disabled = false; + "wikicommons.images".disabled = false; + "yacy images".disabled = true; + "bing videos".disabled = false; + "brave.videos".disabled = true; + "duckduckgo videos".disabled = true; + "google videos".disabled = false; + "qwant videos".disabled = false; + "dailymotion".disabled = true; + "google play movies".disabled = true; + "invidious".disabled = true; + "odysee".disabled = true; + "peertube".disabled = false; + "piped".disabled = true; + "rumble".disabled = false; + "sepiasearch".disabled = false; + "vimeo".disabled = true; + "youtube".disabled = false; + "brave.news".disabled = true; + "google news".disabled = true; + }; + + # Outgoing requests + outgoing = { + request_timeout = 5.0; + max_request_timeout = 15.0; + pool_connections = 100; + pool_maxsize = 15; + enable_http2 = true; + }; + + # Enabled plugins + enabled_plugins = [ + "Basic Calculator" + "Hash plugin" + "Tor check plugin" + "Open Access DOI rewrite" + "Hostnames plugin" + "Unit converter plugin" + "Tracker URL remover" + ]; + }; + }; + }; +}