From 04f77854572e27a8023fc5b334bcac169e7183a2 Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Mon, 23 Dec 2024 16:44:36 +0100 Subject: [PATCH] Add searchnx container --- .sops.yaml | 7 ++ machines/default.nix | 9 ++ machines/search/configuration.nix | 118 ++++++++++++++++++++ machines/search/searxng.nix | 132 +++++++++++++++++++++++ machines/search/secrets.yaml | 42 ++++++++ machines/valkyrie/coredns/datarift.zone | 4 +- machines/valkyrie/coredns/tailscale.zone | 5 +- 7 files changed, 313 insertions(+), 4 deletions(-) create mode 100644 machines/search/configuration.nix create mode 100644 machines/search/searxng.nix create mode 100644 machines/search/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index f278649..ee9b2c4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -16,6 +16,7 @@ keys: - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5 - &read age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v + - &search age1vxxy66vw8tqqw27xtp7l4np5xstfla7ck7sr29rhhr9fysxj547qdtm6vl - &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f creation_rules: - path_regex: machines/loki/[^/]+\.yaml$ @@ -96,6 +97,12 @@ creation_rules: - *erwin - *erwin_horus - *saga + - path_regex: machines/search/[^/]+\.ya?ml$ + key_groups: + - age: + - *erwin + - *erwin_horus + - *search - path_regex: machines/valkyrie/[^/]+\.ya?ml$ key_groups: - age: diff --git a/machines/default.nix b/machines/default.nix index 9d49f2c..538c860 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -124,6 +124,15 @@ inputs: { tags = [ "container" ]; }; }; + search = { + config = import ./search/configuration.nix inputs; + deploy = { + # host = "10.0.0.214"; + host = "search.barn-beaver.ts.net"; + targetUser = "erwin"; + tags = [ "container" ]; + }; + }; thor = { system = "aarch64-linux"; config = import ./thor/configuration.nix inputs; 
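Review bot: The new `search.deploy` block in machines/default.nix carries a commented-out `# host = "10.0.0.214";` next to the live `host = "search.barn-beaver.ts.net";`, which is dead configuration that will drift from the address in machines/search/configuration.nix. Either drop the line or make it an explanatory comment such as `# deploy over Tailscale; the LAN address 10.0.0.214 is set in ./search/configuration.nix`. The other `container` entries on this line follow the same shape, so if they also keep a commented IP the cleanup belongs in one pass.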
diff --git a/machines/search/configuration.nix b/machines/search/configuration.nix new file mode 100644 index 0000000..ffb8a64 --- /dev/null +++ b/machines/search/configuration.nix 
@@ -0,0 +1,118 @@ +{ self, ... }: +{ + modulesPath, + pkgs, + config, + lib, + ... +}: +{ + imports = [ + (modulesPath + "/virtualisation/lxc-container.nix") + + ../../users/root + ../../users/erwin + + ./searxng.nix + # ./backup.nix + ]; + + eboskma = { + users.erwin = { + enable = true; + server = true; + }; + + nix-common = { + enable = true; + remote-builders = true; + }; + + rust-motd.enable = true; + tailscale.enable = true; + }; + + boot = { + isContainer = true; + }; + + time.timeZone = "Europe/Amsterdam"; + + system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; + + networking = { + hostName = "search"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + nftables.enable = true; + firewall.trustedInterfaces = [ "tailscale0" ]; + }; + + systemd = { + services.logrotate-checkconf.enable = false; + + network = { + enable = true; + + wait-online.anyInterface = true; + + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.214/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + }; + + services.caddy = { + enable = true; + package = pkgs.caddy.withPlugins { + plugins = [ "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" ]; + hash = "sha256-Aqu2st8blQr/Ekia2KrH1AP/2BVZIN4jOJpdLc1Rr4g="; + }; + + virtualHosts = { + "search.datarift.nl" = { + extraConfig = '' + reverse_proxy 127.0.0.1:${config.services.searx.settings.server.port or "8888"} + tls { + dns cloudflare {env.CF_API_TOKEN} + resolvers 1.1.1.1 + } + ''; + }; + }; + }; + + systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ]; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; + + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets = { + caddy-env = { }; + searxng-env = { }; + 
search-backup-ssh-key = { }; + search-backup-pass = { }; + }; + + system.stateVersion = "25.05"; +} diff --git a/machines/search/searxng.nix b/machines/search/searxng.nix new file mode 100644 index 0000000..ce37eda --- /dev/null +++ b/machines/search/searxng.nix 
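Review bot: The `reverse_proxy` target is built as `127.0.0.1:${config.services.searx.settings.server.port or "8888"}`, which only evaluates while searxng.nix leaves `server.port` unset; as soon as an integer port is configured there, the interpolation fails because Nix does not coerce integers to strings, so `reverse_proxy 127.0.0.1:${toString (config.services.searx.settings.server.port or 8888)}` is the robust form. `sops.secrets.search-backup-ssh-key` and `search-backup-pass` are declared while `./backup.nix` stays commented out in `imports`, so two secrets are provisioned on the host with no consumer; drop them until the backup module lands, or import it. Nothing in this hunk opens 80/443 on eth0 and `firewall.trustedInterfaces` covers only `tailscale0`, so unless a shared module opens them, the `10.0.0.214` A record added in datarift.zone points LAN clients at a Caddy they cannot reach — worth confirming that is intended.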
@@ -0,0 +1,132 @@ +{ config, ... }: +{ + services.searx = { + enable = true; + environmentFile = config.sops.secrets.searxng-env.path; + settings = { + general = { + instance_name = "Search"; + }; + + search = { + safe_search = 0; + autocomplete = "google"; + favicon_resolver = "google"; + }; + + server = { + bind_address = "0.0.0.0"; + base_url = "https://search.datarift.nl"; + image_proxy = true; + http_protocol_version = "1.1"; + method = "GET"; + }; + + ui = { + static_use_hash = true; + results_on_new_tab = true; + }; + + enabled_plugins = [ + "Basic Calculator" + "Hash plugin" + "Open Access DOI rewrite" + "Self Information" + "Tracker URL remover" + "Unit converter plugin" + ]; + + engines = [ + { + name = "bing"; + disabled = true; + } + { + name = "cppreference"; + disabled = false; + } + { + name = "tineye"; + disabled = false; + } + { + name = "codeberg"; + disabled = false; + } + { + name = "google videos"; + disabled = true; + } + { + name = "crates.io"; + disabled = false; + } + { + name = "hoogle"; + disabled = true; + } + { + name = "kickass"; + disabled = true; + } + { + name = "lobste.rs"; + disabled = false; + } + { + name = "pinterest"; + disabled = true; + } + { + name = "piratebay"; + disabled = true; + } + { + name = "reddit"; + disabled = false; + } + { + name = "solidtorrents"; + disabled = true; + } + { + name = "torch"; + disabled = true; + } + { + name = "youtube"; + disabled = true; + } + { + name = "dailymotion"; + disabled = true; + } + { + name = "vimeo"; + disabled = true; + } + { + name = "brave"; + disabled = true; + } + { + name = "brave.images"; + disabled = true; + } + { + name = "brave.videos"; + disabled = true; + } + { + name = "brave.news"; + disabled = true; + } + { + name = "sourcehut"; + disabled = false; + } + ]; + }; + + }; +} diff --git a/machines/search/secrets.yaml b/machines/search/secrets.yaml new file mode 100644 index 0000000..4790a14 --- /dev/null +++ b/machines/search/secrets.yaml 
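Review bot: `bind_address = "0.0.0.0"` makes searx listen on every interface although Caddy in configuration.nix proxies to `127.0.0.1`, so the plain-HTTP listener is also reachable directly over `tailscale0`, which configuration.nix marks as a trusted firewall interface; `bind_address = "127.0.0.1";` keeps all traffic behind the TLS-terminating proxy. The `server` block never sets `port`, so the proxy target in configuration.nix silently depends on its `or "8888"` fallback; pinning `port = 8888;` here makes the pairing explicit (note the interpolation in configuration.nix then needs `toString`, since `port` would be an integer). A short comment on the `engines` list stating that it only toggles defaults, e.g. `# engine overrides; anything not listed keeps the upstream default`, would save the next reader from assuming it is the full engine set.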
@@ -0,0 +1,42 @@ +searxng-env: ENC[AES256_GCM,data:3Z4LI4440Uk84h+xdr1/CqIkHph5nhXnaEtX4QKUkZkVZHZC/XufFtnVWHcR0tJ8b3zXAXWqfz2yC1+RMOFICq4/eF9AamvXOVJ9GsiRFzXZFS00t3TAy7ZEP0g3mm3Yir1e/TgfyEWynUEVa+Y9FPMjjm2QZbi2KL45Zsk6ZrLqI9/0Lol8JnT/A4oB2NY=,iv:5SRBUWOLZP1KaHbJa9B8qlTNsSQeFBrOy8glxDD1fsk=,tag:xmbN0QFv+2PKrqFGwYTQDQ==,type:str] +search-backup-ssh-key: "" +search-backup-pass: "" +caddy-env: ENC[AES256_GCM,data:7tiP85SblV7T/9yiHyiJOc/ESaNWIySfSkpjzHhRHqEXFvaz/drj/HSj6eN+6FpTSrtoBSQ=,iv:i3In19LnAbfTkxDVeEAZ6h3lx9KPAXKVdim16DVTE68=,tag:RNouu7g6FdPOoO51Wby0HQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRR243TTZNaVNpS0F4WjlD + L2I3Y3RKKy9oN2JYMmM2UkM1V2JRMEZEMWc4CjRJY3pvTGhzR2NJRkY1VzhOaVNk + UDQ5VlAzajZ6YTN6SityV25CR0pNSDgKLS0tIHBCSExNMXhVTmpnanUvVzdBdzJm + YU8zRU5Db2ZkSGovRmxpRGI4T2ZnelkKV0oLDxdkmB5r6Y/HTX82CFRA4vjV0BIL + 7cRA35icYl/OAMgcIzK/ev8QP9nue4sm1mZGqK6+4Q8Lxad9m9lIKw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYU5XamVjY3UvQ0xhemp0 + OUNzY1MwSHBUcENyNzBuNUZwWUlmMkxCMWx3CnkxdHhVb3BONFBOcmxVMmMwMWpj + aGh6dW56ZEJtNm1idWFYUHhpeXZOUncKLS0tIFo4T2ZLT202NDlwbDVVS1ZUTVd0 + TDlWMkZmWU1xeEJ0YlZzOHA3UkFva3cK33Jw/17ZVitgOPBs+bNrKuhU6UdnCaCt + zbWj3XZtkeD0gwY4tPpbK0sqBtu1O0MCKqUgN6hXcaQvIlRyIBdjwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vxxy66vw8tqqw27xtp7l4np5xstfla7ck7sr29rhhr9fysxj547qdtm6vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYmZuMTJhSkJXZEpQYVUr + Y2tTdk1XTURtME5OQXhha0lOd21UcHVoeEVvCmQ0VlU1RDJBNE1NQjN2cmhacDNM + bndrS1FBbHpxeGRTRXlMWSs5KzZYR2sKLS0tIDdxcUJOM25qL2ZMUi9RMXZEVGtt + 
Qk1CR281SUJLbXRrS1JxM3R5UE5yT1EKFu+yaUvdD29UZQM5JWc73RzwqCwtADmQ + Wj55pyifNKJ49582R5Az7Dbyfa9ONmMMl/rHoHY4MlezOvKWn46/Ow== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-20T14:08:51Z" + mac: ENC[AES256_GCM,data:8bvJf7Jr8js+KgdE5paRWo8PwJjEoXDNiA9CxKRrKv9x66+QGTkYoNVrYr9eBDZsHv/UpPpyPYUKG6BGk4ZKQhnduR6+YuFagzypy781mX1IlIVZ6E3yNrA7bbJiOGMrnOEOzhu/41CN65nM8DkJVvzri+wuBQDFroury7ebwCg=,iv:81ddHQ7lteiHo0oS4LMTE+tIRijXpjxdlJxjcaP89Jc=,tag:nCB+yjQy1+EhzddO6RmmYQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/machines/valkyrie/coredns/datarift.zone b/machines/valkyrie/coredns/datarift.zone index a29ac79..bd142f6 100644 --- a/machines/valkyrie/coredns/datarift.zone +++ b/machines/valkyrie/coredns/datarift.zone @@ -1,6 +1,6 @@ $ORIGIN datarift.nl. $TTL 3600 -@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 8 3600 900 86400 1800 +@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 9 3600 900 86400 1800 home IN A 10.0.0.251 factorio IN A 159.69.211.175 @@ -15,6 +15,6 @@ mqtt IN A 10.0.0.254 nix-cache IN A 10.0.0.209 read IN A 10.0.0.207 saga IN A 10.0.0.251 +search IN A 10.0.0.214 vidz IN A 10.0.0.211 unifi IN A 10.0.0.1 - diff --git a/machines/valkyrie/coredns/tailscale.zone b/machines/valkyrie/coredns/tailscale.zone index 274cf8e..c454760 100644 --- a/machines/valkyrie/coredns/tailscale.zone +++ b/machines/valkyrie/coredns/tailscale.zone @@ -1,5 +1,5 @@ $TTL 3600 -@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 17 3600 900 86400 1800 +@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 19 3600 900 86400 1800 home.datarift.nl. IN CNAME proxy.barn-beaver.ts.net. frigate.datarift.nl. IN CNAME frigate.barn-beaver.ts.net. 
@@ -11,6 +11,7 @@ mqtt.datarift.nl. IN CNAME homeassistant.barn-beaver.ts.net. nix-cache.datarift.nl. IN CNAME nix-cache.barn-beaver.ts.net. read.datarift.nl. IN CNAME read.barn-beaver.ts.net. saga.datarift.nl. IN CNAME saga.barn-beaver.ts.net. +search.datarift.nl. IN CNAME search.barn-beaver.ts.net. vidz.datarift.nl. IN CNAME vidz.barn-beaver.ts.net. heimdall.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net. meili.datarift.nl. IN CNAME meili.barn-beaver.ts.net. @@ -20,4 +21,4 @@ garfield.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net. factorio.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net. unifi.datarift.nl. IN A 10.0.0.1 - +unifi.datarift.nl. IN AAAA fdcd:eae3:8553::1
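Review bot: The `unifi.datarift.nl. IN AAAA fdcd:eae3:8553::1` record added in the second hunk is unrelated to the searx container and is not mentioned in the commit message; it also has no counterpart in datarift.zone, which the same commit edits, so the two zones that appear to serve the same names now disagree on unifi. If that is intended, a line in the message or a separate commit would make it reviewable; if not, the matching `unifi IN AAAA fdcd:eae3:8553::1` belongs in datarift.zone with its own serial bump.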