Add searchnx container

Erwin Boskma 2024-12-23 16:44:36 +01:00
parent 8ea7d8cfb3
commit 04f7785457
Signed by: erwin
SSH key fingerprint: SHA256:9LmFDe1C6jSrEyqxxvX8NtJBmcbB105XoqyUZF092bg
7 changed files with 313 additions and 4 deletions


@ -16,6 +16,7 @@ keys:
- &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5 - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
- &read age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj - &read age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj
- &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v
- &search age1vxxy66vw8tqqw27xtp7l4np5xstfla7ck7sr29rhhr9fysxj547qdtm6vl
- &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f - &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f
creation_rules: creation_rules:
- path_regex: machines/loki/[^/]+\.yaml$ - path_regex: machines/loki/[^/]+\.yaml$
@ -96,6 +97,12 @@ creation_rules:
- *erwin - *erwin
- *erwin_horus - *erwin_horus
- *saga - *saga
- path_regex: machines/search/[^/]+\.ya?ml$
key_groups:
- age:
- *erwin
- *erwin_horus
- *search
- path_regex: machines/valkyrie/[^/]+\.ya?ml$ - path_regex: machines/valkyrie/[^/]+\.ya?ml$
key_groups: key_groups:
- age: - age:


@ -124,6 +124,15 @@ inputs: {
tags = [ "container" ]; tags = [ "container" ];
}; };
}; };
search = {
config = import ./search/configuration.nix inputs;
deploy = {
# host = "10.0.0.214";
host = "search.barn-beaver.ts.net";
targetUser = "erwin";
tags = [ "container" ];
};
};
thor = { thor = {
system = "aarch64-linux"; system = "aarch64-linux";
config = import ./thor/configuration.nix inputs; config = import ./thor/configuration.nix inputs;


@ -0,0 +1,118 @@
{ self, ... }:
{
modulesPath,
pkgs,
config,
lib,
...
}:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./searxng.nix
# ./backup.nix
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
rust-motd.enable = true;
tailscale.enable = true;
};
boot = {
isContainer = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "search";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
systemd = {
services.logrotate-checkconf.enable = false;
network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.214/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
};
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [ "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" ];
hash = "sha256-Aqu2st8blQr/Ekia2KrH1AP/2BVZIN4jOJpdLc1Rr4g=";
};
virtualHosts = {
"search.datarift.nl" = {
extraConfig = ''
reverse_proxy 127.0.0.1:${config.services.searx.settings.server.port or "8888"}
tls {
dns cloudflare {env.CF_API_TOKEN}
resolvers 1.1.1.1
}
'';
};
};
};
systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
caddy-env = { };
searxng-env = { };
search-backup-ssh-key = { };
search-backup-pass = { };
};
system.stateVersion = "25.05";
}
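Review bot: `firewall.trustedInterfaces = [ "tailscale0" ]` accepts every port from every tailnet peer, so together with `bind_address = "0.0.0.0"` in searxng.nix the plain-HTTP SearXNG backend is reachable over Tailscale without passing through Caddy. Unless tailnet ACLs already restrict this host, opening only what Caddy serves is tighter, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 443 ];` (plus SSH for the deploy path if no other module opens it). Separately, the `reverse_proxy` line interpolates `config.services.searx.settings.server.port or "8888"`. The string fallback works while the port is unset, but Nix will not interpolate an integer, so setting `port = 8888;` later would break evaluation; wrapping the expression in `toString (...)` avoids that.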

132
machines/search/searxng.nix Normal file

@ -0,0 +1,132 @@
{ config, ... }:
{
services.searx = {
enable = true;
environmentFile = config.sops.secrets.searxng-env.path;
settings = {
general = {
instance_name = "Search";
};
search = {
safe_search = 0;
autocomplete = "google";
favicon_resolver = "google";
};
server = {
bind_address = "0.0.0.0";
base_url = "https://search.datarift.nl";
image_proxy = true;
http_protocol_version = "1.1";
method = "GET";
};
ui = {
static_use_hash = true;
results_on_new_tab = true;
};
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Open Access DOI rewrite"
"Self Information"
"Tracker URL remover"
"Unit converter plugin"
];
engines = [
{
name = "bing";
disabled = true;
}
{
name = "cppreference";
disabled = false;
}
{
name = "tineye";
disabled = false;
}
{
name = "codeberg";
disabled = false;
}
{
name = "google videos";
disabled = true;
}
{
name = "crates.io";
disabled = false;
}
{
name = "hoogle";
disabled = true;
}
{
name = "kickass";
disabled = true;
}
{
name = "lobste.rs";
disabled = false;
}
{
name = "pinterest";
disabled = true;
}
{
name = "piratebay";
disabled = true;
}
{
name = "reddit";
disabled = false;
}
{
name = "solidtorrents";
disabled = true;
}
{
name = "torch";
disabled = true;
}
{
name = "youtube";
disabled = true;
}
{
name = "dailymotion";
disabled = true;
}
{
name = "vimeo";
disabled = true;
}
{
name = "brave";
disabled = true;
}
{
name = "brave.images";
disabled = true;
}
{
name = "brave.videos";
disabled = true;
}
{
name = "brave.news";
disabled = true;
}
{
name = "sourcehut";
disabled = false;
}
];
};
};
}
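Review bot: `bind_address = "0.0.0.0"` makes SearXNG listen on every interface, although the only client visible in this commit is Caddy proxying to `127.0.0.1`; `bind_address = "127.0.0.1";` would keep the unencrypted backend off the network. `method = "GET"` puts each query into the URL, where it lands in browser history and any access log along the path; `method = "POST";` avoids that if bookmarkable searches are not needed. `autocomplete = "google"` and `favicon_resolver = "google"` forward typed prefixes and result hostnames to Google from this instance, which deserves a short comment if it is a deliberate trade-off. No `secret_key` appears under `server`, so it is presumably supplied through `searxng-env`; a one-line comment saying so would help the next reader.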


@ -0,0 +1,42 @@
searxng-env: ENC[AES256_GCM,data:3Z4LI4440Uk84h+xdr1/CqIkHph5nhXnaEtX4QKUkZkVZHZC/XufFtnVWHcR0tJ8b3zXAXWqfz2yC1+RMOFICq4/eF9AamvXOVJ9GsiRFzXZFS00t3TAy7ZEP0g3mm3Yir1e/TgfyEWynUEVa+Y9FPMjjm2QZbi2KL45Zsk6ZrLqI9/0Lol8JnT/A4oB2NY=,iv:5SRBUWOLZP1KaHbJa9B8qlTNsSQeFBrOy8glxDD1fsk=,tag:xmbN0QFv+2PKrqFGwYTQDQ==,type:str]
search-backup-ssh-key: ""
search-backup-pass: ""
caddy-env: ENC[AES256_GCM,data:7tiP85SblV7T/9yiHyiJOc/ESaNWIySfSkpjzHhRHqEXFvaz/drj/HSj6eN+6FpTSrtoBSQ=,iv:i3In19LnAbfTkxDVeEAZ6h3lx9KPAXKVdim16DVTE68=,tag:RNouu7g6FdPOoO51Wby0HQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRR243TTZNaVNpS0F4WjlD
L2I3Y3RKKy9oN2JYMmM2UkM1V2JRMEZEMWc4CjRJY3pvTGhzR2NJRkY1VzhOaVNk
UDQ5VlAzajZ6YTN6SityV25CR0pNSDgKLS0tIHBCSExNMXhVTmpnanUvVzdBdzJm
YU8zRU5Db2ZkSGovRmxpRGI4T2ZnelkKV0oLDxdkmB5r6Y/HTX82CFRA4vjV0BIL
7cRA35icYl/OAMgcIzK/ev8QP9nue4sm1mZGqK6+4Q8Lxad9m9lIKw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYU5XamVjY3UvQ0xhemp0
OUNzY1MwSHBUcENyNzBuNUZwWUlmMkxCMWx3CnkxdHhVb3BONFBOcmxVMmMwMWpj
aGh6dW56ZEJtNm1idWFYUHhpeXZOUncKLS0tIFo4T2ZLT202NDlwbDVVS1ZUTVd0
TDlWMkZmWU1xeEJ0YlZzOHA3UkFva3cK33Jw/17ZVitgOPBs+bNrKuhU6UdnCaCt
zbWj3XZtkeD0gwY4tPpbK0sqBtu1O0MCKqUgN6hXcaQvIlRyIBdjwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vxxy66vw8tqqw27xtp7l4np5xstfla7ck7sr29rhhr9fysxj547qdtm6vl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYmZuMTJhSkJXZEpQYVUr
Y2tTdk1XTURtME5OQXhha0lOd21UcHVoeEVvCmQ0VlU1RDJBNE1NQjN2cmhacDNM
bndrS1FBbHpxeGRTRXlMWSs5KzZYR2sKLS0tIDdxcUJOM25qL2ZMUi9RMXZEVGtt
Qk1CR281SUJLbXRrS1JxM3R5UE5yT1EKFu+yaUvdD29UZQM5JWc73RzwqCwtADmQ
Wj55pyifNKJ49582R5Az7Dbyfa9ONmMMl/rHoHY4MlezOvKWn46/Ow==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-20T14:08:51Z"
mac: ENC[AES256_GCM,data:8bvJf7Jr8js+KgdE5paRWo8PwJjEoXDNiA9CxKRrKv9x66+QGTkYoNVrYr9eBDZsHv/UpPpyPYUKG6BGk4ZKQhnduR6+YuFagzypy781mX1IlIVZ6E3yNrA7bbJiOGMrnOEOzhu/41CN65nM8DkJVvzri+wuBQDFroury7ebwCg=,iv:81ddHQ7lteiHo0oS4LMTE+tIRijXpjxdlJxjcaP89Jc=,tag:nCB+yjQy1+EhzddO6RmmYQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2
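Review bot: `search-backup-ssh-key` and `search-backup-pass` are committed as empty strings, while configuration.nix in this commit already declares both under `sops.secrets` and leaves `./backup.nix` commented out, so the host would presumably receive two empty secret files. Either drop the two keys and their declarations until the backup module is enabled, or populate them through `sops` first. Otherwise a later enablement of backups could run with an empty SSH key and passphrase without any evaluation error pointing at the cause.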


@ -1,6 +1,6 @@
$ORIGIN datarift.nl. $ORIGIN datarift.nl.
$TTL 3600 $TTL 3600
@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 8 3600 900 86400 1800 @ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 9 3600 900 86400 1800
home IN A 10.0.0.251 home IN A 10.0.0.251
factorio IN A 159.69.211.175 factorio IN A 159.69.211.175
@ -15,6 +15,6 @@ mqtt IN A 10.0.0.254
nix-cache IN A 10.0.0.209 nix-cache IN A 10.0.0.209
read IN A 10.0.0.207 read IN A 10.0.0.207
saga IN A 10.0.0.251 saga IN A 10.0.0.251
search IN A 10.0.0.214
vidz IN A 10.0.0.211 vidz IN A 10.0.0.211
unifi IN A 10.0.0.1 unifi IN A 10.0.0.1
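Review bot: `search IN A 10.0.0.214` sends LAN clients to the container's eth0 address, but configuration.nix in this commit opens no TCP ports on that interface and trusts only `tailscale0`. Unless a shared module opens 443 elsewhere, LAN clients that resolve `search.datarift.nl` through this zone will be dropped by the host firewall and only tailnet clients will reach Caddy. If LAN access is intended, add `networking.firewall.allowedTCPPorts = [ 443 ];` on the host; if not, a comment next to the record saying it is informational would avoid confusion.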


@ -1,5 +1,5 @@
$TTL 3600 $TTL 3600
@ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 17 3600 900 86400 1800 @ IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 19 3600 900 86400 1800
home.datarift.nl. IN CNAME proxy.barn-beaver.ts.net. home.datarift.nl. IN CNAME proxy.barn-beaver.ts.net.
frigate.datarift.nl. IN CNAME frigate.barn-beaver.ts.net. frigate.datarift.nl. IN CNAME frigate.barn-beaver.ts.net.
@ -11,6 +11,7 @@ mqtt.datarift.nl. IN CNAME homeassistant.barn-beaver.ts.net.
nix-cache.datarift.nl. IN CNAME nix-cache.barn-beaver.ts.net. nix-cache.datarift.nl. IN CNAME nix-cache.barn-beaver.ts.net.
read.datarift.nl. IN CNAME read.barn-beaver.ts.net. read.datarift.nl. IN CNAME read.barn-beaver.ts.net.
saga.datarift.nl. IN CNAME saga.barn-beaver.ts.net. saga.datarift.nl. IN CNAME saga.barn-beaver.ts.net.
search.datarift.nl. IN CNAME search.barn-beaver.ts.net.
vidz.datarift.nl. IN CNAME vidz.barn-beaver.ts.net. vidz.datarift.nl. IN CNAME vidz.barn-beaver.ts.net.
heimdall.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net. heimdall.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net.
meili.datarift.nl. IN CNAME meili.barn-beaver.ts.net. meili.datarift.nl. IN CNAME meili.barn-beaver.ts.net.
@ -20,4 +21,4 @@ garfield.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net.
factorio.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net. factorio.datarift.nl. IN CNAME heimdall.barn-beaver.ts.net.
unifi.datarift.nl. IN A 10.0.0.1 unifi.datarift.nl. IN A 10.0.0.1
unifi.datarift.nl. IN AAAA fdcd:eae3:8553::1