Commit 5ec7f2135c73

Vincent Demeester <vincent@sbr.pm>
2026-04-12 22:07:41
feat(carthage): add microsocks SOCKS5 proxy for SearXNG
Added microsocks service and firewall rule that were present on kerkouane but missing after the migration to carthage. SearXNG on sakhalin uses this proxy for round-robin request distribution to avoid search engine rate limiting.
1 parent fd11e30
Changed files (1)
systems/carthage/extra.nix
@@ -459,6 +459,15 @@ in
     peers = libx.generateWireguardPeers globals.machines;
   };
 
+  # SOCKS5 proxy for SearXNG outgoing requests (VPN-only)
+  # Allows searx on sakhalin to route queries through carthage's IP
+  # for round-robin proxy rotation to avoid search engine rate limiting
+  services.microsocks = {
+    enable = true;
+    ip = builtins.head globals.machines.carthage.net.vpn.ips;
+    port = 1080;
+  };
+
   services.gosmee = {
     enable = true;
     public-url = "https://webhook.sbr.pm";
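Review bot: the `services.microsocks` block sets only `enable`, `ip` and `port`, so the proxy accepts unauthenticated connections and every host that can reach the VPN address can relay traffic through carthage's public IP. If the module in use exposes credential options (the upstream NixOS module has `authUsername` and `authPasswordFile`), set them and give SearXNG the matching credentials, so the bind address and firewall rule are not the only controls. Also, `ip = builtins.head globals.machines.carthage.net.vpn.ips;` silently depends on list order and on the WireGuard interface already holding that address when the service starts. A short comment stating that the first entry is the IPv4 VPN address, plus an ordering dependency on the WireGuard unit, would make both assumptions explicit.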
@@ -491,6 +500,9 @@ in
       # Allow node exporter (9000) only from VPN network
       iptables -A nixos-fw -p tcp -s 10.100.0.0/24 --dport 9000 -j nixos-fw-accept
 
+      # Allow microsocks SOCKS5 proxy (1080) only from VPN network
+      iptables -A nixos-fw -p tcp -s 10.100.0.0/24 --dport 1080 -j nixos-fw-accept
+
       # Block known SYN flood source (USBINF INFORMATICA LTDA, Brazil)
       iptables -I nixos-fw 1 -s 45.233.176.0/22 -j DROP
       ip6tables -I nixos-fw 1 -s ::ffff:45.233.176.0/118 -j DROP
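Review bot: the new rule's `-s 10.100.0.0/24` admits every VPN peer to port 1080, while the commit message names SearXNG on sakhalin as the only consumer. Consider narrowing the source to sakhalin's VPN address, ideally derived from `globals.machines` the same way the bind address is in the first hunk (assuming sakhalin has an equivalent entry there), so that a compromised or misconfigured peer cannot use carthage as an egress proxy. The subnet is also hard-coded here while the service's bind address comes from `globals`, so the two can drift if the VPN range changes.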