Commit a91ea4bbb5da
Changed files (3)
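--- a/systems/okinawa/extra.nix
+++ b/systems/okinawa/extra.nix
@@ -16,6 +16,7 @@
 ../common/services/networkmanager.nix
 ../common/services/containers.nix
 ../common/services/docker.nix
+../common/services/binfmt.nix
 ../common/services/prometheus-exporters-node.nix
 ../common/services/oomd.nix
 ../../modules/laptop-keyboard-inhibit
@@ -68,7 +69,7 @@
 endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
 };
-# Age secrets for OpenCode web
+# Age secrets
 age.secrets = {
 "opencode-password" = {
 file = ../../secrets/okinawa/opencode-password.age;
@@ -95,6 +96,20 @@
 mode = "400";
 owner = "vincent";
 };
+# Harmonia binary cache signing key
+"harmonia-okinawa-signing-key" = {
+file = ../../secrets/harmonia/okinawa-signing-key.age;
+mode = "440";
+owner = "root";
+group = "root";
+};
+# ntfy notification token (shared secret)
+"ntfy-token" = {
+file = ../../secrets/sakhalin/ntfy-token.age;
+mode = "440";
+owner = "root";
+group = "users";
+};
 };
 # Daneel XMPP Research Bot
@@ -210,10 +225,11 @@
 "d /run/opencode/config 0755 vincent users -"
 ];
-# Firewall: OpenCode web + llama-server (VPN access)
+# Firewall: OpenCode web + llama-server (VPN access) + monitoring
 networking.firewall.allowedTCPPorts = [
 5555 # OpenCode web
 8090 # llama-server
+9000 # Prometheus node exporter
 ];
 # llama.cpp server for local LLM inference with Vulkan GPU (RX 6700S)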
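Review bot: `networking.firewall.allowedTCPPorts` is host-wide, so the `9000 # Prometheus node exporter` entry added under the "(VPN access)" comment opens the exporter on every interface — on a host that imports `laptop-keyboard-inhibit` (presumably a laptop) that means any LAN or Wi-Fi it joins, not just the tunnel; 5555 and 8090 already had this problem, this commit extends it. If the exporter is only scraped over the VPN, move the port to `networking.firewall.interfaces.<vpn-if>.allowedTCPPorts = [ 9000 ];` (or bind the exporter to the VPN address in the imported prometheus-exporters-node module) and drop the misleading parenthetical from the comment. Separately, `ntfy-token` is installed `440` `root:users`, which makes the shared token readable by every account in `users`; unless a non-root service in that group actually reads it, `400` root-owned (or a dedicated group for the one consumer) is the safer default. The `age.secrets` attrset and the firewall list both continue outside the shown hunks.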
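--- a/systems/sakhalin/extra.nix
+++ b/systems/sakhalin/extra.nix
@@ -109,6 +109,12 @@ in
 mode = "400";
 owner = "prometheus";
 };
+age.secrets."searxng-secret-key" = {
+file = ../../secrets/sakhalin/searxng-secret-key.age;
+mode = "400";
+owner = "searx";
+group = "searx";
+};
 # TODO make it an option ? (otherwise I'll add it for all)
 users.users.vincent.linger = true;
@@ -347,6 +353,91 @@ in
 };
 };
+# SearXNG metasearch engine (migrated from aomi)
+# Private instance, API-focused for Pi agent
+searx = {
+enable = true;
+environmentFile = config.age.secrets."searxng-secret-key".path;
+settings = {
+use_default_settings = {
+engines.remove = [
+"ahmia"
+"torch"
+];
+};
+server = {
+port = 8888;
+bind_address = "0.0.0.0";
+secret_key = "$SEARXNG_SECRET_KEY";
+limiter = false; # Private instance, no rate limiting needed
+image_proxy = false;
+};
+search = {
+safe_search = 0;
+autocomplete = "";
+default_lang = "en";
+formats = [
+"html"
+"json"
+];
+};
+# Curated engines for quality results
+engines = [
+{
+name = "duckduckgo";
+engine = "duckduckgo";
+shortcut = "ddg";
+disabled = false;
+}
+{
+name = "google";
+engine = "google";
+shortcut = "g";
+disabled = false;
+}
+{
+name = "brave";
+engine = "brave";
+shortcut = "br";
+disabled = false;
+}
+{
+name = "wikipedia";
+engine = "wikipedia";
+shortcut = "wp";
+disabled = false;
+}
+{
+name = "github";
+engine = "github";
+shortcut = "gh";
+disabled = false;
+}
+{
+name = "stackoverflow";
+engine = "stackexchange";
+shortcut = "so";
+disabled = false;
+categories = "it";
+}
+{
+name = "arch wiki";
+engine = "archlinux";
+shortcut = "aw";
+disabled = false;
+}
+{
+name = "nixos wiki";
+engine = "mediawiki";
+shortcut = "nw";
+disabled = false;
+base_url = "https://wiki.nixos.org/";
+search_type = "text";
+}
+];
+};
+};
+
 tarsnap = {
 enable = true;
 archives = {
@@ -506,5 +597,6 @@ in
 # Open firewall for services accessible from the network
 networking.firewall.allowedTCPPorts = [
 8000 # Paperless-ngx web interface
+8888 # SearXNG metasearch engine
 ];
 }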
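Review bot: `secret_key = "$SEARXNG_SECRET_KEY";` in the `server` block is most likely never substituted — as far as I recall the NixOS searx module only expands values written as `@VARIABLE_NAME@` from `environmentFile`, not shell-style `$VAR` — so SearXNG would run with the literal string `$SEARXNG_SECRET_KEY` as its signing secret, and that value is world-readable in the Nix store. Change it to `secret_key = "@SEARXNG_SECRET_KEY@";` and make sure the age file is a `SEARXNG_SECRET_KEY=...` line, since `environmentFile` is consumed as a systemd EnvironmentFile rather than as a raw key. Second, `bind_address = "0.0.0.0"`, `limiter = false` and the new `8888` entry in `allowedTCPPorts` together expose an unauthenticated, unthrottled search API (with `json` output enabled) on every interface, which contradicts the "Private instance" comment; restrict the port to the VPN/LAN interface via `networking.firewall.interfaces.<if>.allowedTCPPorts` or bind to the tunnel address, and leave the limiter on unless every client is trusted. The attrset the `searx` block sits in begins outside the hunk, so I can't tell whether a reverse proxy or auth layer fronts it.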
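--- a/secrets.nix
+++ b/secrets.nix
@@ -152,6 +152,7 @@ in
 sakhalin
 aion
 aomi
+okinawa
 rhea
 kerkouane
 ];
@@ -174,4 +175,8 @@ in
 # Harmonia binary cache signing keys
 "secrets/harmonia/aomi-signing-key.age".publicKeys = users ++ [ aomi ];
 "secrets/harmonia/aion-signing-key.age".publicKeys = users ++ [ aion ];
+"secrets/harmonia/okinawa-signing-key.age".publicKeys = users ++ [ okinawa ];
+
+# SearXNG on sakhalin
+"secrets/sakhalin/searxng-secret-key.age".publicKeys = users ++ [ sakhalin ];
 }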
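Review bot: Adding `okinawa` to the host list at the top of this section only changes the rules — every existing `.age` file that list covers has to be re-encrypted (`agenix --rekey`) before okinawa can decrypt it, yet the commit's three changed files include no `.age` blobs, neither rekeyed ones nor the two new files referenced here (`okinawa-signing-key.age`, `searxng-secret-key.age`). If those landed in a separate commit that is fine; otherwise `ntfy-token` (which I infer is governed by that list, given the okinawa change) and the new secrets will fail to decrypt on first deploy. The list's head and the secret names it applies to are outside the hunk, so a one-line comment on it naming what it unlocks, e.g. `# hosts allowed to decrypt the shared ntfy token`, would make future recipient changes reviewable without opening the whole file.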