updated

2026-05-08 14:50:12 -04:00 · 2026-04-13 15:57:27 -04:00 · 2026-04-13 15:57:27 -04:00 · 6692807229
commit 6692807229
parent cb7d7d2476
6 changed files with 140 additions and 3 deletions
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@ -21,6 +21,8 @@ in
        CIDR ranges allowed to access private vhosts (LAN + WireGuard).
      '';
    };
+
+    searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
  };

  config = mkIf cfg.enable {
@ -28,6 +30,36 @@ in

    systemd.services.nginx.serviceConfig.LimitNOFILE = 65536;

+    environment.etc."fail2ban/filter.d/nginx-404.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 404
+      ignoreregex =
+    '';
+
+    environment.etc."fail2ban/filter.d/nginx-401.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 401
+      ignoreregex =
+    '';
+
+    services.fail2ban.jails.nginx-404 = ''
+      enabled   = true
+      filter    = nginx-404
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 10
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
+    services.fail2ban.jails.nginx-401 = ''
+      enabled   = true
+      filter    = nginx-401
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 5
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
    security.acme = {
      acceptTerms = true;
      defaults.email = config.user.email;
@ -71,6 +103,28 @@ in
        };
      };

+      virtualHosts."wg.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.modules.system.wstunnel.listenPort}";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+          '';
+        };
+      };
+
+      virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/".return = "404";
+        extraConfig = ''
+          include ${config.sops.templates."nginx-searxng-location.conf".path};
+        '';
+      };
+
      virtualHosts."chat.${domain}" = {
        useACMEHost = domain;
        forceSSL = true;
@ -87,7 +141,6 @@ in
        locations."/" = {
          proxyPass = "http://192.168.0.23:8000";
          proxyWebsockets = true;
-          extraConfig = privateAccessRules;
        };
      };

--- a/system/machines/server/modules/wireguard/default.nix
+++ b/system/machines/server/modules/wireguard/default.nix
@ -65,6 +65,7 @@ in

  config = mkIf cfg.enable {
    networking.firewall.allowedUDPPorts = [ cfg.listenPort ];
+    networking.firewall.trustedInterfaces = [ "wg0" ];
    networking.nat.internalInterfaces = mkAfter [ "wg0" ];

    systemd.tmpfiles.rules = [
--- a/system/machines/server/modules/wstunnel/default.nix
+++ b/system/machines/server/modules/wstunnel/default.nix
@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.wstunnel;
+in
+{
+  options.modules.system.wstunnel = {
+    enable = mkEnableOption "wstunnel WebSocket transport for WireGuard";
+
+    listenPort = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "Local port wstunnel server listens on (nginx proxies to this)";
+    };
+
+    wireguardPort = mkOption {
+      type = types.port;
+      default = 51820;
+      description = "Local WireGuard port to forward traffic to";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.wstunnel = {
+      description = "wstunnel WebSocket server for WireGuard transport";
+      after = [ "network.target" "wireguard-wg0.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.wstunnel}/bin/wstunnel server ws://127.0.0.1:${toString cfg.listenPort} --restrict-to 127.0.0.1:${toString cfg.wireguardPort}";
+        Restart = "on-failure";
+        RestartSec = 5;
+        DynamicUser = true;
+      };
+    };
+  };
+}
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@ -7,18 +7,38 @@
  modules.system.sops.enable = true;

  # Camera RTSP credentials (used by frigate/go2rtc)
-  sops.secrets = let cameras = { sopsFile = ../../../secrets/system/cameras.yaml; }; in {
+  sops.secrets = let
+    cameras = { sopsFile = ../../../secrets/system/cameras.yaml; };
+    searxng = { sopsFile = ../../../secrets/system/searxng.yaml; };
+  in {
    "RTSP_USER" = cameras;
    "RTSP_PASS" = cameras;
+    "SEARXNG_TOKEN" = searxng;
+  };
+
+  sops.templates."nginx-searxng-location.conf" = {
+    content = ''
+      location /${config.sops.placeholder."SEARXNG_TOKEN"}/ {
+        proxy_pass http://192.168.0.23:8080/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      }
+    '';
+    owner = "nginx";
  };

  modules.system = {
-    nginx.enable = true;
+    nginx = {
+      enable = true;
+      searxng.enable = true;
+    };
    sandpack.enable = true;
    forgejo.enable = true;
    frigate.enable = true;
    immich.enable = true;
    webdav.enable = false;
+    wstunnel.enable = true;
    wireguard = {
      enable = true;
      peers = [
@ -207,6 +227,11 @@
    enable = true;
    maxretry = 5;
    bantime = "1h";
+    ignoreIP = [
+      "127.0.0.1/8"
+      "192.168.0.0/24"
+      "10.8.0.0/24"
+    ];
  };

  services.openssh = {