updated

2026-05-08 14:50:12 -04:00 · 2026-04-13 15:57:27 -04:00 · 2026-04-13 15:57:27 -04:00 · 6692807229
commit 6692807229
parent cb7d7d2476
6 changed files with 140 additions and 3 deletions
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@ -7,18 +7,38 @@
  modules.system.sops.enable = true;

  # Camera RTSP credentials (used by frigate/go2rtc)
-  sops.secrets = let cameras = { sopsFile = ../../../secrets/system/cameras.yaml; }; in {
+  sops.secrets = let
+    cameras = { sopsFile = ../../../secrets/system/cameras.yaml; };
+    searxng = { sopsFile = ../../../secrets/system/searxng.yaml; };
+  in {
    "RTSP_USER" = cameras;
    "RTSP_PASS" = cameras;
+    "SEARXNG_TOKEN" = searxng;
+  };
+
+  sops.templates."nginx-searxng-location.conf" = {
+    content = ''
+      location /${config.sops.placeholder."SEARXNG_TOKEN"}/ {
+        proxy_pass http://192.168.0.23:8080/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      }
+    '';
+    owner = "nginx";
  };

  modules.system = {
-    nginx.enable = true;
+    nginx = {
+      enable = true;
+      searxng.enable = true;
+    };
    sandpack.enable = true;
    forgejo.enable = true;
    frigate.enable = true;
    immich.enable = true;
    webdav.enable = false;
+    wstunnel.enable = true;
    wireguard = {
      enable = true;
      peers = [
@ -207,6 +227,11 @@
    enable = true;
    maxretry = 5;
    bantime = "1h";
+    ignoreIP = [
+      "127.0.0.1/8"
+      "192.168.0.0/24"
+      "10.8.0.0/24"
+    ];
  };

  services.openssh = {