From 17590915e316a9bacd3195b7c2c200fdd10a2ec8 Mon Sep 17 00:00:00 2001
From: Rustam Efimov
Date: Sun, 12 Apr 2026 17:57:21 +0300
Subject: [PATCH 1/3] feat(users/rus07tam): remove openclaw
---
 users/rus07tam/hosts/velarion.nix | 4 +-
 users/rus07tam/modules/openclaw/default.nix | 6 ---
 users/rus07tam/modules/openclaw/secrets.nix | 6 ---
 users/rus07tam/modules/openclaw/service.nix | 48 ---------------------
 4 files changed, 1 insertion(+), 63 deletions(-)
 delete mode 100644 users/rus07tam/modules/openclaw/default.nix
 delete mode 100644 users/rus07tam/modules/openclaw/secrets.nix
 delete mode 100644 users/rus07tam/modules/openclaw/service.nix
diff --git a/users/rus07tam/hosts/velarion.nix b/users/rus07tam/hosts/velarion.nix
index b319a3e..e140d9d 100644
--- a/users/rus07tam/hosts/velarion.nix
+++ b/users/rus07tam/hosts/velarion.nix
@@ -1,5 +1,3 @@
 {
- imports = [
- ./../modules/openclaw
- ];
+ imports = [ ];
 }
diff --git a/users/rus07tam/modules/openclaw/default.nix b/users/rus07tam/modules/openclaw/default.nix
deleted file mode 100644
index 643132e..0000000
--- a/users/rus07tam/modules/openclaw/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./secrets.nix
- ./service.nix
- ];
-}
diff --git a/users/rus07tam/modules/openclaw/secrets.nix b/users/rus07tam/modules/openclaw/secrets.nix
deleted file mode 100644
index 16ffaf1..0000000
--- a/users/rus07tam/modules/openclaw/secrets.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- sops.secrets = {
- "rus07tam/openclaw/gatewayToken" = { };
- "rus07tam/openclaw/telegramToken" = { };
- };
-}
diff --git a/users/rus07tam/modules/openclaw/service.nix b/users/rus07tam/modules/openclaw/service.nix
deleted file mode 100644
index 2aaa8f8..0000000
--- a/users/rus07tam/modules/openclaw/service.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- sec,
- inputs,
- ...
-}: {
- imports = [
- inputs.nix-openclaw.homeManagerModules.openclaw
- ];
-
- programs.openclaw = {
- enable = true;
- installApp = false;
- systemd.enable = true;
-
- bundledPlugins = {
- summarize.enable = true;
- };
-
- instances.default = {
- enable = true;
- systemd.enable = true;
-
- config = {
- agents.defaults = {
- model.primary = "openrouter/qwen/qwen3-coder:free";
- sandbox.mode = "off";
- };
-
- gateway = {
- mode = "local";
- auth.token = sec."rus07tam/openclaw/gatewayToken".path;
- };
-
- channels.telegram = {
- tokenFile = sec."rus07tam/openclaw/telegramToken".path;
- allowFrom = [6146757977];
- groups = {
- "*" = {
- requireMention = true;
- };
- };
- };
-
- plugins.entries.telegram.enabled = true;
- };
- };
- };
-}
From 89c1059c9a5c93ffe2ba6a5cc13896e7e33d0b14 Mon Sep 17 00:00:00 2001
From: Rustam Efimov
Date: Sun, 12 Apr 2026 18:05:55 +0300
Subject: [PATCH 2/3] feat(modules): add searxng module
---
 services/searxng/default.nix | 8 ++
 services/searxng/firewall.nix | 39 ++++++++
 services/searxng/nginx.nix | 57 ++++++++++++
 services/searxng/options.nix | 17 ++++
 services/searxng/service.nix | 163 ++++++++++++++++++++++++++++++++++
 5 files changed, 284 insertions(+)
 create mode 100644 services/searxng/default.nix
 create mode 100644 services/searxng/firewall.nix
 create mode 100644 services/searxng/nginx.nix
 create mode 100644 services/searxng/options.nix
 create mode 100644 services/searxng/service.nix
diff --git a/services/searxng/default.nix b/services/searxng/default.nix
new file mode 100644
index 0000000..9a28810
--- /dev/null
+++ b/services/searxng/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./firewall.nix
+ ./nginx.nix
+ ./options.nix
+ ./service.nix
+ ];
+}
diff --git a/services/searxng/firewall.nix b/services/searxng/firewall.nix
new file mode 100644
index 0000000..df51a26
--- /dev/null
+++ b/services/searxng/firewall.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.machine.prosody)
+ enable
+ ;
+in
+with lib;
+mkIf enable {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # HTTP filer
+ 80
+ 443
+
+ # C2S
+ 5222
+ 5223
+
+ # S2S
+ 5269
+ 5270
+
+ # WebSockets / BOSH
+ 5280
+ 5281
+ ]
+ ++ concatLists (
+ with config.services.prosody;
+ [
+ httpPorts
+ httpsPorts
+ ]
+ );
+ };
+}
diff --git a/services/searxng/nginx.nix b/services/searxng/nginx.nix
new file mode 100644
index 0000000..254b1e1
--- /dev/null
+++ b/services/searxng/nginx.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.machine.prosody)
+ enable
+ domain
+ ;
+
+ localhost = "http://localhost:5280";
+in
+with lib;
+mkIf enable {
+ security.acme.certs."${domain}".extraDomainNames = [
+ "conference.${domain}"
+ "upload.${domain}"
+ ];
+ users.groups.acme.members = [
+ "prosody"
+ ];
+ services.nginx.virtualHosts =
+ with lib;
+ mkIf (domain != null) {
+ "${domain}".locations = {
+ "= /xmpp-websocket" = {
+ proxyPass = localhost;
+ proxyWebsockets = true;
+ };
+ "= /http-bind".proxyPass = localhost;
+ "/push".proxyPass = localhost;
+ "= /.well-known/host-meta".proxyPass = localhost;
+ "= /.well-known/host-meta.json".proxyPass = localhost;
+ };
+ "conference.${domain}" = {
+ http3 = true;
+ quic = true;
+ forceSSL = true;
+ kTLS = true;
+ useACMEHost = domain;
+ sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+ locations."/".proxyPass = localhost;
+ };
+ "upload.${domain}" = {
+ http3 = true;
+ quic = true;
+ forceSSL = true;
+ kTLS = true;
+ useACMEHost = domain;
+ sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+ locations."/".proxyPass = localhost;
+ };
+ };
+}
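Review bot: services/searxng/firewall.nix and services/searxng/nginx.nix in this patch are gated on `config.machine.prosody.enable` and configure XMPP ports and Prosody virtual hosts, nothing SearXNG-related. On a host with Prosody enabled this commit therefore adds those definitions a second time under the searxng module (for example `users.groups.acme.members` and the `extraDomainNames` list). PATCH 3/3 deletes both files, but anyone checking out or bisecting to this commit gets firewall and ACME settings that the commit message does not describe. Folding that deletion into this patch, or adding the files only once they are SearXNG-specific, keeps each commit's network exposure matching its description.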
diff --git a/services/searxng/options.nix b/services/searxng/options.nix
new file mode 100644
index 0000000..264de26
--- /dev/null
+++ b/services/searxng/options.nix
@@ -0,0 +1,17 @@
+{ lib, ... }:
+with lib;
+{
+ options.machine.searxng = {
+ enable = mkEnableOption "SearXNG";
+ domain = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Domain name. If not set, will be disabled, and use the localhost.";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 4000;
+ description = "Listen port.";
+ };
+ };
+}
diff --git a/services/searxng/service.nix b/services/searxng/service.nix
new file mode 100644
index 0000000..c5d6e4b
--- /dev/null
+++ b/services/searxng/service.nix
@@ -0,0 +1,163 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ cfg = config.machine.searxng;
+in
+with lib;
+mkIf enable {
+ services.searx = {
+ enable = true;
+ redisCreateLocally = true;
+
+ # Rate limiting
+ limiterSettings = {
+ real_ip = {
+ x_for = 1;
+ ipv4_prefix = 32;
+ ipv6_prefix = 56;
+ };
+
+ botdetection = {
+ ip_limit = {
+ filter_link_local = true;
+ link_token = true;
+ };
+ };
+ };
+
+ settings = {
+ # Instance settings
+ general = {
+ debug = false;
+ instance_name = "SearXNG Instance";
+ donation_url = false;
+ contact_url = false;
+ privacypolicy_url = false;
+ enable_metrics = false;
+ };
+
+ # User interface
+ ui = {
+ static_use_hash = true;
+ default_locale = "en";
+ query_in_title = true;
+ infinite_scroll = false;
+ center_alignment = true;
+ default_theme = "simple";
+ theme_args.simple_style = "auto";
+ search_on_category_select = false;
+ hotkeys = "vim";
+ };
+
+ # Search engine settings
+ search = {
+ safe_search = 2;
+ autocomplete_min = 2;
+ autocomplete = "duckduckgo";
+ ban_time_on_fail = 5;
+ max_ban_time_on_fail = 120;
+ };
+
+ # Server configuration
+ server = {
+ base_url = cfg.domain != null ? "https://${cfg.domain}" : null;
+ port = cfg.port;
+ bind_address = "127.0.0.1";
+ limiter = true;
+ public_instance = true;
+ image_proxy = true;
+ method = "GET";
+ };
+
+ # Search engines
+ engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
+ "duckduckgo".disabled = true;
+ "brave".disabled = true;
+ "bing".disabled = false;
+ "mojeek".disabled = true;
+ "mwmbl".disabled = false;
+ "mwmbl".weight = 0.4;
+ "qwant".disabled = true;
+ "crowdview".disabled = false;
+ "crowdview".weight = 0.5;
+ "curlie".disabled = true;
+ "ddg definitions".disabled = false;
+ "ddg definitions".weight = 2;
+ "wikibooks".disabled = false;
+ "wikidata".disabled = false;
+ "wikiquote".disabled = true;
+ "wikisource".disabled = true;
+ "wikispecies".disabled = false;
+ "wikispecies".weight = 0.5;
+ "wikiversity".disabled = false;
+ "wikiversity".weight = 0.5;
+ "wikivoyage".disabled = false;
+ "wikivoyage".weight = 0.5;
+ "currency".disabled = true;
+ "dictzone".disabled = true;
+ "lingva".disabled = true;
+ "bing images".disabled = false;
+ "brave.images".disabled = true;
+ "duckduckgo images".disabled = true;
+ "google images".disabled = false;
+ "qwant images".disabled = true;
+ "1x".disabled = true;
+ "artic".disabled = false;
+ "deviantart".disabled = false;
+ "flickr".disabled = true;
+ "imgur".disabled = false;
+ "library of congress".disabled = false;
+ "material icons".disabled = true;
+ "material icons".weight = 0.2;
+ "openverse".disabled = false;
+ "pinterest".disabled = true;
+ "svgrepo".disabled = false;
+ "unsplash".disabled = false;
+ "wallhaven".disabled = false;
+ "wikicommons.images".disabled = false;
+ "yacy images".disabled = true;
+ "bing videos".disabled = false;
+ "brave.videos".disabled = true;
+ "duckduckgo videos".disabled = true;
+ "google videos".disabled = false;
+ "qwant videos".disabled = false;
+ "dailymotion".disabled = true;
+ "google play movies".disabled = true;
+ "invidious".disabled = true;
+ "odysee".disabled = true;
+ "peertube".disabled = false;
+ "piped".disabled = true;
+ "rumble".disabled = false;
+ "sepiasearch".disabled = false;
+ "vimeo".disabled = true;
+ "youtube".disabled = false;
+ "brave.news".disabled = true;
+ "google news".disabled = true;
+ };
+
+ # Outgoing requests
+ outgoing = {
+ request_timeout = 5.0;
+ max_request_timeout = 15.0;
+ pool_connections = 100;
+ pool_maxsize = 15;
+ enable_http2 = true;
+ };
+
+ # Enabled plugins
+ enabled_plugins = [
+ "Basic Calculator"
+ "Hash plugin"
+ "Tor check plugin"
+ "Open Access DOI rewrite"
+ "Hostnames plugin"
+ "Unit converter plugin"
+ "Tracker URL remover"
+ ];
+ };
+ };
+}
From 1c8bc1d422d8f8b200ceafcebde10ba13a418488 Mon Sep 17 00:00:00 2001
From: Rustam Efimov
Date: Sun, 12 Apr 2026 18:06:42 +0300
Subject: [PATCH 3/3] feat(hosts/velarion): enable SearXNG
---
 hosts/velarion/machine.nix | 6 ++++
 services/default.nix | 1 +
 services/searxng/default.nix | 3 +-
 services/searxng/firewall.nix | 39 ------------------------
 services/searxng/network.nix | 26 ++++++++++++++++
 services/searxng/nginx.nix | 57 -----------------------------------
 services/searxng/options.nix | 2 +-
 7 files changed, 35 insertions(+), 99 deletions(-)
 delete mode 100644 services/searxng/firewall.nix
 create mode 100644 services/searxng/network.nix
 delete mode 100644 services/searxng/nginx.nix
diff --git a/hosts/velarion/machine.nix b/hosts/velarion/machine.nix
index d438145..145b0e6 100644
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@@ -51,6 +51,7 @@ in
 matrix = ns1;
 chat = ns1;
 turn = ns1;
+ search = ns1;
 };
 TXT = [
@@ -136,6 +137,11 @@ in
 enable = true;
 domain = "roundcube.${domain}";
 };
+ searxng = {
+ enable = true;
+ domain = "search.${domain}";
+ port = 8888;
+ };
 synapse = {
 enable = true;
 element = {
diff --git a/services/default.nix b/services/default.nix
index 8760ef3..410d70f 100644
--- a/services/default.nix
+++ b/services/default.nix
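Review bot: `mkIf enable {` at the top of services/searxng/service.nix uses a name the `let` block never binds (only `cfg` is defined), so under `with lib;` it resolves only if `lib` has an `enable` attribute, which I would not expect; it should read `mkIf cfg.enable {`. services/searxng/network.nix in PATCH 3/3 has the same line and needs the same change. Separately, `settings.server` sets `public_instance = true` and `image_proxy = true`, but no `secret_key` is visible in this hunk. SearXNG signs image-proxy URLs with that key, so unless it is supplied elsewhere it should come from a secret kept outside the Nix store (the repository already uses sops) through `services.searx.environmentFile`, not from a default or a literal in this file.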
@@ -15,6 +15,7 @@
 ./prosody
 ./redis
 ./roundcube
+ ./searxng
 ./synapse
 ./uptime-kuma
 ./vaultwarden
diff --git a/services/searxng/default.nix b/services/searxng/default.nix
index 9a28810..16b18a3 100644
--- a/services/searxng/default.nix
+++ b/services/searxng/default.nix
@@ -1,7 +1,6 @@
 {
 imports = [
- ./firewall.nix
- ./nginx.nix
+ ./network.nix
 ./options.nix
 ./service.nix
 ];
diff --git a/services/searxng/firewall.nix b/services/searxng/firewall.nix
deleted file mode 100644
index df51a26..0000000
--- a/services/searxng/firewall.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (config.machine.prosody)
- enable
- ;
-in
-with lib;
-mkIf enable {
- networking.firewall = {
- allowedTCPPorts = [
- # HTTP filer
- 80
- 443
-
- # C2S
- 5222
- 5223
-
- # S2S
- 5269
- 5270
-
- # WebSockets / BOSH
- 5280
- 5281
- ]
- ++ concatLists (
- with config.services.prosody;
- [
- httpPorts
- httpsPorts
- ]
- );
- };
-}
diff --git a/services/searxng/network.nix b/services/searxng/network.nix
new file mode 100644
index 0000000..d7953f5
--- /dev/null
+++ b/services/searxng/network.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.machine.searxng;
+in
+with lib;
+mkIf enable {
+ networking.firewall = {
+ allowedTCPPorts = [ cfg.port ];
+ };
+
+ services.nginx.virtualHosts =
+ mkIf (cfg.domain != null) {
+ "${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/services/searxng/nginx.nix b/services/searxng/nginx.nix
deleted file mode 100644
index 254b1e1..0000000
--- a/services/searxng/nginx.nix
+++ /dev/null
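Review bot: `proxyPass = "http://[::1]:${toString cfg.port}";` in services/searxng/network.nix points nginx at the IPv6 loopback, while service.nix from PATCH 2/3 sets `bind_address = "127.0.0.1"`, so the upstream would most likely have nothing listening; `proxyPass = "http://127.0.0.1:${toString cfg.port}";` matches the bind address. `allowedTCPPorts = [ cfg.port ];` also opens the backend port in the firewall although the service is meant to be reached only through the TLS virtual host. That is harmless only while the bind address stays on loopback; if the port ever became directly reachable, the limiter's `real_ip.x_for = 1` would presumably trust a client-supplied X-Forwarded-For header. I would drop the firewall entry here and leave 80/443 to the nginx module.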
@@ -1,57 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (config.machine.prosody)
- enable
- domain
- ;
-
- localhost = "http://localhost:5280";
-in
-with lib;
-mkIf enable {
- security.acme.certs."${domain}".extraDomainNames = [
- "conference.${domain}"
- "upload.${domain}"
- ];
- users.groups.acme.members = [
- "prosody"
- ];
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}".locations = {
- "= /xmpp-websocket" = {
- proxyPass = localhost;
- proxyWebsockets = true;
- };
- "= /http-bind".proxyPass = localhost;
- "/push".proxyPass = localhost;
- "= /.well-known/host-meta".proxyPass = localhost;
- "= /.well-known/host-meta.json".proxyPass = localhost;
- };
- "conference.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
- };
- "upload.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
- };
- };
-}
diff --git a/services/searxng/options.nix b/services/searxng/options.nix
index 264de26..9823334 100644
--- a/services/searxng/options.nix
+++ b/services/searxng/options.nix
@@ -10,7 +10,7 @@ with lib;
 };
 port = mkOption {
 type = types.port;
- default = 4000;
+ default = 8888;
 description = "Listen port.";
 };
 };