feat: added basic structure for searXNG and netdata

2025-07-02 12:45:23 +02:00 · 2025-07-02 12:45:23 +02:00 · aa607747c3
commit aa607747c3
parent fa5de8f1bb
8 changed files with 1357 additions and 57 deletions
--- a/modules/services/README-SearXNG.md
+++ b/modules/services/README-SearXNG.md
@ -0,0 +1,303 @@
+# SearXNG Service Configuration Guide
+
+## Overview
+
+This module provides a secure, privacy-focused SearXNG metasearch engine configuration designed for home lab environments. Key features include:
+
+- **Privacy-first**: No query logging, private instance settings
+- **Network Security**: Only accessible from Tailscale VPN network
+- **Reverse Proxy**: Uses your reverse-proxy machine for outbound traffic
+- **Security Hardening**: Systemd security restrictions, Content Security Policy headers
+- **Easy Configuration**: Simple NixOS module with sensible defaults
+
+## Architecture
+
+```
+[Client on Tailscale] 
+    ↓ (HTTP/HTTPS)
+[SearXNG Service] 
+    ↓ (Search requests via HTTP proxy)
+[Reverse Proxy] 
+    ↓ (Outbound to internet)
+[Search Engines]
+```
+
+## Configuration
+
+### Basic Setup
+
+Add to your machine's `configuration.nix`:
+
+```nix
+{
+  imports = [ ../../modules/services/SearXNG.nix ];
+  
+  services.searxng-lab = {
+    enable = true;
+    hostName = "searxng.your-lab.internal";
+    reverseProxyHost = "reverse-proxy";  # Your reverse proxy hostname
+  };
+}
+```
+
+### Advanced Configuration
+
+```nix
+{
+  services.searxng-lab = {
+    enable = true;
+    hostName = "search.lab.local";
+    port = 8888;                    # SearXNG backend port
+    reverseProxyHost = "proxy.lab.local";
+    reverseProxyPort = 3128;        # HTTP proxy port
+    openFirewall = true;            # Open port 80 for HTTP access
+    tailscaleOnly = true;           # Restrict to Tailscale network
+    nginxVhost = true;              # Create Nginx reverse proxy
+  };
+}
+```
+
+## Reverse Proxy Configuration
+
+Your reverse-proxy machine needs to provide HTTP proxy functionality. Add this to your reverse-proxy configuration:
+
+```nix
+# On reverse-proxy machine
+services.squid = {
+  enable = true;
+  configText = ''
+    # Basic proxy configuration
+    http_port 3128
+    
+    # Allow connections from your home lab network
+    acl homelab src 192.168.1.0/24
+    acl homelab src 100.0.0.0/8  # Tailscale network
+    
+    # Allow CONNECT for HTTPS
+    acl CONNECT method CONNECT
+    acl SSL_ports port 443
+    
+    # Access rules
+    http_access allow homelab
+    http_access deny all
+    
+    # Don't log for privacy
+    access_log none
+    
+    # Hide client IP from destination servers
+    forwarded_for delete
+  '';
+};
+
+# Open firewall for proxy
+networking.firewall.allowedTCPPorts = [ 3128 ];
+```
+
+## Network Access
+
+### Tailscale Setup
+
+Ensure Tailscale is configured on both the SearXNG host and client machines:
+
+```nix
+# On SearXNG host and client machines
+services.tailscale.enable = true;
+```
+
+### DNS Configuration
+
+Add hostname resolution to your machines:
+
+```nix
+networking.hosts = {
+  "100.x.x.x" = [ "searxng.lab.local" ];  # Replace with actual Tailscale IP
+};
+```
+
+## Security Features
+
+### Network Restrictions
+
+- Only accepts connections from Tailscale network (100.0.0.0/8)
+- Nginx access controls deny non-Tailscale traffic
+- Systemd IPAddressAllow/Deny for service-level restrictions
+
+### Privacy Protection
+
+- No query logging enabled
+- Private instance (not listed publicly)
+- Rate limiting to prevent abuse
+- Secure headers (CSP, HSTS, etc.)
+
+### Systemd Hardening
+
+- NoNewPrivileges: Prevents privilege escalation
+- PrivateTmp: Isolated temporary directory
+- ProtectSystem: Read-only system directories
+- RestrictAddressFamilies: Only IPv4/IPv6 allowed
+
+## Usage
+
+1. **Deploy the Configuration**:
+
+   ```bash
+   nixos-rebuild switch
+   ```
+
+2. **Check Service Status**:
+
+   ```bash
+   systemctl status searxng
+   systemctl status nginx
+   ```
+
+3. **Access the Interface**:
+   Navigate to `http://searxng.lab.local` from a Tailscale-connected device
+
+4. **Test Search**:
+   Try searching for something to verify it works and uses the proxy
+
+## Troubleshooting
+
+### Check Service Logs
+
+```bash
+journalctl -u searxng -f
+journalctl -u nginx -f
+```
+
+### Test Network Connectivity
+
+```bash
+# Test if SearXNG is running
+curl -s http://localhost:8888 | head
+
+# Test proxy connectivity from SearXNG host
+curl -x http://reverse-proxy:3128 http://httpbin.org/ip
+
+# Test Tailscale connectivity
+ping 100.x.x.x  # Replace with your Tailscale IP
+```
+
+### Verify Proxy Usage
+
+Check that searches go through your reverse proxy by monitoring its logs:
+
+```bash
+# On reverse-proxy machine
+journalctl -u squid -f
+```
+
+### Debug Network Access
+
+```bash
+# Test access restriction
+curl -H "Host: searxng.lab.local" http://your-tailscale-ip/
+
+# Check Nginx access logs
+tail -f /var/log/nginx/access.log
+```
+
+## Customization
+
+### Search Engines
+
+Modify the `searxngSettings` in the module to enable/disable specific search engines:
+
+```nix
+# In the module configuration
+engines = [
+  {
+    name = "google";
+    disabled = false;
+  }
+  {
+    name = "bing"; 
+    disabled = true;
+  }
+];
+```
+
+### Themes and UI
+
+Change the UI theme and settings:
+
+```nix
+ui = {
+  default_theme = "oscar";  # Other options: simple, oscar, pix-art
+  infinite_scroll = true;
+  center_alignment = true;
+};
+```
+
+### Rate Limiting
+
+Adjust rate limiting settings:
+
+```nix
+server = {
+  limiter = true;
+  public_instance = false;
+  method = "POST";
+};
+```
+
+## Integration with Other Services
+
+### Monitoring
+
+Add Prometheus monitoring (optional):
+
+```nix
+services.prometheus.exporters.nginx.enable = true;
+services.prometheus.scrapeConfigs = [
+  {
+    job_name = "searxng";
+    static_configs = [
+      { targets = [ "localhost:8888" ]; }
+    ];
+  }
+];
+```
+
+### Backup
+
+Include SearXNG data in your backup strategy:
+
+```nix
+# Add to your backup configuration
+"/var/lib/searxng"
+```
+
+## Security Considerations
+
+1. **Keep Updated**: Regularly update SearXNG package
+2. **Monitor Access**: Review Nginx access logs periodically  
+3. **Proxy Security**: Ensure reverse proxy is properly secured
+4. **Tailscale Security**: Use Tailscale ACLs to further restrict access
+5. **Instance Privacy**: Never expose this instance publicly
+
+## Performance Tuning
+
+### For High Usage
+
+```nix
+# Increase worker processes
+systemd.services.searxng.serviceConfig.MemoryMax = "1G";
+
+# Nginx caching
+services.nginx.virtualHosts."searxng.lab.local".locations."/static/" = {
+  expires = "1d";
+  extraConfig = "add_header Cache-Control public;";
+};
+```
+
+### For Low Resources
+
+```nix
+# Reduce memory usage
+systemd.services.searxng.serviceConfig.MemoryMax = "256M";
+
+# Disable image proxy if not needed
+server.image_proxy = false;
+```