geir/home-lab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: added basic structure for searXNG and netdata

Browse source
This commit is contained in:
Geir Okkenhaug Jerstad 2025-07-02 12:45:23 +02:00
parent fa5de8f1bb
commit aa607747c3
8 changed files with 1357 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

270
.taskmaster/tasks/tasks.json
View file

@ -802,6 +802,274 @@
"testStrategy": "Run tests using a testing framework compatible with Guile Scheme." "testStrategy": "Run tests using a testing framework compatible with Guile Scheme."
} }
] ]
},
{
"id": 32,
"title": "Implement Netdata Monitoring Infrastructure",
"description": "Set up Netdata monitoring infrastructure for home lab based on research findings, including parent-child architecture with grey-area as the parent node, deploying children on other machines, configuring streaming, and setting up basic alerting.",
"details": "1. **Install Netdata**: Begin by installing Netdata on all relevant machines in the home lab environment.\n2. **Configure Parent-Child Architecture**: Set up grey-area as the parent node and configure child nodes to stream data to it.\n3. **Deploy Children**: Deploy Netdata children on other machines, ensuring they are correctly configured to send data to the parent node.\n4. **Configure Streaming**: Configure streaming settings in Netdata to ensure data is efficiently transferred from child nodes to the parent node.\n5. **Set Up Basic Alerting**: Implement basic alerting mechanisms within Netdata to monitor critical metrics and notify administrators of any issues.",
"testStrategy": "1. Verify that Netdata is installed on all relevant machines.\n2. Check that grey-area is correctly configured as the parent node.\n3. Ensure that child nodes are streaming data to the parent node.\n4. Test alerting mechanisms for critical metrics.\n5. Perform performance benchmarking to ensure data transfer rates meet expectations.",
"status": "pending",
"dependencies": [
1,
6
],
"priority": "high",
"subtasks": [
{
"id": 1,
"title": "Install Netdata on all relevant machines",
"description": "Ensure Netdata is installed on each machine in the home lab environment.",
"dependencies": [],
"details": "Use the official installation script or package manager for Netdata. Verify installation on each machine.",
"status": "pending",
"testStrategy": "Check if Netdata service is running and accessible via web interface."
},
{
"id": 2,
"title": "Configure grey-area as parent node",
"description": "Set up the grey-area machine to act as the parent node in the Netdata architecture.",
"dependencies": [
1
],
"details": "Edit the Netdata configuration file on the grey-area machine to enable parent-node mode. Restart Netdata service.",
"status": "pending",
"testStrategy": "Verify that the grey-area machine is listed as a parent node in the Netdata web interface."
},
{
"id": 3,
"title": "Deploy children on other machines",
"description": "Install and configure Netdata on other machines to act as child nodes.",
"dependencies": [
1
],
"details": "Follow the same installation steps as for the parent node. Configure each child machine to stream data to the grey-area parent node.",
"status": "pending",
"testStrategy": "Check that each child node is listed under the grey-area in the Netdata web interface."
},
{
"id": 4,
"title": "Configure streaming settings",
"description": "Set up streaming configurations in Netdata to ensure data transfer from child nodes to the parent node.",
"dependencies": [
3
],
"details": "Edit the Netdata configuration files on both parent and child machines. Configure the necessary parameters for streaming.",
"status": "pending",
"testStrategy": "Monitor network traffic between parent and child nodes to ensure data is being transferred."
},
{
"id": 5,
"title": "Set up basic alerting mechanisms",
"description": "Implement basic alerting within Netdata to monitor critical metrics and notify administrators of issues.",
"dependencies": [
1
],
"details": "Configure alerting rules in the Netdata configuration file. Choose appropriate thresholds for monitoring key metrics.",
"status": "pending",
"testStrategy": "Simulate a scenario that triggers an alert and verify that notifications are received as expected."
},
{
"id": 6,
"title": "Verify overall functionality",
"description": "Test the entire Netdata monitoring infrastructure to ensure it is working as intended.",
"dependencies": [
2,
3,
4,
5
],
"details": "Check all parent and child nodes for correct data streaming. Simulate various scenarios to test alerting mechanisms.",
"status": "pending",
"testStrategy": "Review logs and notifications from Netdata to confirm that everything is functioning correctly."
}
]
},
{
"id": 33,
"title": "Create NixOS Modules for Netdata Deployment",
"description": "Develop NixOS modules to integrate Netdata across all machines in the home lab, including configuration templates for parent and child nodes, firewall rules, and service definitions.",
"details": "1. **Parent Node Module**: Create a NixOS module for the parent Netdata node that includes configuration settings for streaming data from child nodes.\n2. **Child Node Module**: Develop a NixOS module for child Netdata nodes that specifies how to send data to the parent node.\n3. **Firewall Rules**: Define firewall rules in NixOS to allow communication between parent and child Netdata instances.\n4. **Service Definitions**: Write service definitions to ensure Netdata services are started and managed declaratively through NixOS.\n5. **Configuration Templates**: Provide configuration templates for both parent and child nodes that can be customized as needed.",
"testStrategy": "1. **Unit Testing**: Test individual components of the NixOS modules to ensure they function correctly in isolation.\n2. **Integration Testing**: Perform integration testing by deploying Netdata on a simulated home lab environment with parent and child nodes.\n3. **Validation**: Verify that data is being streamed from child nodes to the parent node as expected.\n4. **Performance Testing**: Benchmark the performance of the Netdata setup under various load conditions.\n5. **Documentation Review**: Ensure all configuration templates and documentation are accurate and complete.",
"status": "pending",
"dependencies": [
1,
6
],
"priority": "medium",
"subtasks": [
{
"id": 1,
"title": "Create Parent Node Module",
"description": "Develop a NixOS module specifically for the parent Netdata node, including configuration settings for data streaming from child nodes.",
"dependencies": [],
"details": "Use Nix expressions to define the module. Include options for configuring Netdata's streaming capabilities and firewall rules.",
"status": "pending",
"testStrategy": "Manually test the module on a development machine by deploying it and verifying that data streams correctly between parent and child nodes."
},
{
"id": 2,
"title": "Develop Child Node Module",
"description": "Create a NixOS module for child Netdata nodes, specifying how to send data to the parent node.",
"dependencies": [
1
],
"details": "Build on the parent node module. Define options for configuring Netdata's data submission settings and ensure it correctly connects to the parent node.",
"status": "pending",
"testStrategy": "Test the child node module in a controlled environment by deploying it and confirming that data is submitted to the parent node."
},
{
"id": 3,
"title": "Define Firewall Rules",
"description": "Create firewall rules in NixOS to allow communication between parent and child Netdata instances.",
"dependencies": [
1,
2
],
"details": "Use Nix expressions to define iptables or nftables rules that permit traffic on the necessary ports for Netdata communication.",
"status": "pending",
"testStrategy": "Simulate network conditions by blocking and unblocking ports and observe whether data flows correctly between parent and child nodes."
},
{
"id": 4,
"title": "Write Service Definitions",
"description": "Develop service definitions to ensure Netdata services are started and managed declaratively through NixOS.",
"dependencies": [
1,
2,
3
],
"details": "Create NixOS service units for both parent and child nodes. Ensure they correctly start Netdata and apply the necessary configurations.",
"status": "pending",
"testStrategy": "Restart the Netdata services on a test machine and verify that they are running with the correct settings and data flow."
},
{
"id": 5,
"title": "Provide Configuration Templates",
"description": "Create configuration templates for both parent and child nodes that can be customized as needed.",
"dependencies": [
1,
2,
3,
4
],
"details": "Generate template files with placeholders for customization. Ensure the templates are easily editable and compatible with NixOS's module system.",
"status": "pending",
"testStrategy": "Deploy the configuration templates on a test machine, make changes to verify they take effect, and ensure that Netdata functions as expected."
}
]
},
{
"id": 34,
"title": "Set up Netdata reverse proxy integration through grey-area machine",
"description": "Configure SSL termination, proper routing, and security settings to expose the Netdata monitoring dashboard securely via a reverse proxy.",
"details": "1. **Install Nginx**: Install Nginx on the grey-area machine if it's not already installed.\n2. **Configure Reverse Proxy**: Set up an Nginx configuration file to route requests from the external domain to the Netdata service running on the grey-area machine.\n3. **SSL Termination**: Obtain SSL certificates (e.g., via Let's Encrypt) and configure Nginx to terminate SSL connections, forwarding plain HTTP traffic to Netdata.\n4. **Security Configuration**: Ensure proper security configurations in Nginx, including restrictions on allowed IP addresses and enabling HSTS for added security.\n5. **Testing**: Verify that the reverse proxy is correctly routing requests, SSL termination is functioning, and the dashboard is accessible via the external domain.",
"testStrategy": "1. Test SSL termination by accessing the Netdata dashboard over HTTPS.\n2. Ensure that requests are being routed correctly to the Netdata service through Nginx.\n3. Verify that only authorized IP addresses can access the reverse proxy.\n4. Perform security audits and penetration testing to ensure no vulnerabilities exist.",
"status": "pending",
"dependencies": [
1,
33
],
"priority": "medium",
"subtasks": []
},
{
"id": 35,
"title": "Configure Netdata alerting and notification system with multiple channels including email, Discord, and potentially other notification methods",
"description": "Set up 400+ pre-configured alert templates, custom alert rules for home lab specific scenarios, and proper escalation procedures.",
"details": "1. **Install Required Packages**: Install necessary packages such as `netdata`, `mailutils` (for email), `discord-webhook` (for Discord), and any other required libraries or tools.\n2. **Configure Alert Channels**:\n - Configure email alerts by setting up SMTP credentials in Netdata configuration.\n - Set up Discord alerts by creating webhooks and configuring them in Netdata.\n3. **Create Pre-configured Alert Templates**: Develop 400+ pre-configured alert templates covering various scenarios specific to the home lab environment.\n4. **Define Custom Alert Rules**: Create custom alert rules tailored for home lab-specific metrics and conditions.\n5. **Implement Escalation Procedures**: Establish escalation procedures that trigger alerts based on severity levels and notify multiple recipients if necessary.",
"testStrategy": "1. Test email alerts by simulating a critical metric breach and verifying the email is received.\n2. Verify Discord webhook integration by triggering an alert and checking if it posts in the correct channel.\n3. Ensure all pre-configured templates are correctly applied and can be triggered manually.\n4. Simulate different severity levels of alerts to test escalation procedures.",
"status": "pending",
"dependencies": [
1,
32
],
"priority": "medium",
"subtasks": []
},
{
"id": 37,
"title": "Research and Evaluate Netdata's beta MCP (Model Context Protocol) server for AI integration",
"description": "Evaluate Netdata's beta MCP server for potential integration with the existing MCP infrastructure, focusing on its capabilities and compatibility.",
"details": "1. **Install Netdata**: Ensure Netdata is installed on a test machine in the home lab environment.\n2. **Configure Beta MCP Server**: Set up the Netdata beta MCP server and configure it according to documentation.\n3. **Test Capabilities**: Perform functional tests to evaluate the capabilities of the beta MCP server, including data collection, processing, and communication.\n4. **Integrate with Current Setup**: Plan and document the integration process with the existing TaskMaster AI and Context7 MCP setup for AI-powered monitoring insights.\n5. **Document Findings**: Compile a detailed report outlining the evaluation results, any limitations observed, and proposed next steps for integration.",
"testStrategy": "1. **Unit Testing**: Test individual components of the beta MCP server to ensure they function correctly.\n2. **Integration Testing**: Perform end-to-end testing with the existing TaskMaster AI and Context7 MCP setup to verify compatibility and data flow.\n3. **Performance Testing**: Benchmark the system under various load conditions to assess performance and scalability.\n4. **Security Review**: Conduct a security audit to identify any potential vulnerabilities or risks associated with integrating the beta MCP server.",
"status": "pending",
"dependencies": [
1,
6
],
"priority": "high",
"subtasks": [
{
"id": 1,
"title": "Install Netdata on Test Machine",
"description": "Ensure Netdata is installed on a test machine in the home lab environment.",
"dependencies": [],
"details": "Download the latest version of Netdata from their official website. Follow the installation instructions provided for your operating system.",
"status": "pending",
"testStrategy": ""
},
{
"id": 2,
"title": "Configure Beta MCP Server",
"description": "Set up the Netdata beta MCP server and configure it according to documentation.",
"dependencies": [
1
],
"details": "Access the Netdata configuration files and set up the MCP server parameters as per the provided documentation. Ensure all necessary plugins and modules are enabled.",
"status": "pending",
"testStrategy": ""
},
{
"id": 3,
"title": "Test Capabilities of Beta MCP Server",
"description": "Perform functional tests to evaluate the capabilities of the beta MCP server, including data collection, processing, and communication.",
"dependencies": [
2
],
"details": "Create test scenarios that cover data collection from various sources, processing of data, and communication between Netdata and other systems. Use tools like `netcat` or custom scripts to simulate different network conditions.",
"status": "pending",
"testStrategy": ""
},
{
"id": 4,
"title": "Integrate with Current Setup",
"description": "Plan and document the integration process with the existing TaskMaster AI and Context7 MCP setup for AI-powered monitoring insights.",
"dependencies": [
3
],
"details": "Develop a plan to integrate Netdata's beta MCP server with the current infrastructure, including any necessary API calls or data formats. Document all steps and configurations required for successful integration.",
"status": "pending",
"testStrategy": ""
}
]
},
{
"id": 38,
"title": "Develop Custom Web Dashboard Integration Using Netdata's REST API",
"description": "Integrate Netdata's REST API into a unified monitoring interface for real-time data visualization and multi-node monitoring.",
"details": "1. **Understand API Endpoints**: Review the comprehensive API documentation provided by Netdata to identify necessary endpoints for real-time data retrieval.\n2. **Design Dashboard Layout**: Create a layout that includes custom widgets, real-time data visualizations, and sections for multi-node monitoring.\n3. **Implement Data Fetching**: Develop code to fetch data from Netdata's REST API using HTTP requests.\n4. **Integrate with Web Framework**: Use the Artanis web framework to create routes and views that display the fetched data in a user-friendly manner.\n5. **Real-Time Updates**: Implement WebSocket or Server-Sent Events (SSE) to enable real-time updates on the dashboard.\n6. **Testing**: Write unit tests for API calls, integration tests for fetching and displaying data, and end-to-end tests for the entire dashboard functionality.",
"testStrategy": "1. **Unit Testing**: Test individual functions that handle API requests and data parsing.\n2. **Integration Testing**: Ensure that data is fetched correctly from Netdata's REST API and displayed on the dashboard.\n3. **End-to-End Testing**: Simulate user interactions with the dashboard to verify real-time updates and overall functionality.",
"status": "pending",
"dependencies": [
22
],
"priority": "medium",
"subtasks": []
},
{
"id": 39,
"title": "Integrate Netdata's Built-in ML Capabilities with MCP-based AI Infrastructure",
"description": "Integrate Netdata's built-in machine learning capabilities with the MCP-based AI infrastructure to create natural language queries for infrastructure metrics, automated root cause analysis, and intelligent alerting with AI-generated insights.",
"details": "1. **Install Required Packages**: Ensure all necessary packages are installed on the system where Netdata is running, including any required libraries or tools for machine learning integration.\n2. **Configure Netdata for ML Integration**: Modify Netdata's configuration to enable and configure its built-in machine learning capabilities.\n3. **Develop Natural Language Queries**: Implement code to generate natural language queries based on infrastructure metrics using Netdata's ML models.\n4. **Automated Root Cause Analysis**: Integrate Netdata's ML algorithms with the MCP-based AI infrastructure to perform automated root cause analysis for issues detected in the infrastructure.\n5. **Intelligent Alerting**: Develop intelligent alerting mechanisms that use AI-generated insights from Netdata's ML capabilities to provide more accurate and actionable alerts.\n6. **Testing and Validation**: Thoroughly test each component of the integration, including natural language query generation, root cause analysis, and alerting, to ensure they function correctly and meet the project requirements.",
"testStrategy": "1. **Unit Testing**: Write unit tests for each function or module developed during the integration process to verify their correctness.\n2. **Integration Testing**: Perform end-to-end testing to ensure that all components of the integration work together seamlessly.\n3. **Performance Testing**: Benchmark the performance of the integrated system, including natural language query generation time, root cause analysis accuracy, and alerting response time.\n4. **Validation**: Validate the functionality of the integrated system by simulating various scenarios and verifying that the correct actions are taken based on AI-generated insights.",
"status": "pending",
"dependencies": [
1,
32
],
"priority": "medium",
"subtasks": []
} }
], ],
"metadata": { "metadata": {
@ -815,7 +1083,7 @@
"home-lab", "home-lab",
"nixos" "nixos"
], ],
"updated": "2025-06-18T18:24:41.608Z" "updated": "2025-07-01T14:15:45.970Z"
} }
} }
} }

6
flake.lock generated
View file

@ -54,11 +54,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1751011381, "lastModified": 1751271578,
"narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
"type": "github" "type": "github"
}, },
"original": { "original": {

7
machines/little-rascal/configuration.nix
View file

@ -34,9 +34,9 @@
../../modules/users/shell-aliases.nix ../../modules/users/shell-aliases.nix
# Virtualization # Virtualization
../../modules/virtualization/libvirt.nix # ../../modules/virtualization/libvirt.nix
../../modules/virtualization/incus.nix # ../../modules/virtualization/incus.nix
../../modules/virtualization/podman.nix # ../../modules/virtualization/podman.nix
# Audio # Audio
../../modules/sound/pipewire.nix ../../modules/sound/pipewire.nix
@ -104,7 +104,6 @@
# Essential services # Essential services
tailscale.enable = true; tailscale.enable = true;
blueman.enable = true; blueman.enable = true;
printing.enable = true;
# Firmware updates # Firmware updates
fwupd.enable = true; fwupd.enable = true;

60
machines/little-rascal/hardware-configuration.nix
View file

@ -29,25 +29,12 @@
}; };
kernelModules = [ kernelModules = [
"kvm-amd" # AMD Ryzen system "kvm-amd"
# HID and input modules for touchpad "amdgpu"
"hid_generic"
"hid_multitouch"
"i2c_hid"
"i2c_hid_acpi"
# Additional HID drivers that might help
"hid_input"
"evdev"
]; ];
# Use LTS kernel for better hardware compatibility
kernelPackages = pkgs.linuxPackages_5_15;
extraModulePackages = []; extraModulePackages = [];
}; };
# Filesystem configuration - TEMPLATE
# Update these paths and UUIDs after running nixos-generate-config
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
@ -61,12 +48,6 @@
}; };
}; };
# Swap configuration - TEMPLATE
# Uncomment and update if using swap partition
# swapDevices = [
# { device = "/dev/disk/by-uuid/REPLACE-WITH-SWAP-UUID"; }
# ];
# Hardware-specific configuration for Lenovo Yoga Slim 7 14ARE05 # Hardware-specific configuration for Lenovo Yoga Slim 7 14ARE05
hardware = { hardware = {
# CPU configuration - AMD Ryzen 7 4700U # CPU configuration - AMD Ryzen 7 4700U
@ -75,19 +56,9 @@
# Enable firmware updates # Enable firmware updates
enableRedistributableFirmware = true; enableRedistributableFirmware = true;
# Graphics configuration - AMD Radeon Vega (integrated)
# Using open source driver without ROCm and 32-bit support
graphics = { graphics = {
enable = true; enable = true;
enable32Bit = false; # Disabled 32-bit support enable32Bit = false;
# AMD open source graphics drivers only
extraPackages = with pkgs; [
amdvlk # AMD Vulkan driver
# Removed ROCm packages for simpler configuration
];
# No 32-bit support packages needed
}; };
# Bluetooth support for Intel AX200 # Bluetooth support for Intel AX200
@ -118,27 +89,18 @@
linux-firmware linux-firmware
]; ];
# AMD-specific optimizations
boot.kernelParams = [ boot.kernelParams = [
# Enable AMD graphics performance
"amdgpu.ppfeaturemask=0xffffffff"
# I2C HID touchpad parameters
"i2c_hid.debug=1"
# Ensure ACPI devices are properly detected
"acpi_enforce_resources=lax"
# Force ITE touchpad to be recognized as input device
"i2c_hid_acpi.probe_defer=1"
]; ];
# TLP for better power management (alternative to power-profiles-daemon) # TLP for better power management (alternative to power-profiles-daemon)
services.tlp = { # services.tlp = {
enable = false; # Using power-profiles-daemon instead # enable = false; # Using power-profiles-daemon instead
settings = { # settings = {
# Would be configured here if enabled # # Would be configured here if enabled
CPU_SCALING_GOVERNOR_ON_AC = "performance"; # CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; # CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
}; # };
}; # };
# Notes for this specific hardware: # Notes for this specific hardware:
# - Lenovo Yoga Slim 7 14ARE05 # - Lenovo Yoga Slim 7 14ARE05

303
modules/services/README-SearXNG.md Normal file
View file

@ -0,0 +1,303 @@
# SearXNG Service Configuration Guide
## Overview
This module provides a secure, privacy-focused SearXNG metasearch engine configuration designed for home lab environments. Key features include:
- **Privacy-first**: No query logging, private instance settings
- **Network Security**: Only accessible from Tailscale VPN network
- **Reverse Proxy**: Uses your reverse-proxy machine for outbound traffic
- **Security Hardening**: Systemd security restrictions, Content Security Policy headers
- **Easy Configuration**: Simple NixOS module with sensible defaults
## Architecture
```
[Client on Tailscale]
↓ (HTTP/HTTPS)
[SearXNG Service]
↓ (Search requests via HTTP proxy)
[Reverse Proxy]
↓ (Outbound to internet)
[Search Engines]
```
## Configuration
### Basic Setup
Add to your machine's `configuration.nix`:
```nix
{
imports = [ ../../modules/services/SearXNG.nix ];
services.searxng-lab = {
enable = true;
hostName = "searxng.your-lab.internal";
reverseProxyHost = "reverse-proxy"; # Your reverse proxy hostname
};
}
```
### Advanced Configuration
```nix
{
services.searxng-lab = {
enable = true;
hostName = "search.lab.local";
port = 8888; # SearXNG backend port
reverseProxyHost = "proxy.lab.local";
reverseProxyPort = 3128; # HTTP proxy port
openFirewall = true; # Open port 80 for HTTP access
tailscaleOnly = true; # Restrict to Tailscale network
nginxVhost = true; # Create Nginx reverse proxy
};
}
```
## Reverse Proxy Configuration
Your reverse-proxy machine needs to provide HTTP proxy functionality. Add this to your reverse-proxy configuration:
```nix
# On reverse-proxy machine
services.squid = {
enable = true;
configText = ''
# Basic proxy configuration
http_port 3128
# Allow connections from your home lab network
acl homelab src 192.168.1.0/24
acl homelab src 100.0.0.0/8 # Tailscale network
# Allow CONNECT for HTTPS
acl CONNECT method CONNECT
acl SSL_ports port 443
# Access rules
http_access allow homelab
http_access deny all
# Don't log for privacy
access_log none
# Hide client IP from destination servers
forwarded_for delete
'';
};
# Open firewall for proxy
networking.firewall.allowedTCPPorts = [ 3128 ];
```
## Network Access
### Tailscale Setup
Ensure Tailscale is configured on both the SearXNG host and client machines:
```nix
# On SearXNG host and client machines
services.tailscale.enable = true;
```
### DNS Configuration
Add hostname resolution to your machines:
```nix
networking.hosts = {
"100.x.x.x" = [ "searxng.lab.local" ]; # Replace with actual Tailscale IP
};
```
## Security Features
### Network Restrictions
- Only accepts connections from Tailscale network (100.0.0.0/8)
- Nginx access controls deny non-Tailscale traffic
- Systemd IPAddressAllow/Deny for service-level restrictions
### Privacy Protection
- No query logging enabled
- Private instance (not listed publicly)
- Rate limiting to prevent abuse
- Secure headers (CSP, HSTS, etc.)
### Systemd Hardening
- NoNewPrivileges: Prevents privilege escalation
- PrivateTmp: Isolated temporary directory
- ProtectSystem: Read-only system directories
- RestrictAddressFamilies: Only IPv4/IPv6 allowed
## Usage
1. **Deploy the Configuration**:
```bash
nixos-rebuild switch
```
2. **Check Service Status**:
```bash
systemctl status searxng
systemctl status nginx
```
3. **Access the Interface**:
Navigate to `http://searxng.lab.local` from a Tailscale-connected device
4. **Test Search**:
Try searching for something to verify it works and uses the proxy
## Troubleshooting
### Check Service Logs
```bash
journalctl -u searxng -f
journalctl -u nginx -f
```
### Test Network Connectivity
```bash
# Test if SearXNG is running
curl -s http://localhost:8888 | head
# Test proxy connectivity from SearXNG host
curl -x http://reverse-proxy:3128 http://httpbin.org/ip
# Test Tailscale connectivity
ping 100.x.x.x # Replace with your Tailscale IP
```
### Verify Proxy Usage
Check that searches go through your reverse proxy by monitoring its logs:
```bash
# On reverse-proxy machine
journalctl -u squid -f
```
### Debug Network Access
```bash
# Test access restriction
curl -H "Host: searxng.lab.local" http://your-tailscale-ip/
# Check Nginx access logs
tail -f /var/log/nginx/access.log
```
## Customization
### Search Engines
Modify the `searxngSettings` in the module to enable/disable specific search engines:
```nix
# In the module configuration
engines = [
{
name = "google";
disabled = false;
}
{
name = "bing";
disabled = true;
}
];
```
### Themes and UI
Change the UI theme and settings:
```nix
ui = {
default_theme = "oscar"; # Other options: simple, oscar, pix-art
infinite_scroll = true;
center_alignment = true;
};
```
### Rate Limiting
Adjust rate limiting settings:
```nix
server = {
limiter = true;
public_instance = false;
method = "POST";
};
```
## Integration with Other Services
### Monitoring
Add Prometheus monitoring (optional):
```nix
services.prometheus.exporters.nginx.enable = true;
services.prometheus.scrapeConfigs = [
{
job_name = "searxng";
static_configs = [
{ targets = [ "localhost:8888" ]; }
];
}
];
```
### Backup
Include SearXNG data in your backup strategy:
```nix
# Add to your backup configuration
"/var/lib/searxng"
```
## Security Considerations
1. **Keep Updated**: Regularly update SearXNG package
2. **Monitor Access**: Review Nginx access logs periodically
3. **Proxy Security**: Ensure reverse proxy is properly secured
4. **Tailscale Security**: Use Tailscale ACLs to further restrict access
5. **Instance Privacy**: Never expose this instance publicly
## Performance Tuning
### For High Usage
```nix
# Increase worker processes
systemd.services.searxng.serviceConfig.MemoryMax = "1G";
# Nginx caching
services.nginx.virtualHosts."searxng.lab.local".locations."/static/" = {
expires = "1d";
extraConfig = "add_header Cache-Control public;";
};
```
### For Low Resources
```nix
# Reduce memory usage
systemd.services.searxng.serviceConfig.MemoryMax = "256M";
# Disable image proxy if not needed
server.image_proxy = false;
```

47
modules/services/SearXNG-example.nix Normal file
View file

@ -0,0 +1,47 @@
# Example SearXNG Configuration for NixOS Home Lab
#
# This example shows how to enable SearXNG on one of your machines
# with proper reverse proxy integration and Tailscale-only access.
#
# Add this to your machine's configuration.nix:
{
imports = [
../../modules/services/SearXNG.nix
];
services.searxng-lab = {
enable = true;
hostName = "searxng.lab.local";
# Configure reverse proxy for outbound traffic
reverseProxyHost = "reverse-proxy";
reverseProxyPort = 3128;
# Security settings
tailscaleOnly = true; # Only allow Tailscale network access
openFirewall = true; # Open HTTP port
nginxVhost = true; # Create Nginx virtual host
};
# Optional: Add hostname to /etc/hosts for easy access
networking.hosts = {
"127.0.0.1" = ["searxng.lab.local"];
};
}
# Reverse Proxy Configuration (add to reverse-proxy machine)
#
# services.squid = {
# enable = true;
# configText = ''
# http_port 3128
# acl homelab src 100.0.0.0/8
# acl homelab src 192.168.1.0/24
# http_access allow homelab
# http_access deny all
# access_log none
# forwarded_for delete
# '';
# };
#
# networking.firewall.allowedTCPPorts = [ 3128 ];

316
modules/services/SearXNG.nix
View file

@ -0,0 +1,316 @@
# SearXNG Service Configuration for Home Lab
#
# This module provides SearXNG configuration for private metasearch engine
# SearXNG aggregates results from various search engines while preserving privacy
#
# Features:
# - Uses reverse proxy for outbound traffic to search engines
# - Web UI only accessible from Tailscale network
# - No logging of user queries for privacy
# - Nginx reverse proxy with security headers
# - Rate limiting and security hardening
#
# Usage:
# In your machine's configuration.nix, add:
# imports = [ ../../modules/services/SearXNG.nix ];
# services.searxng-lab = {
# enable = true;
# hostName = "searxng.your-domain.com";
# reverseProxyHost = "reverse-proxy";
# };
{
config,
lib,
pkgs,
...
}: let
cfg = config.services.searxng-lab;
# Generate a unique secret key for this instance
secretKeyFile = pkgs.writeText "searxng-secret" (builtins.hashString "sha256" cfg.hostName);
# SearXNG settings configuration
searxngSettings = {
use_default_settings = true;
server = {
port = cfg.port;
bind_address = "127.0.0.1";
secret_key = "@SECRET_KEY@"; # Will be replaced at runtime
base_url = "http://${cfg.hostName}";
image_proxy = true;
public_instance = false;
limiter = true;
method = "POST";
default_http_headers = {
X-Content-Type-Options = "nosniff";
X-Download-Options = "noopen";
X-Robots-Tag = "noindex, nofollow";
Referrer-Policy = "no-referrer";
X-Frame-Options = "DENY";
X-XSS-Protection = "1; mode=block";
};
};
general = {
debug = false;
instance_name = "Private Search - ${cfg.hostName}";
privacypolicy_url = false;
donation_url = false;
contact_url = false;
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = "";
default_lang = "en";
ban_time_on_fail = 5;
max_ban_time_on_fail = 120;
formats = ["html" "json"];
};
ui = {
static_use_hash = true;
default_locale = "en";
query_in_title = false;
infinite_scroll = false;
center_alignment = false;
default_theme = "simple";
hotkeys = "default";
search_on_category_select = true;
};
# Configure outbound requests through reverse proxy
outgoing = {
request_timeout = 3.0;
useragent_suffix = "";
pool_connections = 100;
pool_maxsize = 10;
enable_http2 = true;
using_tor_proxy = false;
# Use reverse proxy for all outbound requests
proxies = {
http = "http://${cfg.reverseProxyHost}:${toString cfg.reverseProxyPort}";
https = "http://${cfg.reverseProxyHost}:${toString cfg.reverseProxyPort}";
};
};
};
# Convert settings to YAML format
settingsFile = pkgs.writeText "searxng-settings.yml" (lib.generators.toYAML {} searxngSettings);
in {
options.services.searxng-lab = {
enable = lib.mkEnableOption "SearXNG metasearch engine for home lab";
hostName = lib.mkOption {
type = lib.types.str;
default = "searxng.local";
example = "search.example.com";
description = "Hostname for the SearXNG instance";
};
port = lib.mkOption {
type = lib.types.port;
default = 8888;
description = "Port for SearXNG to listen on";
};
reverseProxyHost = lib.mkOption {
type = lib.types.str;
default = "reverse-proxy";
example = "proxy.internal.lan";
description = "Hostname of the reverse proxy for outbound traffic";
};
reverseProxyPort = lib.mkOption {
type = lib.types.port;
default = 3128;
description = "Port of the reverse proxy for outbound traffic";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to open firewall for HTTP access";
};
tailscaleOnly = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to restrict access to Tailscale network only";
};
nginxVhost = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to create Nginx virtual host";
};
};
config = lib.mkIf cfg.enable {
# Create SearXNG user and group
users.users.searxng = {
isSystemUser = true;
group = "searxng";
home = "/var/lib/searxng";
createHome = true;
description = "SearXNG metasearch engine user";
};
users.groups.searxng = {};
# Install SearXNG package
environment.systemPackages = with pkgs; [
searxng
];
# Create configuration directory and files
environment.etc."searxng/settings.yml" = {
source = settingsFile;
mode = "0644";
};
# SearXNG systemd service
systemd.services.searxng = {
description = "SearXNG metasearch engine";
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
environment = {
SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
PYTHONPATH = "${pkgs.searxng.pythonPath}";
};
serviceConfig = {
Type = "exec";
User = "searxng";
Group = "searxng";
ExecStart = "${pkgs.searxng}/bin/searxng-run";
Restart = "always";
RestartSec = "10s";
# Security hardening
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ReadWritePaths = ["/var/lib/searxng" "/tmp"];
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
# Process limits
LimitNOFILE = 4096;
MemoryMax = "512M";
# Network restrictions for Tailscale-only access
IPAddressDeny = lib.mkIf cfg.tailscaleOnly "any";
IPAddressAllow = lib.mkIf cfg.tailscaleOnly [
"100.0.0.0/8" # Tailscale network
"127.0.0.0/8" # Localhost
"::1/128" # IPv6 localhost
];
};
preStart = ''
# Generate secret key and update settings
SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)
${pkgs.gnused}/bin/sed -i "s/@SECRET_KEY@/$SECRET_KEY/g" /etc/searxng/settings.yml
# Ensure proper permissions
mkdir -p /var/lib/searxng/cache
chown -R searxng:searxng /var/lib/searxng
'';
};
# Nginx reverse proxy configuration
services.nginx = lib.mkIf cfg.nginxVhost {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."${cfg.hostName}" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Hide server information
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
${lib.optionalString cfg.tailscaleOnly ''
# Restrict access to Tailscale network only
allow 100.0.0.0/8; # Tailscale network
allow 127.0.0.1; # Localhost
allow ::1; # IPv6 localhost
deny all; # Deny all other access
''}
'';
};
# Security headers for all responses
extraConfig = ''
# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Content Security Policy for SearXNG
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';" always;
# Hide server information
server_tokens off;
more_clear_headers Server;
'';
};
};
# Firewall configuration
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [80];
# Tailscale-specific firewall rules
extraCommands = lib.optionalString cfg.tailscaleOnly ''
# Allow Tailscale network access to HTTP
iptables -I nixos-fw -i tailscale0 -p tcp --dport 80 -j ACCEPT
iptables -I nixos-fw -s 100.0.0.0/8 -p tcp --dport 80 -j ACCEPT
'';
extraStopCommands = lib.optionalString cfg.tailscaleOnly ''
# Clean up Tailscale rules
iptables -D nixos-fw -i tailscale0 -p tcp --dport 80 -j ACCEPT 2>/dev/null || true
iptables -D nixos-fw -s 100.0.0.0/8 -p tcp --dport 80 -j ACCEPT 2>/dev/null || true
'';
};
# Ensure required directories exist
systemd.tmpfiles.rules = [
"d /var/lib/searxng 0755 searxng searxng -"
"d /var/lib/searxng/cache 0755 searxng searxng -"
];
# Add any additional packages needed
environment.systemPackages = with pkgs; [
curl # For health checks
jq # For JSON processing if needed
];
};
}

405
research/SearXNG-Architecture-Comparison.md Normal file
View file

@ -0,0 +1,405 @@
# SearXNG Networking Architecture Comparison
## Executive Summary
This document compares two networking architectures for SearXNG deployment in a home lab environment:
1. **Current Architecture**: SearXNG + Tailscale VPN + Internal Reverse Proxy
2. **Alternative Architecture**: SearXNG + Self-hosted WireGuard VPN + Tailscale Exit Node
Both solutions provide privacy and security, but with different trade-offs in complexity, control, maintenance, and features.
## Architecture Comparison
### Current Architecture: SearXNG + Tailscale + Internal Proxy
```
[Client Device]
↓ (Tailscale VPN - encrypted mesh)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (HTTP proxy requests)
[Internal Reverse Proxy]
↓ (Outbound NAT to internet)
[Search Engines]
```
### Alternative Architecture: WireGuard + Tailscale Exit Node
```
[Client Device]
↓ (Self-hosted WireGuard VPN)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (Direct or via local proxy)
[Reverse Proxy as Tailscale Exit Node]
↓ (Tailscale tunnel to internet)
[Search Engines]
```
## Detailed Analysis
### 1. Privacy & Anonymity
#### Current Architecture (Tailscale + Internal Proxy)
**Benefits:**
- ✅ Complete traffic isolation within home network
- ✅ No external VPN provider sees your search traffic
- ✅ Search engines see your reverse proxy's IP, not client IP
- ✅ Tailscale encrypted mesh network for client access
- ✅ Zero-log proxy configuration possible
**Limitations:**
- ⚠️ Depends on Tailscale service availability
- ⚠️ Tailscale company could theoretically see connection metadata
#### Alternative Architecture (WireGuard + Exit Node)
**Benefits:**
- ✅ Complete control over VPN infrastructure
- ✅ No third-party VPN service dependencies
- ✅ Search engines see Tailscale exit node IP
- ✅ Full traffic encryption with WireGuard
- ✅ Open-source VPN solution
**Limitations:**
- ⚠️ Search traffic still routes through Tailscale infrastructure
- ⚠️ More complex key management and client configuration
### 2. Security
#### Current Architecture
**Strengths:**
- 🔒 Tailscale's battle-tested security (WireGuard-based)
- 🔒 Network access controlled by Tailscale ACLs
- 🔒 Internal HTTP proxy reduces attack surface
- 🔒 Service-level IP restrictions (systemd)
- 🔒 Defense in depth with multiple layers
**Vulnerabilities:**
- 🚨 Single point of failure if Tailscale keys compromised
- 🚨 Dependency on Tailscale's infrastructure security
#### Alternative Architecture
**Strengths:**
- 🔒 Self-controlled WireGuard ensures no external dependencies
- 🔒 Tailscale exit node provides IP obfuscation
- 🔒 Full control over VPN server hardening
- 🔒 Can implement custom authentication/authorization
**Vulnerabilities:**
- 🚨 Self-managed security requires more expertise
- 🚨 Manual key rotation and certificate management
- 🚨 Potential for misconfiguration without managed service
### 3. Operational Complexity
#### Current Architecture
**Complexity Level:** 🟢 **Low-Medium**
**Setup Requirements:**
- Install Tailscale on devices (simple)
- Configure SearXNG service (NixOS module)
- Configure internal HTTP proxy (Squid/Nginx)
- Set firewall rules for internal access
**Ongoing Maintenance:**
- Tailscale handles device management
- Automatic key rotation and updates
- Monitor proxy and SearXNG services
- Regular NixOS system updates
**Time Investment:**
- Initial setup: 2-4 hours
- Monthly maintenance: 30 minutes
#### Alternative Architecture
**Complexity Level:** 🟡 **Medium-High**
**Setup Requirements:**
- Deploy and configure WireGuard server
- Generate and distribute client configurations
- Configure Tailscale exit node on reverse proxy
- Set up proper routing and firewall rules
- Implement client key management system
**Ongoing Maintenance:**
- Manual WireGuard key rotation
- Client configuration updates
- Monitor VPN server performance
- Troubleshoot connectivity issues
- Maintain exit node Tailscale connection
**Time Investment:**
- Initial setup: 8-16 hours
- Monthly maintenance: 2-3 hours
### 4. Performance
#### Current Architecture
**Performance Characteristics:**
- 🚀 Single VPN hop (Tailscale)
- 🚀 Low latency for internal services
- 🚀 Mesh networking optimizes routes
- 🚀 HTTP proxy adds minimal overhead
- 📊 Bandwidth: ~95% of base connection
**Network Path:**
```
Client → Tailscale → Home Lab → Internet
(1 encryption layer, optimized routing)
```
#### Alternative Architecture
**Performance Characteristics:**
- 🐌 Double VPN tunneling overhead
- 🐌 Additional latency from two hops
- 🐌 More complex routing decisions
- 🐌 Potential bandwidth limitations
- 📊 Bandwidth: ~80-85% of base connection
**Network Path:**
```
Client → WireGuard → Home Lab → Tailscale Exit → Internet
(2 encryption layers, suboptimal routing)
```
### 5. Reliability & Availability
#### Current Architecture
**Availability Factors:**
- ✅ Tailscale has 99.9%+ uptime
- ✅ Redundant Tailscale infrastructure
- ✅ Local services independent of external connectivity
- ✅ Automatic failover and reconnection
- ⚠️ Single point of failure: Tailscale service
**Failure Scenarios:**
- Tailscale outage → No external access to SearXNG
- Internal proxy failure → No search functionality
- Home internet outage → Complete service loss
#### Alternative Architecture
**Availability Factors:**
- ✅ Self-hosted VPN eliminates external dependencies
- ✅ Can implement custom redundancy
- ⚠️ Requires more manual monitoring
- ⚠️ Two services must be operational (WireGuard + Tailscale)
**Failure Scenarios:**
- WireGuard server failure → No VPN access
- Tailscale exit node failure → No internet routing
- Either service down → Complete service loss
### 6. Cost Analysis
#### Current Architecture
**Financial Costs:**
- 💰 Tailscale Personal: Free (up to 3 users, 100 devices)
- 💰 Tailscale Teams: $6/user/month (for larger deployments)
- 💰 Infrastructure: Existing hardware
- 💰 **Total Monthly Cost: $0-18**
**Resource Costs:**
- Minimal CPU/RAM overhead
- Existing reverse proxy hardware
- No additional server requirements
#### Alternative Architecture
**Financial Costs:**
- 💰 WireGuard: Free (open source)
- 💰 Tailscale: Free for exit node functionality
- 💰 Infrastructure: Existing hardware
- 💰 **Total Monthly Cost: $0**
**Resource Costs:**
- Additional CPU for double encryption
- More complex monitoring requirements
- Higher administrative time investment
### 7. Scalability
#### Current Architecture
**Scaling Characteristics:**
- 📈 Easy device addition via Tailscale
- 📈 Automatic device discovery and connectivity
- 📈 Centralized access control via Tailscale admin
- 📈 Supports up to 100 devices on free plan
- 🔧 Service scaling through load balancers
#### Alternative Architecture
**Scaling Characteristics:**
- 📈 Manual client configuration for each device
- 📈 Custom automation required for device management
- 📈 Unlimited device support (self-hosted)
- 🔧 More complex load balancing setup
- 🔧 Requires custom device provisioning system
### 8. Compliance & Audit
#### Current Architecture
**Compliance Aspects:**
- 📋 Tailscale provides audit logs and compliance features
- 📋 Centralized access control and monitoring
- 📋 Professional support available for Teams plan
- 📋 SOC 2 Type II compliance (Tailscale)
#### Alternative Architecture
**Compliance Aspects:**
- 📋 Complete audit trail control (self-hosted logs)
- 📋 Custom compliance implementations required
- 📋 No third-party compliance dependencies
- 📋 Requires internal audit and monitoring systems
## Specific Use Case Analysis
### For Home Lab Environment
#### Current Architecture Advantages
1. **Rapid Deployment**: Get secure remote access in under an hour
2. **Family-Friendly**: Easy to add family devices without technical knowledge
3. **Maintenance-Free**: Updates and key rotation handled automatically
4. **Professional Features**: Access controls, device management, audit logs
5. **Support**: Community and professional support available
#### Alternative Architecture Advantages
1. **Complete Control**: No external service dependencies
2. **Cost**: Zero recurring costs regardless of scale
3. **Privacy**: No metadata visible to any third party
4. **Customization**: Full control over VPN server configuration
5. **Learning**: Deeper understanding of VPN technologies
### Recommended Decision Matrix
| Priority | Current (Tailscale + Proxy) | Alternative (WireGuard + Exit) |
|----------|----------------------------|--------------------------------|
| **Ease of Use** | ⭐⭐⭐⭐⭐ | ⭐⭐ |
| **Privacy** | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Performance** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Reliability** | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Cost (Long-term)** | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Learning Value** | ⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Time Investment** | ⭐⭐⭐⭐⭐ | ⭐⭐ |
## Implementation Recommendations
### Stick with Current Architecture If
- You value simplicity and time efficiency
- You have family members or non-technical users
- You want professional-grade features without complexity
- You're satisfied with Tailscale's privacy model
- You need reliable, low-maintenance solution
### Consider Alternative Architecture If
- You want complete control over your privacy infrastructure
- You enjoy learning and implementing complex networking
- You have unlimited time for setup and maintenance
- You want zero recurring costs
- You're concerned about any third-party service dependencies
- You need to comply with strict data sovereignty requirements
### Hybrid Approach Option
A third option is to implement both architectures in parallel:
1. **Keep current Tailscale setup** for daily use and family access
2. **Add WireGuard option** for maximum privacy scenarios
3. **Use selective routing** based on security requirements
This provides flexibility while maintaining the benefits of both approaches.
## Migration Path (If Choosing Alternative)
### Phase 1: Prepare Infrastructure
1. Set up WireGuard server on dedicated hardware
2. Configure exit node functionality on reverse proxy
3. Test connectivity and performance
### Phase 2: Gradual Migration
1. Configure one test client with WireGuard
2. Verify SearXNG access and functionality
3. Monitor performance and stability
### Phase 3: Full Deployment
1. Generate client configurations for all devices
2. Distribute and configure clients
3. Decommission Tailscale (optional)
### Phase 4: Optimization
1. Fine-tune performance settings
2. Implement monitoring and alerting
3. Document procedures and troubleshooting
## Conclusion
The **current architecture (SearXNG + Tailscale + Internal Proxy)** is recommended for most home lab users because:
1. **Proven Reliability**: Battle-tested in production environments
2. **Time Efficiency**: Minimal setup and maintenance overhead
3. **Professional Features**: Access controls, audit logging, device management
4. **Performance**: Single VPN hop with optimized routing
5. **Support**: Professional support and large community
The **alternative architecture (WireGuard + Exit Node)** should be considered only if:
1. You have significant networking expertise and time
2. Complete control over infrastructure is a hard requirement
3. You want to learn advanced VPN technologies
4. You have specific compliance or sovereignty requirements
For most users, the current architecture provides the optimal balance of security, privacy, performance, and maintainability for a home lab environment.