restic(gutterman): exclude database files from backup

caddy: add countries web map
searxng: init (also forgot to introduce forgejo oidc secret... oops)
2026-01-25 16:27:49 -05:00 · 2026-01-25 16:27:21 -05:00 · 2026-01-24 14:44:22 -05:00 · 2026-01-23 13:02:14 -05:00
6 changed files with 141 additions and 6 deletions
--- a/modules/nixos/services/gameserver/restic.nix
+++ b/modules/nixos/services/gameserver/restic.nix
@ -27,6 +27,11 @@
    paths = [
      "/var/lib/minecraft"
    ];
-    exclude = [ ".*" ];
+    exclude = [
+      ".*"
+      "*.db"
+      "*.db-shm"
+      "*.db-wal"
+    ];
  };
 }
--- a/modules/nixos/services/homeserver/default.nix
+++ b/modules/nixos/services/homeserver/default.nix
@ -7,10 +7,12 @@
    ./caddy.nix
    ./cloudflared.nix
    ./forgejo.nix
+    ./gameserver-caddy.nix
    ./jellyfin.nix
    ./kanidm.nix
    ./nextcloud.nix
    ./ntfy.nix
+    ./searxng.nix
    ./sops.nix
    ./technitium-dns.nix
    ./uptime-kuma.nix
--- a/modules/nixos/services/homeserver/forgejo.nix
+++ b/modules/nixos/services/homeserver/forgejo.nix
@ -12,13 +12,15 @@
    };
  };

+  users.groups.forgejo.members = [ "caddy" ];
+
  services.caddy.virtualHosts."git.wo2wz.fyi".extraConfig =
  assert config.services.caddy.enable;
  ''
    import default-settings
    import cloudflare-tls

-    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+    reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
  '';

  services.forgejo = {
@ -40,11 +42,15 @@
      };

      server = {
-        HTTP_ADDR = "127.0.0.1";
-        HTTP_PORT = 8008;
+        PROTOCOL = "http+unix";
+        HTTP_ADDR = "/run/forgejo/forgejo.sock";
+        UNIX_SOCKET_PERMISSION = 660;

        DOMAIN = "git.wo2wz.fyi";
        ROOT_URL = "https://git.wo2wz.fyi/";
+
+        # cant work with cf tunnel unfortunately
+        DISABLE_SSH = true;
      };
      
      database.SQLITE_JOURNAL_MODE = "WAL";
--- a/modules/nixos/services/homeserver/gameserver-caddy.nix
+++ b/modules/nixos/services/homeserver/gameserver-caddy.nix
@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+  services.caddy.virtualHosts."map-countries.wo2wz.fyi".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+    import cloudflare-tls
+
+    reverse_proxy gutterman:8123
+  '';
+}
--- a/modules/nixos/services/homeserver/searxng.nix
+++ b/modules/nixos/services/homeserver/searxng.nix
@ -0,0 +1,107 @@
+{ config, ... }:
+
+{
+  sops.secrets."searxng/secrets.env" = {};
+
+  services.caddy.virtualHosts."searxng.taild5f7e6.ts.net".extraConfig =
+  assert config.services.caddy.enable;
+  ''
+    import default-settings
+
+    bind tailscale/searxng
+
+    reverse_proxy localhost:${toString config.services.searx.settings.server.port}
+  '';
+
+  services.searx = {
+    enable = true;
+    redisCreateLocally = true;
+    settings = {
+      general = {
+        instance_name = "Wo2wz's SearXNG";
+        enable_metrics = false;
+      };
+
+      server = {
+        bind_address = "127.0.0.1";
+        port = 8009;
+        base_url = "https://searxng.taild5f7e6.ts.net";
+        secret_key = "$SEARXNG_SECRET_KEY";
+      };
+
+      ui.default_locale = "en";
+
+      search = {
+        safe_search = 1;
+        default_lang = "en-US";
+        autocomplete = "duckduckgo";
+        favicon_resolver = "duckduckgo";
+      };
+
+      engines = [
+        # brave is broken from what it seems
+        {
+          name = "brave";
+          disabled = true;
+        }
+
+        {
+          name = "bing news";
+          disabled = true;
+        }
+        
+        {
+          name = "deezer";
+          disabled = false;
+        }
+
+        {
+          name = "annas archive";
+          disabled = false;
+        }
+        {
+          name = "piratebay";
+          disabled = true;
+        }
+
+        {
+          name = "nixos wiki";
+          disabled = false;
+        }
+        {
+          name = "codeberg";
+          disabled = false;
+        }
+
+        {
+          name = "docker hub";
+          disabled = true;
+        }
+        {
+          name = "hoogle";
+          disabled = true;
+        }
+        {
+          name = "pypi";
+          disabled = true;
+        }
+
+        {
+          name = "hackernews";
+          disabled = false;
+        }
+      ];
+    };
+    faviconsSettings.favicons = {
+      cfg_schema = 1;
+      cache = {
+        db_url = "/var/cache/searx/faviconcache.db";
+        HOLD_TIME = 5184000;
+        LIMIT_TOTAL_BYTES = 104857600;
+        BLOB_MAX_BYTES = 40960;
+        MAINTENANCE_MODE = "auto";
+        MAINTENANCE_PERIOD = 600;
+      };
+    };
+  };
+}
--- a/secrets/drone.yaml
+++ b/secrets/drone.yaml
@ -13,6 +13,7 @@ grafana:
    secrets.env: ENC[AES256_GCM,data:yv7u5+8l7M4PJ4BzCUlTGX8PeFxxVMtS2Pi4yKnvAeZf+4tcz6NFNRjyPeqTFinqmZ8yq+iYA1tBS5Gy9DTHo8TzmhoaWBPI/ZUXQgl5Y7lnGBOyZ6wHlllsP8zbC+zEWW+gRssaXj6yYBuvQTTzfSqSlmZdB7VwhUegiVxMs722jbys1Rl+NE8TKDc384IbwPRAIi6ZO+UH,iv:M/dgcJ++gMH5/sNQDUQvkiJW2n+fSkPCEDZBcFRXWuE=,tag:SocmiehkaCzl9ZB8dNZPZQ==,type:str]
 kanidm:
    oauth2:
+        forgejo: ENC[AES256_GCM,data:Gi5JH0bFfJwzIe1JHjtWlnOf2Ucp/oEGr2nNngCaU8gRiWtd2QhWBeUQvcCuiKmF1kKNDJyi6F4R896FzXHEbg==,iv:bMQyYDv3cDhCQdSo8CP3qpqGQ2lapn5eZsLcNKZ+NFM=,tag:0J8qimAIfJAEDpW7Nu/1yw==,type:str]
        grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str]
        jellyfin: ENC[AES256_GCM,data:37edw83rscw19EiFOVUYoq33awKMWw+XXN6KKYYjEdKwtBx7I01RuOha3DkspFM7zJdmZf3E6IL1UT3N/sBB6w==,iv:T9N4h90799xOhFeNxqmKR0nDGn6BXuIGB4DiOIkt6vk=,tag:JZuu+uqRKAbQskKxzOPIEQ==,type:str]
        nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
@ -24,6 +25,8 @@ restic:
    rest-auth.env: ENC[AES256_GCM,data:MAJVkdiutkhY8MCLrg1EMumAblektgO85VQLD65McX/VYInYDihxwJOV21+SAJSaN/8vA/MqUEmzsrUb04hgvqPYjXIyyUYpDrE8us47eqjF3SoZJsf70Ukps0lv3+L3LViRSpKJ+2v2v7GenaA/jAk=,iv:5yzIiEpQ1jvl9SDu/MxsAl25PmxmmuPxjRAa+iEGJRU=,tag:9UBXGt0vXj3F0YndwkeQaw==,type:str]
    rest-server:
        .htpasswd: ENC[AES256_GCM,data:605u/QTk6j1s3Wn3Lg2M0BDhy4WbVFIZRYijhLeGmPHC2sZUY0Ngoq8bkr/Jf97Erh+CM4oqiHXA+Jct8Yq0ml6MMFKk0v602yHRxIEn5MOBETygUz889kJnNLGsXDHJeJFCX5J5qmlnj9DZ+93hNEQJAzEP2CvzH/JoHJA/bMrCGl0aZyExrxJi,iv:wuTER92WYPUGm0QNpfoOepZSGcOmq2M16Xa3RVJFYAo=,tag:qgLqtf41735ajBvlEBlJCw==,type:str]
+searxng:
+    secrets.env: ENC[AES256_GCM,data:oOEHk2rHzQ5db8U3JfTyTFgvQsz2G/MWFOedvb3BAYrT7tRVP2x8868nlqjHkeo6GkLevw4ejghUJ/tRVdYEqfxAnTlQtRDhp6r1vxW07Lh3N+a6HQ==,iv:XUysHB/fLwbKEDJFkuhg3Y9D9qERJ/qErJ20AlcVjX4=,tag:NtYx1BcMLphMwgAD/MMCCA==,type:str]
 syncthing:
    cert.pem: ENC[AES256_GCM,data:BHZ+GuWS9MWWyeXmcGna2IaSli63QbMKOeYFoKZhs3nvLLI1fdsvWhkhR+UZ1/dPrKPz8ZcgvqeClCDnGQLR+UBOIV8/nbuLk/jQxcw+KRl4+OziFeDnHdHdk1ZeSrF8ek7ThCX/MIz3t0/UPv+X0kZQEpwtOYrrLqeYLh3syUKdnVm9N96erv3UWKfSot5dch5EEMDLvli48rZtbqDrNCdx1bg8/CLj56OvmVxKtyPrUW/DZ3euG7PuL4Crrxw1ZeafTWHINpGoTZDrpOfanLEO5BtK65WY6J18ggJ467P9SgpeC2MeRnCJu6WaH1nqRSM5KitDYwhMFFlcdGKDUF30pCUf/W63BZ8AokJFozuhwtTbCWJHAk39j/wYoU+S0MfIhb/5gZu2vs+2Qnkle6r0ew8AS3l0BNcNJbbSdWKnGbYo8uUAtUh6GmK4ADYFx2z8h31z7kONzFAeE03nAkhAEoDtUccDNUlwF6WBeQdaIKYk2lVwU0bi5C4L5RM5qanAlKvsWtqQ7re5B0nbn4QcnGFLBJZsLmxSzX73e+9MRxTaPUyVoPmAsELLuOMBL7y3wqBtmNeLPRih+7zfn2AwQGaZ/UgnfX1s2gJtx3+OnCy8GMRbaxTd+8AM2JkZsFpkQjwG+eI1HE28dELHcpeDZ4ZqzGUh4Xlgq15kmaXo3Ww89Ukq/QCMHs6xqQdbw4ra84Oh33Stt7YFtL+xVcJkoAzIVYKeoJDtqIwPf+LXukvAUZyMbaLSmEJTsfNnKkhsGU1clxyZXs6DK0EaP3LCY6iw9tv096PkrI9wFFNNxbIjuERkQK4xdus506s=,iv:rUJIqoZa9pSMUxSqUmUKnlUahKLEW/vzzmNI4V0LniE=,tag:EKExs0ms3LbIh7FJA923aA==,type:str]
    key.pem: ENC[AES256_GCM,data:jhYr/fFLvWOGKb7poh3reEDs6WatAoVgYEWw7Y5jwI06eAUO7yQCPpJefKZ+/0VRi0noX71U9Ul/Nv7VNo5bnZ8Yf0fcVxw8FBo0tMXYwg5AMqnJOIr3B48UZUJ9JiWjKG53rE7iGSbnJ4rzvVxB1Opu/wcEDzY=,iv:90R7tjucK/ogTicwAYL5VZ7YF0gCU7KberPQNtAwkBU=,tag:ECCuskrOefltx11+lk2NBA==,type:str]
@ -40,7 +43,7 @@ sops:
            N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
            RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-15T22:36:28Z"
-    mac: ENC[AES256_GCM,data:aKyHq9f7NtLPklPRFwY2un40K+0Ar86oMPVZrzoPHhihX3WwyIhZvru8d84+eU6m6z0rS94yUcmVe7i8wcX+oDXvMFbX5nh2RNp3C14oBIP0PHNyA1V3z1dCy4wsc9lcM6x1ah0zEuqIIMTOxLVue4x8XBTneeqK47F6HRoNiWw=,iv:pSGLJxuinPCi1FnfXGsLZwlFoJa6GeOX7/e28e9vFOA=,tag:Imb3gEYz88Hu7SYbdz0lYg==,type:str]
+    lastmodified: "2026-01-23T19:01:32Z"
+    mac: ENC[AES256_GCM,data:zJalz3o5HGhlSrmBBMQ0nRBnry/rJPymQlszJYXDPi7fK7utZpMkYRH7DxrT4U5xM7q36mFiFm4O/m8BFXdoKsOzCxpCsvHHhfVvOFuR1Knoza33xeej/gEvqQmImBO6oauFBi3ZJ8ABbV8JbzkE33tu0qaE4xgQ9kC2q/6utck=,iv:oP1BGicUARP+HGhmhLbgssx1xLiPoBdNdNXk7gFLqdY=,tag:LhJbW5SmxFQzYYLjIWeH0Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
Author	SHA1	Message	Date
wo2w	6d1ce0556a	restic(gutterman): exclude database files from backup	2026-01-25 16:27:49 -05:00
wo2w	c6d39d17cb	caddy: add countries web map	2026-01-25 16:27:21 -05:00
wo2w	17945c4f7e	searxng: init (also forgot to introduce forgejo oidc secret... oops)	2026-01-24 14:44:22 -05:00
wo2w	34c2661dad	forgejo: use unix socket	2026-01-23 13:02:14 -05:00