.

modules/nixos/kernel-hardening.nix

@@ -58,6 +58,8 @@ in
     };
 
     # Runtime kernel hardening
+    boot.kernelModules = lib.mkIf cfg.enableZram [ "zram" ];
+
     boot.kernelParams = [
       "slab_nomerge"
       "init_on_alloc=1"

modules/nixos/lutris-sandboxed.nix

@@ -99,9 +99,18 @@ in
           # PipeWire + Pulse
           ''--bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"''
           ''--bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"''
+
+          # Hardware access
+          "--dev-bind /dev/dri /dev/dri"
+          "--dev-bind /dev/shm /dev/shm"
+          "--ro-bind /sys /sys"
+
           # Bind system themes to /usr/share
           "--ro-bind /run/current-system/sw/share/themes /usr/share/themes"
           "--ro-bind /run/current-system/sw/share/icons /usr/share/icons"
+          # OpenGL/Vulkan drivers
+          "--ro-bind-try /run/opengl-driver /run/opengl-driver"
+          "--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32"
         ];
 
         # Disable built-in DBus module (invokes bwrap without --unshare-user)

modules/nixos/media.nix

@@ -48,6 +48,7 @@ in
         TZ = "Europe/Berlin";
         DOT = "off"; # DNS over TLS off (optional)
         FIREWALL_OUTBOUND_SUBNETS = "10.89.0.0/24"; # Allow access to local docker network
+        FIREWALL_VPN_INPUT_PORTS = "36630"; # Allow incoming torrent traffic
       };
       extraOptions = [
         "--cap-add=NET_ADMIN"

modules/nixos/redlib.nix

@@ -0,0 +1,63 @@
+# Redlib Module (Rootless Podman)
+# Provides: Private Reddit frontend running in a rootless container
+#
+# Usage:
+#   myModules.redlib = {
+#     enable = true;
+#     port = 8082;
+#   };
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.myModules.redlib;
+in
+{
+  options.myModules.redlib = {
+    enable = lib.mkEnableOption "Redlib private Reddit frontend";
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 8082;
+      description = "Port to expose Redlib on localhost";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    myModules.podman.enable = true;
+
+    # Redlib Container
+    virtualisation.oci-containers.containers."redlib" = {
+      image = "quay.io/redlib/redlib:latest";
+      # ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; # Port exposed via VPN
+      extraOptions = [
+        "--pull=always"
+        "--cap-drop=ALL"
+        "--network=container:vpn"
+      ];
+      dependsOn = [ "vpn" ];
+    };
+
+    # Rootless Overrides
+    systemd.services."podman-redlib".serviceConfig.User = lib.mkForce "ashie";
+    systemd.services."podman-redlib".environment = {
+      HOME = "/home/ashie";
+      XDG_RUNTIME_DIR = "/run/user/1000";
+    };
+    systemd.services."podman-redlib".serviceConfig.Type = lib.mkForce "simple";
+    systemd.services."podman-redlib".serviceConfig.Delegate = true;
+    systemd.services."podman-redlib".after = [
+      "user-runtime-dir@1000.service"
+      "podman-vpn.service"
+    ];
+    systemd.services."podman-redlib".requires = [
+      "user-runtime-dir@1000.service"
+      "podman-vpn.service"
+    ];
+  };
+}

modules/nixos/searxng.nix

@@ -199,6 +199,25 @@ let
         border-radius: 2em !important;
     }
   '';
+
+  anubisPolicy = pkgs.writeText "anubis-policy.yml" ''
+    bots:
+      - name: "Allow OpenSearch"
+        action: ALLOW
+        path_regex: ".*opensearch\\.xml.*"
+      - name: "Catch-All"
+        user_agent_regex: ".*"
+        action: CHALLENGE
+  '';
+
+  faviconsConfig = pkgs.writeText "favicons.toml" ''
+    [favicons]
+    cfg_schema = 1
+
+    [favicons.cache]
+    db_url = "/var/cache/searxng/faviconcache.db"
+    LIMIT_TOTAL_BYTES = 2147483648
+  '';
 in
 {
   options.myModules.searxng = {
@@ -236,11 +255,15 @@ in
       serviceConfig.RemainAfterExit = true;
       after = [ "user-runtime-dir@1000.service" ];
       requires = [ "user-runtime-dir@1000.service" ];
-      path = [ pkgs.podman ];
+      path = [
+        pkgs.podman
+        pkgs.shadow
+      ];
       script = ''
+        export PATH=/run/wrappers/bin:$PATH
         export XDG_RUNTIME_DIR="/run/user/1000"
         export HOME="/home/ashie"
-        podman network create searxng-net --ignore
+        podman network create searxng-net --subnet 10.89.2.0/24 --ignore
       '';
     };
 
@@ -263,8 +286,8 @@ in
 
     # 3. SearXNG Container
     virtualisation.oci-containers.containers."searxng" = {
-      image = "ghcr.io/searxng/searxng:latest";
-      ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
+      image = "ghcr.io/privau/searxng:latest";
+      # ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; # Port moved to Anubis
       environment = {
         "SEARXNG_BASE_URL" = "https://${cfg.domain}";
         "SEARXNG_REDIS_URL" = "valkey://valkey:6379"; # Talk to Valkey via alias
@@ -276,6 +299,7 @@ in
       ];
       extraOptions = [
         "--network=searxng-net"
+        "--network-alias=searxng"
         "--cap-drop=ALL"
         "--cap-add=CHOWN"
         "--cap-add=SETGID"
@@ -285,10 +309,41 @@ in
       volumes = [
         "${config.sops.templates."searxng_settings.yml".path}:/etc/searxng/settings.yml:ro"
         "${catppuccinCss}:/etc/searxng/custom.css:ro"
+        "${faviconsConfig}:/etc/searxng/favicons.toml:ro"
+        "searxng-cache:/var/cache/searxng"
       ];
       dependsOn = [ "searxng-valkey" ];
     };
 
+    # 4. Anubis Container (AI Firewall)
+    virtualisation.oci-containers.containers."searxng-anubis" = {
+      image = "ghcr.io/techarohq/anubis:latest";
+      ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
+      environment = {
+        "TARGET" = "http://searxng:8080";
+        "BIND" = ":8080";
+        "POLICY_FNAME" = "/etc/anubis/policy.yml";
+      };
+      extraOptions = [
+        "--network=searxng-net"
+      ];
+      volumes = [
+        "${anubisPolicy}:/etc/anubis/policy.yml:ro"
+      ];
+      dependsOn = [ "searxng" ];
+    };
+
+    # 5. Permanent NAT Fix for SearXNG Network
+    networking.nftables.tables.searxng-nat = {
+      family = "inet";
+      content = ''
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          ip saddr 10.89.2.0/24 masquerade
+        }
+      '';
+    };
+
     sops.templates."searxng.env" = {
       owner = "ashie";
       content = ''
@@ -310,9 +365,16 @@ in
               lib.mapAttrsToList (name: url: "${name}: \"${url}\"") cfg.donations
             )}
 
+        engines:
+          - name: brave
+            engine: brave
+            api_key: "${config.sops.placeholder.searxng_brave_api_key}"
+            tokens: ["${config.sops.placeholder.searxng_private_token}"]
+
 
         search:
           safe_search: 0
+          favicon_resolver: "duckduckgo"
           autocomplete: "google"
           default_lang: "en-US"
           formats:
@@ -327,18 +389,25 @@ in
           image_proxy: true
 
         ui:
+          default_theme: simple
+          default_theme_style: kagi
           static_use_hash: true
-          custom_css: custom.css
-          theme_args:
-            simple_style: "auto"
+          # custom_css: custom.css
+          # theme_args:
+          #   simple_style: kagi
+
+          hostname_replace:
+            '(^|.*\.)reddit\.com$': 'reddit.ashisgreat.xyz'
 
         redis:
           url: valkey://valkey:6379/0
       '';
     };
 
-    # Placeholder secret definition (User must add this to secrets.yaml!)
+    # Secret definitions
     sops.secrets.searxng_secret_key = { };
+    sops.secrets.searxng_brave_api_key = { };
+    sops.secrets.searxng_private_token = { };
 
     # Rootless Overrides
     systemd.services."podman-searxng".serviceConfig.User = lib.mkForce "ashie";
@@ -351,10 +420,12 @@ in
     systemd.services."podman-searxng".after = [
       "create-searxng-network.service"
       "user-runtime-dir@1000.service"
+      "network-online.target"
     ];
     systemd.services."podman-searxng".requires = [
       "create-searxng-network.service"
       "user-runtime-dir@1000.service"
+      "network-online.target"
     ];
 
     systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce "ashie";
@@ -367,10 +438,30 @@ in
     systemd.services."podman-searxng-valkey".after = [
       "create-searxng-network.service"
       "user-runtime-dir@1000.service"
+      "network-online.target"
     ];
     systemd.services."podman-searxng-valkey".requires = [
       "create-searxng-network.service"
       "user-runtime-dir@1000.service"
+      "network-online.target"
+    ];
+
+    systemd.services."podman-searxng-anubis".serviceConfig.User = lib.mkForce "ashie";
+    systemd.services."podman-searxng-anubis".environment = {
+      HOME = "/home/ashie";
+      XDG_RUNTIME_DIR = "/run/user/1000";
+    };
+    systemd.services."podman-searxng-anubis".serviceConfig.Type = lib.mkForce "simple";
+    systemd.services."podman-searxng-anubis".serviceConfig.Delegate = true;
+    systemd.services."podman-searxng-anubis".after = [
+      "create-searxng-network.service"
+      "user-runtime-dir@1000.service"
+      "network-online.target"
+    ];
+    systemd.services."podman-searxng-anubis".requires = [
+      "create-searxng-network.service"
+      "user-runtime-dir@1000.service"
+      "network-online.target"
     ];
   };
 }

modules/nixos/steam-gamemode.nix

@@ -36,7 +36,7 @@
           fi
 
           echo "Launching gamescope..."
-          exec ${pkgs.gamescope}/bin/gamescope -f -e -- game-bypass steam -gamepadui
+          exec ${pkgs.gamescope}/bin/gamescope -f -e -- steam -gamepadui
         ''}
         Type=Application
       '';

modules/nixos/steam-sandboxed.nix

@@ -104,6 +104,9 @@ in
             "$HOME/.local/share/Larian Studios"
             "$HOME/Desktop"
             "/games/steam"
+            "/games/windows/Modlist"
+            "/games/windows/Modlist_Downloads"
+            "$HOME/Games/windows/Modlist/Nordic"
           ];
         };