# Plan: Add SearxNG service to homelab network

## Source Ticket

- `tickets/active/2026-06-06-add-searxng-service.md`

## Confirmed Decisions

- Target platform: create in Proxmox using API credentials from `.tokens/proxmox.env`.
- Service name / DNS name: `search.dropcutstud.io`.
- Access policy: LAN and Tailscale only.

## Safety Constraints

- Do not print Proxmox API token values.
- Prefer a dedicated lightweight VM/LXC for SearxNG.
- Avoid public exposure.
- Verify target node/storage/template before creation.
- Avoid destructive actions; do not overwrite existing VMIDs or services.
- Log all server-side operational changes in `docs/server-change-log.md`.

## Proposed Deployment Shape

Preferred first implementation:
- Dedicated Debian LXC or VM named `searxng`.
- Docker Compose running SearxNG and its cache dependency if needed.
- HTTP bound internally; optional reverse proxy later.
- Firewall/DNS configured so `search.dropcutstud.io` resolves for LAN and Tailscale clients only.

## Execution Steps

1. Query Proxmox API for nodes, storage, existing VMIDs, and available templates/images.
2. Select safe VMID and target node/storage.
3. Create dedicated guest.
4. Provision SearxNG runtime.
5. Configure SearxNG base URL as `https://search.dropcutstud.io/` or `http://search.dropcutstud.io/` depending on TLS decision.
6. Configure LAN/Tailscale-only access.
7. Verify search behavior.
8. Record change log and rollback notes.
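
An added example (not part of the original plan or any existing tooling) of the pre-flight logic behind steps 1 and 2: read `.tokens/proxmox.env` without ever printing token values, and pick a VMID that cannot collide with an existing guest. The variable names `PROXMOX_TOKEN_ID` and `PROXMOX_TOKEN_SECRET`, the helper names, the 100-999 VMID range, and the sample inventory are assumptions; the inventory mimics the shape of `GET /api2/json/cluster/resources?type=vm`.

```python
import json

# Constructed sample shaped like GET /api2/json/cluster/resources?type=vm.
SAMPLE_RESOURCES = json.loads("""
{"data": [
  {"vmid": 100, "node": "pve1", "type": "qemu", "name": "router", "status": "running"},
  {"vmid": 101, "node": "pve1", "type": "lxc", "name": "dns", "status": "running"},
  {"vmid": 103, "node": "pve1", "type": "lxc", "name": "backup", "status": "stopped"}
]}
""")

class Secret:
    """Wraps a credential so print/str/repr/logging never reveal it."""
    def __init__(self, value): self._value = value
    def reveal(self): return self._value
    def __repr__(self): return "<redacted>"
    __str__ = __repr__

def parse_env(text):
    """Parse KEY=VALUE lines; every value is wrapped as a Secret."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = Secret(value.strip().strip("\"'"))
    return env

def auth_header(env):
    """Proxmox API token header: PVEAPIToken=USER@REALM!TOKENID=SECRET."""
    # Hypothetical variable names; pass the result to the HTTP client only, never log it.
    return {"Authorization": "PVEAPIToken=%s=%s" % (
        env["PROXMOX_TOKEN_ID"].reveal(), env["PROXMOX_TOKEN_SECRET"].reveal())}

def pick_vmid(resources, guest_name, start=100, end=999):
    """Return the lowest unused VMID; refuse if guest_name already exists."""
    guests = resources["data"]
    clash = [g for g in guests if g.get("name") == guest_name]
    if clash:
        raise RuntimeError("guest %r already exists as VMID %s" % (guest_name, clash[0]["vmid"]))
    used = {int(g["vmid"]) for g in guests}
    for vmid in range(start, end + 1):
        if vmid not in used:
            return vmid
    raise RuntimeError("no free VMID in %d-%d" % (start, end))
```

Re-run the inventory query immediately before the create call, since a VMID that was free during planning may have been taken since.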

## Open Implementation Questions

- Does Proxmox API access include a way to execute commands in new guests, or do we need SSH/provisioning bootstrap after guest creation?
- Which DNS system controls `dropcutstud.io` internal/LAN and Tailscale resolution?
- Should first deployment use HTTP internally, or should we configure TLS immediately?
