# Implementation Plan: Bypass Age Identity for SearXNG Backups

Date: 2026-06-07

## Goal

Bypass age identity for SearXNG backups by replacing the age-encrypted SearXNG config backup path with a sanitized config backup. The SearXNG `secret_key` is not backed up; it is replaced by `__REGENERATE_ON_RESTORE__` and must be regenerated during restore.

## Safety Boundaries

- Do not delete existing historical SearXNG `.tar.gz.age` artifacts without explicit approval.
- Do not change Vaultwarden critical backup encryption, recipients, scripts, or restore process as part of this SearXNG change.
- Do not print or store the live SearXNG `secret_key`.
- Do not restore into production CT 103 as part of this bypass.

## Implemented Approach

- Removed repo-managed SearXNG age backup helper:
  - `ansible/files/searxng-encrypted-backup-from-nimrod`
- Added repo-managed sanitized helper:
  - `ansible/files/searxng-sanitized-backup-from-nimrod`
- New artifact pattern:
  - `/home/piagent/backups/searxng/searxng-sanitized-config-<timestamp>.tar.gz`
  - `/home/piagent/backups/searxng/searxng-sanitized-config-<timestamp>.sha256`
- Sanitized backup contents:
  - `opt/searxng/docker-compose.yml`
  - `opt/searxng/searxng/settings.yml` with `secret_key: "__REGENERATE_ON_RESTORE__"`
  - `etc/systemd/system/searxng-compose.service`

## Verification Evidence

Observed successful results for artifact `searxng-sanitized-config-20260607T054700Z.tar.gz`:

```text
sha256sum -c searxng-sanitized-config-20260607T054700Z.sha256: OK
settings.yml secret_key line: secret_key: "__REGENERATE_ON_RESTORE__"
backup directory mode: 700
artifact/manifest mode: 600
direct SearXNG HTTP check: 200
reverse-proxy SearXNG HTTP check: 200
```

The public age recipient staging file previously copied to Nimrod for SearXNG was removed from `/home/piagent/backups/age-recipients/`. Existing historical encrypted SearXNG artifacts were left in place.

## Documentation Updates

Updated:

- `runbooks/searxng-homelab.md`
- `infra/proxmox-registry.yaml`
- `docs/service-backup-standard.md`
- `tickets/active/2026-06-07-service-backup-standard.md`
- `docs/server-change-log.md`

## Remaining Follow-up

Perform an isolated SearXNG sanitized restore/rebuild test. The restore test must generate a fresh `secret_key` before starting the restored service and must not use age identity.
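The sanitize/build/verify steps under Implemented Approach and Verification Evidence, plus the restore-side key regeneration this follow-up requires, as an added example. It is not the repo's `searxng-sanitized-backup-from-nimrod` helper; it assumes GNU coreutils, tar and sed, and uses a constructed sample tree in place of the CT 103 files.

```shell
# Added example, not the repo's searxng-sanitized-backup-from-nimrod helper.
# Paths and the sample tree are constructed; GNU coreutils/tar/sed assumed.
set -eu
PLACEHOLDER='__REGENERATE_ON_RESTORE__'

# sanitize_settings SRC DST: copy settings.yml with the live secret_key replaced.
# The live value is never echoed, logged or written anywhere else.
sanitize_settings() {
  sed -E "s/^([[:space:]]*secret_key:[[:space:]]*).*$/\1\"$PLACEHOLDER\"/" "$1" > "$2"
  chmod 600 "$2"
}

# build_sanitized_backup STAGE OUTDIR STAMP: tar the three files the plan lists
# and write the sha256 manifest, with the modes the verification evidence shows.
build_sanitized_backup() {
  name="searxng-sanitized-config-$3"
  mkdir -p "$2" && chmod 700 "$2"
  tar -C "$1" -czf "$2/$name.tar.gz" opt/searxng/docker-compose.yml \
    opt/searxng/searxng/settings.yml etc/systemd/system/searxng-compose.service
  (cd "$2" && sha256sum "$name.tar.gz" > "$name.sha256")
  chmod 600 "$2/$name.tar.gz" "$2/$name.sha256"
}

# verify_sanitized_backup OUTDIR STAMP: manifest check, placeholder check, modes.
verify_sanitized_backup() {
  name="searxng-sanitized-config-$2"
  (cd "$1" && sha256sum -c --quiet "$name.sha256") || return 1
  tar -xzOf "$1/$name.tar.gz" opt/searxng/searxng/settings.yml \
    | grep -qx "[[:space:]]*secret_key: \"$PLACEHOLDER\"" || return 1
  [ "$(stat -c %a "$1")" = 700 ] && [ "$(stat -c %a "$1/$name.tar.gz")" = 600 ]
}

# regenerate_secret_key SETTINGS: restore-side step; fails unless the placeholder
# is present and gone afterwards, so the service never starts with a known key.
regenerate_secret_key() {
  grep -q "$PLACEHOLDER" "$1" || return 1
  key="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  sed -i -E "s/^([[:space:]]*secret_key:[[:space:]]*).*$/\1\"$key\"/" "$1"
  ! grep -q "$PLACEHOLDER" "$1"
}

# Constructed sample tree standing in for the CT 103 files; runs offline.
STAGE="$(mktemp -d)"; LIVE="$(mktemp -d)"; OUTDIR="$(mktemp -d)/searxng"
mkdir -p "$STAGE/opt/searxng/searxng" "$STAGE/etc/systemd/system"
printf 'services:\n  searxng:\n    image: searxng/searxng\n' > "$STAGE/opt/searxng/docker-compose.yml"
printf '[Unit]\nDescription=SearXNG compose\n' > "$STAGE/etc/systemd/system/searxng-compose.service"
printf 'server:\n  secret_key: "constructed-live-key"\n  port: 8080\n' > "$LIVE/settings.yml"
sanitize_settings "$LIVE/settings.yml" "$STAGE/opt/searxng/searxng/settings.yml"
build_sanitized_backup "$STAGE" "$OUTDIR" 20260607T054700Z
verify_sanitized_backup "$OUTDIR" 20260607T054700Z && echo "sanitized backup verified in $OUTDIR"
```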
