diff --git a/machines/cj/configuration.nix b/machines/cj/configuration.nix
index f462250..3d8d823 100644
--- a/machines/cj/configuration.nix
+++ b/machines/cj/configuration.nix
@@ -204,6 +204,16 @@
       #media-session.enable = true;
     };
 
+    searx = {
+      enable = true;
+      redisCreateLocally = true;
+      settings.server = {
+        bind_address = "::1";
+        port = 6789;
+        secret_key = config.sops.secrets.searxng.key;
+      };
+    };
+
     syncthing = import ./syncthing.nix;
 
     tailscale = {
diff --git a/machines/cj/hardware-configuration-zfs.nix b/machines/cj/hardware-configuration-zfs.nix
index 984aae8..3cfa2c0 100644
--- a/machines/cj/hardware-configuration-zfs.nix
+++ b/machines/cj/hardware-configuration-zfs.nix
@@ -51,6 +51,12 @@
       neededForBoot = true;
     };
 
+  fileSystems."/tmp" =
+    { device = "rpool/nixos/tmp";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+
   fileSystems."/var/lib" =
     { device = "rpool/nixos/var/lib";
       fsType = "zfs";
diff --git a/secrets.yaml b/secrets.yaml
index 97fee5d..9b1472a 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -8,6 +8,8 @@ email:
         password: ENC[AES256_GCM,data:db0Wll4B8eXYc70dsIuYbw==,iv:2g4fE2GQyKxiVMkOQqOCPjAISdlXElvWYt0XKPEOWv0=,tag:73ymkTNGUlVccJFXjT40EA==,type:str]
 pihole:
     webpassword: ENC[AES256_GCM,data:bqBbGE5M4LUukMh7vQA=,iv:YhKaO2WQq5Ar9aKitgRTbDU2Ld2Cdc0wmrcQZ92lztY=,tag:UGnerGhtQBjO+n4LobdSyg==,type:str]
+searxng:
+    key: ENC[AES256_GCM,data:RayEL/8Pi7+j3T6fWRV142uw0P7Vlm15FWB14Lcfg/5xz+TpB6W4d8ivAM9ZTNG3CZGUwziAoP8qApYjxOeTqA==,iv:IecQ9nHuUaXa8B2y9Y/FryIbdq/oi5EbEuaZ4XaR4wg=,tag:cDJr1AVqG4tgtvPe6ujtxQ==,type:str]
 spotify:
     username: ENC[AES256_GCM,data:EXLRJXrHsP+k,iv:5pvHLVnrtG+oZEPZsBY/4/+b9QQEBTT7jiPvmkBHAWY=,tag:gcCJqgBd7b2+e2k0oIVY8w==,type:str]
     password: ENC[AES256_GCM,data:DHj06DfPU98C,iv:wxinj4sLt8rQ6hW4NtxIHQPnAJ3acXRXQHRsRaoiGR8=,tag:b7ota0m1gpwSZYSDY1Uj+A==,type:str]
@@ -19,10 +21,6 @@ wifi:
         PSKRAW_HOME=base64 output from wpa_passphrase
     env: ENC[AES256_GCM,data:a2m3FI0SmpbM2hhNbEdNhWWxgNyhXRDN9/LFiRMyFEr9Nf3NvkteZCdf/CCc81GAl/aKqqqCt49HQEiSRwzw2wc3XKmbQPxw6tmK4mCd4pP7YmPpg6tacLd8CzjtCG9J248W0qqTYUIU3+kuDcY6Tdp97KxJDINVbA==,iv:kXltdSsKkXwhIaWywFYMUGJCmMgaxv8FqhdBbjuyVSU=,tag:GvkevELXFKU31mmRGsFjDw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age16k5tturaeszpxugxawmfsxkrce2cfvp06s00eaxcee243anu4qysnjfr70
           enc: |
@@ -60,8 +58,7 @@ sops:
             WVUwaEIwWTFFTExyT3hLSC9wODhJdGcKWsNIUsT06qYA9vUVeFHQrCdcn2MkHt+w
             Rr7W+4uaNb8Qxo/NUp9kodE9m/fg9XVd8wM7HUP4wJC0rE4GSnFvGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-27T13:16:21Z"
-    mac: ENC[AES256_GCM,data:UkvaiVtsbMKNeMKlf6N6N0dxQWAUxT2VMQrhMJFqwdyRoFvTQ+4a27sXHIQgr+G+BAnsFBeWFjA3SS+YhHcDYCx1boXMhdoFeNjVZ2TUURX/KazcIwJNGmrt4qMK7BkfUu1mLa58pxie+XSY1MBRwByg7rnLaSJzNiWgqgLRGy0=,iv:7kBE0EKhvesWToa6+At0yWt1IzTWipv0fSvopA2PUXg=,tag:0e+5Gu5Ajw7r3AgeJLg+EQ==,type:str]
-    pgp: []
+    lastmodified: "2025-09-03T12:29:15Z"
+    mac: ENC[AES256_GCM,data:K7Q4h102XDk6s0jy6X3sRzIESbFnu8Z1I8u82yC2Xbfh8gHvQ+rqTjEC9sh+tmUpB9P8sQHA08FwPsQkiScY7CNVxXXeCzALJVS/qhLlOEC4PEOqUH2PZZHsDVslQtZT6JmB9mixCl69Ihx+CKt2+ddesXdGxuTGaH9cldORNQQ=,iv:RheBWo3bG9z+JAq2kg79ifaMRgRDNGyxHnCmMi7v/+U=,tag:CJUHJC68Cfi+whhy4McBqA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.10.2