diff --git a/hosts/modules/searxng.nix b/hosts/modules/searxng.nix new file mode 100644 index 0000000..bbd7e38 --- /dev/null +++ b/hosts/modules/searxng.nix @@ -0,0 +1,164 @@ +{ + pkgs, + lib, + ... +}: let + domain = null; + acmeEmail = null; + envFile = "/var/lib/searx/searxng.env"; +in { + services.searx = { + enable = true; + package = pkgs.searxng; + redisCreateLocally = true; + environmentFile = envFile; + runInUwsgi = false; + settings = { + server = { + bind_address = "127.0.0.1"; + port = 11212; + limiter = true; + image_proxy = true; + base_url = lib.mkIf (domain != null) "https://${domain}"; + }; + ui = { + default_locale = "en"; + default_theme = "simple"; + }; + search = { + safe_search = 0; + autocomplete = "google"; + default_engine = "google_web"; + default_categories = ["general" "it" "images" "videos" "map"]; + }; + enabled_plugins = ["hash" "self_info" "tracker_url_remover" "hostname_replace"]; + engines = [ + { + name = "duckduckgo_web"; + engine = "duckduckgo"; + disabled = false; + categories = ["general"]; + weight = 0.9; + timeout = 3.0; + } + { + name = "google_web"; + engine = "google"; + disabled = false; + categories = ["general"]; + weight = 0.75; + timeout = 4.0; + } + { + name = "bing_web"; + engine = "bing"; + disabled = false; + categories = ["general"]; + weight = 0.4; + timeout = 4.0; + } + { + name = "wikipedia"; + engine = "wikipedia"; + disabled = false; + categories = ["general"]; + timeout = 3.0; + } + { + name = "wikibooks"; + engine = "wikibooks"; + disabled = false; + categories = ["general"]; + timeout = 3.0; + } + { + name = "wiktionary"; + engine = "wiktionary"; + disabled = false; + categories = ["general"]; + timeout = 3.0; + } + { + name = "github_code"; + engine = "github"; + disabled = false; + categories = ["it"]; + timeout = 4.0; + } + { + name = "wikicommons_img"; + engine = "wikicommons"; + disabled = false; + categories = ["images"]; + timeout = 4.0; + } + { + name = "youtube_video"; + engine = "youtube"; + disabled = false; + categories = ["videos"]; + timeout = 5.0; + } + { + name = "peertube_video"; + engine = "peertube"; + disabled = false; + categories = ["videos"]; + timeout = 5.0; + } + { + name = "openstreetmap"; + engine = "openstreetmap"; + disabled = false; + categories = ["map"]; + timeout = 4.0; + } + { + name = "google_maps"; + engine = "google_maps"; + disabled = false; + categories = ["map"]; + timeout = 4.0; + } + ]; + }; + limiterSettings.real_ip = { + x_for = 1; + ipv4_prefix = 32; + ipv6_prefix = 56; + }; + }; + systemd.services.searx-secret = { + description = "Generate SearXNG secret"; + wantedBy = ["multi-user.target"]; + before = ["searx-init.service" "searx.service"]; + serviceConfig = { + Type = "oneshot"; + User = "root"; + Group = "root"; + }; + script = '' + set -euo pipefail + install -d -m 0750 -o searx -g searx /var/lib/searx + if [ ! -f ${envFile} ]; then + umask 0077 + echo "SEARXNG_SECRET=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > ${envFile} + chown searx:searx ${envFile} + chmod 0640 ${envFile} + fi + ''; + }; + systemd.services.searx-init = { + wants = ["searx-secret.service"]; + after = ["searx-secret.service"]; + }; + systemd.services.searx = { + wants = ["searx-secret.service"]; + after = ["searx-secret.service"]; + }; + users.groups.searx.members = ["nginx"]; + security.acme = lib.mkIf (domain != null) { + acceptTerms = true; + defaults = lib.mkIf (acmeEmail != null) {email = acmeEmail;}; + }; +} diff --git a/hosts/system-packages.nix b/hosts/system-packages.nix index 97f997e..c0d6bf6 100644 --- a/hosts/system-packages.nix +++ b/hosts/system-packages.nix @@ -28,6 +28,7 @@ ./modules/libs.nix ./modules/rgb.nix ./modules/nano.nix + ./modules/searxng.nix ]; npm.enable = true; services.udisks2.enable = true;