diff --git a/config/hosts/searx/configuration.nix b/config/hosts/searx/configuration.nix
new file mode 100644
index 0000000..1216183
--- /dev/null
+++ b/config/hosts/searx/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "searx";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 8443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix
new file mode 100644
index 0000000..ee2a678
--- /dev/null
+++ b/config/hosts/searx/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ./searx.nix
+ ];
+}
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
new file mode 100644
index 0000000..a84c171
--- /dev/null
+++ b/config/hosts/searx/nginx.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."searx.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
+ };
+ extraConfig = ''
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix
new file mode 100644
index 0000000..cdb9940
--- /dev/null
+++ b/config/hosts/searx/searx.nix
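Review bot: In config/hosts/searx/configuration.nix, `allowedTCPPorts = [ 80 8443 ];` opens 8443 to every source, while nginx.nix in this commit expects that port to carry PROXY protocol and trusts only 10.202.41.100 for the client address. Any other host that can reach this machine can connect to 8443 directly and bypass the front proxy; whether such hosts exist depends on network layout that is not visible here. Consider dropping 8443 from `allowedTCPPorts` and admitting it only from 10.202.41.100 with a source-restricted rule in `networking.firewall.extraCommands`, plus a comment naming the proxy host.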
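Review bot: In config/hosts/searx/nginx.nix, `locations."/"` sets only `proxyPass`, so nothing visible in this hunk forwards the client address or the original Host header to SearXNG. searx.nix in this commit sets `limiter = true`, and the limiter identifies clients by the forwarded address headers (`X-Real-IP` / `X-Forwarded-For`). Without them every request would appear to come from 127.0.0.1, so rate limiting cannot tell clients apart. If it is not already enabled in shared configuration outside this diff, add `recommendedProxySettings = true;` under `services.nginx`, so that nginx passes on the address restored by `real_ip_header proxy_protocol`.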
@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ redisCreateLocally = true;
+ settings = {
+ general = {
+ debug = false;
+ instance_name = "SearXNG";
+ };
+ server = {
+ bind_address = "127.0.0.1";
+ port = 8080;
+ base_url = "https://searx.nekover.se";
+ limiter = true;
+ image_proxy = true;
+ secret_key = "@SEARX_SECRET_KEY@";
+ };
+ search = {
+ safe_search = 0;
+ autocomplete = "duckduckgo";
+ };
+ ui.static_use_hash = true;
+ enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ];
+ };
+ environmentFile = "/secrets/searx-secret-key.secret";
+ };
+}
diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix
new file mode 100644
index 0000000..38231fc
--- /dev/null
+++ b/config/hosts/searx/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."searx-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 122a4b2..907cdb8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -27,6 +27,7 @@
 mewtube.nekover.se 127.0.0.1:8443;
 nekover.se 127.0.0.1:8443;
 nix-cache.nekover.se 10.202.41.121:8443;
+ searx.nekover.se 10.202.41.105:8443;
 social.nekover.se 10.202.41.104:8443;
 }
 server {
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 9cd0be4..eaf7188 100644
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
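Review bot: In config/hosts/searx/secrets.nix, `permissions = "0640";` with `group = "root";` grants a group read bit that nothing visible needs. The file is consumed as `environmentFile` in searx.nix, which systemd presumably reads as root, so `permissions = "0400";` should be enough; confirm against the generated service unit. Because the file is used as an environment file, the `pass` entry has to hold a `SEARX_SECRET_KEY=<value>` line rather than the bare key. A one-line comment above `keyCommand` stating that format would guard against the `@SEARX_SECRET_KEY@` placeholder in searx.nix silently not being replaced with the real key.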
@@ -7,6 +7,7 @@ let
 "matrix.nekover.se" = "matrix.vs.grzb.de";
 "netbox.grzb.de" = "netbox.vs.grzb.de";
 "grafana.grzb.de" = "metrics.vs.grzb.de";
+ "searx.nekover.se" = "searx.vs.grzb.de";
 "turn.nekover.se" = "coturn.vs.grzb.de";
 };
 in
diff --git a/hosts.nix b/hosts.nix
index 4f00d17..194cc45 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -89,6 +89,11 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ searx = {
+ hostNixpkgs = nixpkgs-unstable;
+ site = "vs";
+ environment = "proxmox";
+ };
 tor-relay = {
 site = "vs";
 environment = "proxmox";
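Review bot: In hosts.nix the new `searx` entry sets `hostNixpkgs = nixpkgs-unstable;` with no comment saying why, and the lines visible for the neighbouring entries carry no such override. For an internet-facing host the channel choice affects how security fixes and breaking changes arrive, so the reason should be recorded next to the setting, for example `# unstable needed for pkgs.searxng` if that is the motivation. The enclosing attribute set starts and ends outside the hunk.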