dotfiles/modules/nixos/services/searx/default.nix

{
  flake,
  lib,
  config,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services.instances) searx web;
  configHelpers = {
    service = searx;
    hostname = config.networking.hostName;
    localhost = web.localhost.address0;
    host = configHelpers.service.domains.url0;
  };
  configPath = ./config;
  configImports = {
    general = import (configPath + /general.nix);
    ui = import (configPath + /ui.nix);
    search = import (configPath + /search.nix);
    server = import (configPath + /server.nix) { inherit config flake configHelpers; };
    engines = import (configPath + /engines.nix) { inherit lib; };
    outgoing = import (configPath + /outgoing.nix);
    enabled_plugins = import (configPath + /plugins.nix);
  };

in
{
  services =
    {
      searx = {
        enable = true;
        redisCreateLocally = true;
        uwsgiConfig = {
          socket = "/run/searx/searx.sock";
          http = ":${builtins.toString configHelpers.service.ports.port0}";
          chmod-socket = "660";
        };
        settings = configImports;
      };
    }
    // (
      if configHelpers.hostname == ceres.name then
        {
          caddy = {
            virtualHosts = {
              "${configHelpers.host}" = {
                extraConfig = ''
                  @allowed_ips {
                    remote_ip 10.100.0.2
                  }
                  respond @not_allowed 403

                  redir /.well-known/carddav /remote.php/dav/ 301
                  redir /.well-known/caldav /remote.php/dav/ 301

                  reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0}

                  tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
                '';
              };
            };
          };
        }
      else
        { }
    );

  users.groups.searx.members = [ "caddy" ];
  # systemd.services.caddy.serviceConfig.ProtectHome = false;

  sops =
    let
      sopsPath = secret: {
        path = "${configHelpers.service.sops.path0}/${configHelpers.service.name}-${secret}";
        owner = configHelpers.service.name;
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map
          (secret: {
            name = "${configHelpers.service.name}-${secret}";
            value = sopsPath secret;
          })
          [
            "key"
          ]
      );
    };

  networking = {
    firewall = {
      interfaces.wg0.allowedTCPPorts = [
        configHelpers.service.ports.port0
      ];
    };
  };
}
feat: init 2025-03-29 23:08:26 -05:00			`{`
			`flake,`
			`lib,`
			`config,`
			`...`
			`}:`
			`let`
			`inherit (flake.config.machines.devices) ceres;`
			`inherit (flake.config.services.instances) searx web;`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`configHelpers = {`
			`service = searx;`
			`hostname = config.networking.hostName;`
			`localhost = web.localhost.address0;`
			`host = configHelpers.service.domains.url0;`
			`};`
			`configPath = ./config;`
			`configImports = {`
			`general = import (configPath + /general.nix);`
			`ui = import (configPath + /ui.nix);`
			`search = import (configPath + /search.nix);`
			`server = import (configPath + /server.nix) { inherit config flake configHelpers; };`
			`engines = import (configPath + /engines.nix) { inherit lib; };`
			`outgoing = import (configPath + /outgoing.nix);`
			`enabled_plugins = import (configPath + /plugins.nix);`
			`};`

feat: init 2025-03-29 23:08:26 -05:00			`in`
			`{`
			`services =`
			`{`
			`searx = {`
			`enable = true;`
			`redisCreateLocally = true;`
			`uwsgiConfig = {`
			`socket = "/run/searx/searx.sock";`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`http = ":${builtins.toString configHelpers.service.ports.port0}";`
feat: init 2025-03-29 23:08:26 -05:00			`chmod-socket = "660";`
			`};`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`settings = configImports;`
feat: init 2025-03-29 23:08:26 -05:00			`};`
			`}`
			`// (`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`if configHelpers.hostname == ceres.name then`
feat: init 2025-03-29 23:08:26 -05:00			`{`
			`caddy = {`
			`virtualHosts = {`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`"${configHelpers.host}" = {`
feat: init 2025-03-29 23:08:26 -05:00			`extraConfig = ''`
feat: wireguard test 2025-07-01 04:34:25 -05:00			`@allowed_ips {`
			`remote_ip 10.100.0.2`
			`}`
			`respond @not_allowed 403`
feat: wireguard test 2025-07-01 04:32:00 -05:00
feat: init 2025-03-29 23:08:26 -05:00			`redir /.well-known/carddav /remote.php/dav/ 301`
			`redir /.well-known/caldav /remote.php/dav/ 301`

feat: wireguard test 2025-07-01 04:11:32 -05:00			`reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0}`
feat: init 2025-03-29 23:08:26 -05:00
feat: wireguard test 2025-07-01 04:11:32 -05:00			`tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}`
feat: init 2025-03-29 23:08:26 -05:00			`'';`
			`};`
			`};`
			`};`
			`}`
			`else`
			`{ }`
			`);`

			`users.groups.searx.members = [ "caddy" ];`
			`# systemd.services.caddy.serviceConfig.ProtectHome = false;`

			`sops =`
			`let`
			`sopsPath = secret: {`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`path = "${configHelpers.service.sops.path0}/${configHelpers.service.name}-${secret}";`
			`owner = configHelpers.service.name;`
feat: init 2025-03-29 23:08:26 -05:00			`mode = "600";`
			`};`
			`in`
			`{`
			`secrets = builtins.listToAttrs (`
			`map`
			`(secret: {`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`name = "${configHelpers.service.name}-${secret}";`
feat: init 2025-03-29 23:08:26 -05:00			`value = sopsPath secret;`
			`})`
			`[`
			`"key"`
			`]`
			`);`
			`};`

			`networking = {`
			`firewall = {`
feat: wireguard test 2025-07-01 04:32:00 -05:00			`interfaces.wg0.allowedTCPPorts = [`
feat: wireguard test 2025-07-01 04:11:32 -05:00			`configHelpers.service.ports.port0`
feat: init 2025-03-29 23:08:26 -05:00			`];`
			`};`
			`};`
			`}`