From b7a0f8c314ea23fd2ae6bea8e0036ebf3c85d807 Mon Sep 17 00:00:00 2001 From: Nick Date: Sat, 8 Mar 2025 02:39:46 -0600 Subject: [PATCH] feat: added searXNG to Ceres --- modules/nixos/services/searx/default.nix | 59 ++++++++++++++++++++---- 1 file changed, 49 insertions(+), 10 deletions(-) diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix index f1a4099..cedda66 100644 --- a/modules/nixos/services/searx/default.nix +++ b/modules/nixos/services/searx/default.nix @@ -149,7 +149,55 @@ in virtualHosts = { "${host}" = { extraConfig = '' - handle /* { + @api { + path /config + path /healthz + path /stats/errors + path /stats/checker + } + + @static { + path /static/* + } + + @notstatic { + not path /static/* + } + + @imageproxy { + path /image_proxy + } + + @notimageproxy { + not path /image_proxy + } + + header @api { + Access-Control-Allow-Methods "GET, OPTIONS" + Access-Control-Allow-Origin "*" + } + + header @static { + Cache-Control "public, max-age=31536000" + defer + } + + header @notstatic { + Cache-Control "no-cache, no-store" + Pragma "no-cache" + } + + header @imageproxy { + Content-Security-Policy "default-src 'none'; img-src 'self' data:" + } + + header @notimageproxy { + Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" + } + + handle { + encode zstd gzip + reverse_proxy unix/${config.services.searx.uwsgiConfig.socket} { transport unix transport protocol uwsgi 
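Review bot: The matcher-scoped `header` blocks added here cover only CORS, caching and CSP, while the second hunk deletes the unconditional `header { … }` block, so this Caddy config no longer sends `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options` or `Referrer-Policy` on any response. `frame-ancestors 'self'` stands in for the framing header on `@notimageproxy` responses only (`default-src 'none'` on `/image_proxy` does not restrict framing), and HSTS, nosniff and the referrer policy have no replacement unless the SearXNG application sets them itself, which this diff does not show. I would keep an unconditional `header` block next to the new ones carrying at least those three, with the referrer line tightened to `Referrer-Policy "no-referrer"` so the instance's origin is not sent to result sites. It is also worth confirming that `Access-Control-Allow-Origin "*"` on `/config` and `/stats/*` is wanted if this instance is not meant to be public. The `handle` block opened at the end of the hunk closes outside it.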
@@ -157,15 +205,6 @@ in
 }
 tls ${service.ssl.cert} ${service.ssl.key}
-
- encode zstd gzip
-
- header {
- Strict-Transport-Security "max-age=31536000;"
- X-Content-Type-Options "nosniff"
- X-Frame-Options "DENY"
- Referrer-Policy "no-referrer-when-downgrade"
- }
 '';
 };
 };