dotfiles/modules/nixos/services/searx/default.nix

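# NixOS module for the searx metasearch service.
#
# What this file does:
#   * enables services.searx with settings assembled from ./config/*.nix;
#   * on the host whose name equals ceres.name, adds a Caddy virtual host that
#     reverse-proxies to the service port using the configured TLS cert and key;
#   * adds the "caddy" user to the "searx" group;
#   * declares one sops secret, "<service name>-key", owned by the service user;
#   * opens the service port in the firewall.
{
  flake,
  lib,
  config,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services.instances) searx web;

  # Values shared by this module and ./config/server.nix.
  configHelpers = {
    service = searx;
    hostname = config.networking.hostName;
    localhost = web.localhost.address0;
    host = configHelpers.service.domains.url0;
  };

  # TCP port used by the uWSGI http listener, the Caddy upstream and the
  # firewall rule below.
  servicePort = configHelpers.service.ports.port0;

  configPath = ./config;

  # Each attribute becomes one top-level section of the searx settings.
  configImports = {
    general = import (configPath + /general.nix);
    ui = import (configPath + /ui.nix);
    search = import (configPath + /search.nix);
    server = import (configPath + /server.nix) { inherit config flake configHelpers; };
    engines = import (configPath + /engines.nix) { inherit lib; };
    outgoing = import (configPath + /outgoing.nix);
    enabled_plugins = import (configPath + /plugins.nix);
  };
in
{
  services =
    {
      searx = {
        enable = true;
        redisCreateLocally = true;
        # NOTE(review): in the nixpkgs searx module uwsgiConfig is only used when
        # the service runs under uWSGI (the `runInUwsgi` switch in the releases
        # I know). That switch is not set in this file. Confirm it is enabled
        # elsewhere; otherwise these three settings have no effect and the
        # listener is whatever ./config/server.nix defines.
        uwsgiConfig = {
          socket = "/run/searx/searx.sock";
          # NOTE(review): ":<port>" has no address part, so uWSGI listens on
          # every interface, and the firewall rule at the bottom of this file
          # opens the same port. The backend is therefore reachable over plain
          # HTTP without passing through Caddy/TLS. If Caddy is meant to be the
          # only entry point, bind to the loopback address and drop the firewall
          # rule. Confirm whether direct access is intended.
          http = ":${toString servicePort}";
          # Owner and group may read and write the socket; others get nothing.
          chmod-socket = "660";
        };
        settings = configImports;
      };
    }
    # The TLS front end exists only on the host named by ceres.name; on any
    # other host this contributes an empty set.
    // lib.optionalAttrs (configHelpers.hostname == ceres.name) {
      caddy = {
        virtualHosts = {
          "${configHelpers.host}" = {
            # This vhost only proxies to searx. The CardDAV/CalDAV
            # ".well-known" redirects to /remote.php/dav/ belong to a Nextcloud
            # vhost and could only ever land on the searx backend here, so they
            # are not part of this config.
            extraConfig = ''
              reverse_proxy ${configHelpers.localhost}:${toString servicePort}
              tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
            '';
          };
        };
      };
    };

  # NOTE(review): presumably this lets Caddy reach the 660 unix socket above,
  # but the vhost proxies over TCP, so nothing in this file needs the
  # membership. It is also applied on hosts where the Caddy vhost is not
  # configured. Drop or gate it if the socket is not used (least privilege).
  users.groups.searx.members = [ "caddy" ];

  # Left commented out, so the Caddy unit's ProtectHome setting is not
  # overridden by this module.
  # systemd.services.caddy.serviceConfig.ProtectHome = false;

  sops =
    let
      # Attributes for one secret: the file lives under the service's sops
      # path and is readable and writable by the service user only.
      sopsPath = secret: {
        path = "${configHelpers.service.sops.path0}/${configHelpers.service.name}-${secret}";
        owner = configHelpers.service.name;
        mode = "600";
      };
    in
    {
      # NOTE(review): this file never reads the secret's path. Presumably
      # ./config/server.nix (which receives `config`) or an environment file
      # defined elsewhere consumes it. Verify, or the instance may be running
      # without the intended secret key.
      secrets = builtins.listToAttrs (
        map
          (secret: {
            name = "${configHelpers.service.name}-${secret}";
            value = sopsPath secret;
          })
          [
            "key"
          ]
      );
    };

  networking = {
    firewall = {
      # NOTE(review): this opens the backend port on every host that imports
      # this module, including the one where Caddy already fronts it with TLS.
      # See the note on uwsgiConfig.http.
      allowedTCPPorts = [
        servicePort
      ];
    };
  };
}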