nix

configuration files that power my machines
Log | Files | Refs | README | LICENSE

searxng.nix (1867B)


      1 {
      2   config,
      3   lib,
      4   pkgs,
      5   haravara,
      6   ...
      7 }: let
      8   cfg = config.services.haravara.searxng;
      9 in {
     10   options.services.haravara.searxng = {
     11     enable = lib.mkEnableOption "SearXNG search engine";
     12     domain = lib.mkOption {
     13       type = lib.types.str;
     14       description = "Domain for the SearXNG instance";
     15     };
     16     authLabel = haravara.authLabelOption;
     17     port = lib.mkOption {
     18       type = lib.types.port;
     19       default = 8899;
     20       description = "Port for SearXNG to listen on";
     21     };
     22     bindAddress = lib.mkOption {
     23       type = lib.types.str;
     24       default = "127.0.0.1";
     25       description = "Address for SearXNG to bind to";
     26     };
     27     secretKeyFile = lib.mkOption {
     28       type = lib.types.path;
     29       description = "Path to file containing SEARX_SECRET_KEY";
     30     };
     31   };
     32 
     33   config = lib.mkIf cfg.enable {
     34     services.searx = {
     35       enable = true;
     36       package = pkgs.searxng;
     37       redisCreateLocally = true;
     38       environmentFile = cfg.secretKeyFile;
     39       settings = {
     40         server = {
     41           inherit (cfg) port;
     42           bind_address = cfg.bindAddress;
     43           secret_key = "@SEARX_SECRET_KEY@";
     44         };
     45         ui = {
     46           static_use_hash = true;
     47           default_theme = "simple";
     48         };
     49       };
     50     };
     51 
     52     services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
     53       ${haravara.mkAuthImport cfg.authLabel}
     54       header {
     55         Strict-Transport-Security "max-age=31536000; includeSubDomains"
     56         X-Content-Type-Options "nosniff"
     57         X-Frame-Options "DENY"
     58         Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'"
     59         -Server
     60       }
     61       reverse_proxy ${cfg.bindAddress}:${toString cfg.port}
     62     '';
     63   };
     64 }