searxng.nix (1867B)
1 { 2 config, 3 lib, 4 pkgs, 5 haravara, 6 ... 7 }: let 8 cfg = config.services.haravara.searxng; 9 in { 10 options.services.haravara.searxng = { 11 enable = lib.mkEnableOption "SearXNG search engine"; 12 domain = lib.mkOption { 13 type = lib.types.str; 14 description = "Domain for the SearXNG instance"; 15 }; 16 authLabel = haravara.authLabelOption; 17 port = lib.mkOption { 18 type = lib.types.port; 19 default = 8899; 20 description = "Port for SearXNG to listen on"; 21 }; 22 bindAddress = lib.mkOption { 23 type = lib.types.str; 24 default = "127.0.0.1"; 25 description = "Address for SearXNG to bind to"; 26 }; 27 secretKeyFile = lib.mkOption { 28 type = lib.types.path; 29 description = "Path to file containing SEARX_SECRET_KEY"; 30 }; 31 }; 32 33 config = lib.mkIf cfg.enable { 34 services.searx = { 35 enable = true; 36 package = pkgs.searxng; 37 redisCreateLocally = true; 38 environmentFile = cfg.secretKeyFile; 39 settings = { 40 server = { 41 inherit (cfg) port; 42 bind_address = cfg.bindAddress; 43 secret_key = "@SEARX_SECRET_KEY@"; 44 }; 45 ui = { 46 static_use_hash = true; 47 default_theme = "simple"; 48 }; 49 }; 50 }; 51 52 services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' 53 ${haravara.mkAuthImport cfg.authLabel} 54 header { 55 Strict-Transport-Security "max-age=31536000; includeSubDomains" 56 X-Content-Type-Options "nosniff" 57 X-Frame-Options "DENY" 58 Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'" 59 -Server 60 } 61 reverse_proxy ${cfg.bindAddress}:${toString cfg.port} 62 ''; 63 }; 64 }