From 98e7b984e118fe0f67b04e7a0ad41f19d50ff6a4 Mon Sep 17 00:00:00 2001 From: Joakim Repomaa Date: Fri, 29 May 2026 19:14:07 +0300 Subject: [PATCH] setup searxng --- hosts/freun-dev/secrets.nix | 1 + hosts/freun-dev/services.nix | 38 +++++++++++++++++++ modules/services/default.nix | 1 + modules/services/searx.nix | 70 +++++++++++++++++++++++++++++++++++ secrets/searx.age | Bin 0 -> 480 bytes secrets/secrets.nix | 1 + 6 files changed, 111 insertions(+) create mode 100644 modules/services/searx.nix create mode 100644 secrets/searx.age diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix index a11bfdb..bfc985b 100644 --- a/hosts/freun-dev/secrets.nix +++ b/hosts/freun-dev/secrets.nix @@ -32,6 +32,7 @@ "voidauth" "gitea" "gitea-actions-runner" + "searx" ] ) // { diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix index 51f0878..5c95b0e 100644 --- a/hosts/freun-dev/services.nix +++ b/hosts/freun-dev/services.nix @@ -387,6 +387,44 @@ in }; }; + searx = { + enable = true; + subdomain = "q"; + port = 3400; + environmentFile = secrets.searx.path; + settings = { + general = { + instance_name = "freun.dev SearXNG"; + }; + server = { + public_instance = true; + image_proxy = true; + method = "GET"; + secret_key = "$SEARX_SECRET_KEY"; + }; + engines = lib.mapAttrsToList (name: value: { inherit name; } // value) { + "google".disabled = true; + "duckduckgo".disabled = false; + "duckduckgo images".disabled = false; + "wolframalpha".disabled = false; + }; + search = { + formats = [ + "html" + "json" + ]; + }; + enabled_plugins = [ + "Basic Calculator" + "Hash plugin" + "Open Access DOI rewrite" + "Hostnames plugin" + "Unit converter plugin" + "Tracker URL remover" + ]; + }; + }; + webserver = { acme.dnsChallenge = true; tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net"; diff --git a/modules/services/default.nix b/modules/services/default.nix index 49f22e8..b683018 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix 
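Review bot: `method = "GET";` in the `server` block of the new `searx` entry puts every search term into the request URL, so on an instance marked `public_instance = true` the queries land in the reverse proxy's access log, in browser history and potentially in Referer headers. If bookmarkable result URLs are not a requirement, `method = "POST";` keeps the query out of those places. Otherwise a comment such as `# GET chosen deliberately: queries will appear in the vhost access log` would record the trade-off, and the access-log settings for that vhost are worth checking. The same entry also enables the `json` format on a public instance, which makes the endpoint convenient for automated clients, so it depends on the limiter configured in modules/services/searx.nix seeing the real client address.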
@@ -33,5 +33,6 @@ ./gitea.nix ./dhcp-dns-sync ./invidious-companion.nix + ./searx.nix ]; } diff --git a/modules/services/searx.nix b/modules/services/searx.nix new file mode 100644 index 0000000..7212bf8 --- /dev/null +++ b/modules/services/searx.nix @@ -0,0 +1,70 @@ +{ + pkgs-unstable, + config, + lib, + inputs, + ... +}: +let + cfg = config.services.searx; + fqdn = "${cfg.subdomain}.${config.networking.domain}"; +in +{ + disabledModules = [ "services/networking/searx.nix" ]; + + imports = [ + "${inputs.nixpkgs-unstable}/nixos/modules/services/networking/searx.nix" + ]; + + options.services.searx = { + port = lib.mkOption { + type = lib.types.int; + }; + subdomain = lib.mkOption { + type = lib.types.str; + }; + }; + + config = lib.mkIf cfg.enable { + services.searx = { + redisCreateLocally = true; + package = pkgs-unstable.searxng; + limiterSettings = { + botdetection = { + ipv4_prefix = 32; + ipv6_prefix = 56; + ip_limit = { + filter_link_local = true; + link_token = false; + }; + ip_lists = { + pass_ip = [ + "127.0.0.1/32" + "::1" + ]; + }; + trusted_proxies = [ + "127.0.0.0/8" + "::1" + ]; + }; + }; + settings = { + server = { + bind_address = "localhost"; + port = cfg.port; + limiter = true; + }; + }; + }; + + services.webserver.vHosts.${fqdn}.locations."/".proxyPort = cfg.port; + + # searx expects limiter.toml in the same directory as settings.yml (/run/searx) + systemd.services.searx-init.script = lib.mkAfter '' + ln -sf /etc/searxng/limiter.toml /run/searx/limiter.toml + ''; + + users.groups.searx.members = [ "nginx" ]; + }; +} 
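Review bot: The limiter's `pass_ip` list exempts `127.0.0.1/32` and `::1`, and every request reaches SearXNG from the local reverse proxy (`bind_address = "localhost"`), so rate limiting only works if the proxy forwards the client address and SearXNG honours it through `trusted_proxies`. The `services.webserver.vHosts` wrapper is not part of this patch, so whether it sets `X-Forwarded-For`/`X-Real-IP` cannot be seen here; if it does not, all traffic would match `pass_ip` and skip the limiter on an instance that services.nix marks public. I would either drop the `pass_ip` entries or add a comment like `# relies on the vhost setting X-Forwarded-For; without it every client matches pass_ip`. Separately, `port` could use `lib.types.port` instead of `lib.types.int`, and both new options lack a `description`. Adding `nginx` to the `searx` group also looks unnecessary when proxying over TCP via `proxyPort`; it presumably widens read access to files under /run/searx, so confirm it is needed.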
diff --git a/secrets/searx.age b/secrets/searx.age new file mode 100644 index 0000000000000000000000000000000000000000..b545da7a9b07619c2ed90d1930c3d5284867f502 GIT binary patch literal 480 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#RRRF*XQu ztjJHxP4Y1bOEL)#DoKop%1$#ZtjzUr^b9I6EY5QD%SbhJOXl(oO7u@Hj`S}{$q8{X z3-^l5%g8G-4RMW1^)q*N$w-gPa&gTtHSh~CGC{Y^#Vs>GBT&J_DKIM{qM+0$$*k1J zJ*m>j#ltr(%{?u=xXQw}&?m$o%Df^+KioCS$$-nHDzU=EJhVJ1x4_WR$K1!!Ge|!o zDIzQ*Ki|x<$X`3F+|si$HCf-X9K*JN5c9OObcJF^(==mW=S*$C?7V=Kw9*ihj6egg zJc}Z;0C%IrRL_De!~6>KNXsDOVlFqA#Ec}9p#0!)r;4)t60hLoybAa5?EK`=#3BCNie< literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 87b9276..bf204d2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -46,6 +46,7 @@ in "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ]; "invidious-companion.age".publicKeys = users ++ [ apu ]; "invidious.age".publicKeys = users ++ [ freun-dev ]; + "searx.age".publicKeys = users ++ [ freun-dev ]; "everii-vpn/de1.key.age".publicKeys = users ++ [ radish ]; "everii-vpn/ch1.key.age".publicKeys = users ++ [ radish ]; "everii-vpn/fi1.key.age".publicKeys = users ++ [ radish ];