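# NixOS module: runs SearXNG (package taken from nixpkgs-unstable) bound to
# localhost with the request limiter enabled, and publishes it through the
# local web server under <subdomain>.<networking.domain>.
{ pkgs-unstable, config, lib, inputs, ... }:
let
  cfg = config.services.searx;
  # Host name of the virtual host that fronts the instance.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
in
{
  # Use the searx module from nixpkgs-unstable in place of the one shipped
  # with the system's own nixpkgs.
  disabledModules = [ "services/networking/searx.nix" ];
  imports = [ "${inputs.nixpkgs-unstable}/nixos/modules/services/networking/searx.nix" ];

  options.services.searx = {
    port = lib.mkOption {
      # types.port (16-bit unsigned) rejects out-of-range values at evaluation
      # time instead of letting them reach settings.yml and the proxy config.
      type = lib.types.port;
      description = "TCP port SearXNG listens on (localhost only); the virtual host proxies to it.";
    };
    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "Subdomain of networking.domain under which the instance is served.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.searx = {
      redisCreateLocally = true;
      package = pkgs-unstable.searxng;

      limiterSettings = {
        botdetection = {
          # Clients are grouped per single IPv4 address and per IPv6 /56.
          ipv4_prefix = 32;
          ipv6_prefix = 56;

          ip_limit = {
            # Link-local addresses are rate limited like any other client.
            filter_link_local = true;
            link_token = false;
          };

          ip_lists = {
            # Loopback clients skip the limiter entirely.
            pass_ip = [ "127.0.0.1/32" "::1" ];
          };

          # Forwarded client-address headers are honoured only when the request
          # arrives from loopback, i.e. from the local reverse proxy.
          # NOTE(review): this relies on the vhost forwarding the real client
          # address (X-Forwarded-For / X-Real-IP). If it does not, every request
          # is seen as coming from 127.0.0.1, which is in pass_ip, and the
          # limiter is effectively off. Verify against services.webserver.
          trusted_proxies = [ "127.0.0.0/8" "::1" ];
        };
      };

      settings = {
        server = {
          # Reachable only through the reverse proxy, never directly.
          bind_address = "localhost";
          port = cfg.port;
          limiter = true;
          # NOTE(review): server.secret_key is not set in this module;
          # presumably it is supplied elsewhere (e.g. via environmentFile) so
          # that it stays out of the world-readable Nix store. Confirm.
        };
      };
    };

    services.webserver.vHosts.${fqdn}.locations."/".proxyPort = cfg.port;

    # searx expects limiter.toml in the same directory as settings.yml (/run/searx)
    systemd.services.searx-init.script = lib.mkAfter ''
      ln -sf /etc/searxng/limiter.toml /run/searx/limiter.toml
    '';

    # NOTE(review): SearXNG is reached over TCP (proxyPort) in this module, so
    # it is not evident here what nginx needs the searx group for. Membership
    # gives nginx access to anything group-readable for searx (presumably
    # including the generated settings under /run/searx). Confirm it is
    # required and drop it otherwise.
    users.groups.searx.members = [ "nginx" ];
  };
}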