From f160a3ebb6a8e9647b2b7716f76caab38eb02f82 Mon Sep 17 00:00:00 2001
From: eyjhb <eyjhbb@gmail.com>
Date: Tue, 17 Dec 2024 13:20:51 +0100
Subject: [PATCH] gerd: adds searx w/ authentication in front

---
 machines/gerd.nix                |  1 +
 machines/gerd/services/searx.nix | 48 ++++++++++++++++++++++++++++++++
 secrets/default.nix              |  3 ++
 secrets/searx/env.age            | 11 ++++++++
 secrets/secrets.nix              |  3 ++
 5 files changed, 66 insertions(+)
 create mode 100644 machines/gerd/services/searx.nix
 create mode 100644 secrets/searx/env.age

diff --git a/machines/gerd.nix b/machines/gerd.nix
index a8a7593..f49e3a6 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -21,6 +21,7 @@
     ./gerd/services/nextcloud.nix
     ./gerd/services/stalwart
     ./gerd/services/wger
+    ./gerd/services/searx.nix
 
     ./gerd/services/element.nix
     ./gerd/services/matrix-synapse.nix
diff --git a/machines/gerd/services/searx.nix b/machines/gerd/services/searx.nix
new file mode 100644
index 0000000..16e08db
--- /dev/null
+++ b/machines/gerd/services/searx.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+  svc_domain = "searx.${config.mine.shared.settings.domain}";
+  port = 7378;
+in {
+  services.searx = {
+    enable = true;
+    runInUwsgi = true;
+    redisCreateLocally = true;
+
+    environmentFile = config.age.secrets.searx-env.path;
+
+    uwsgiConfig.http = "127.0.0.1:${builtins.toString port}";
+    settings = {
+      general.debug = false;
+      server = {
+        base_url = "https://${svc_domain}";
+        secret_key = "@SECRET_KEY@";
+      };
+    };
+  };
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
+      proxyPass = "http://localhost:${builtins.toString port}";
+    };
+  };
+
+  # meta
+  mine.shared.meta.searx = {
+    name = "searX";
+    description = "We host our own searX, use it to search the web!";
+    url = "https://${svc_domain}";
+
+    package = let
+      pkg = config.services.searx.package;
+    in {
+      name = pkg.pname;
+      version = pkg.version;
+      meta = pkg.meta;
+    };
+  };
+}
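Review bot: The Authelia check exists only in the nginx vhost, while `uwsgiConfig.http = "127.0.0.1:${builtins.toString port}"` leaves searx answering plain HTTP on a loopback TCP port, so any local user or service on gerd can reach it without authenticating. If that is not intended, have uWSGI listen on a unix socket with restricted permissions (the module's `uwsgiConfig` accepts `socket` and `chmod-socket`) and point nginx at it; otherwise state the assumption in a comment such as `# auth is enforced by nginx/Authelia only; the loopback port itself is unauthenticated`. Separately, `proxyPass` uses `localhost` while uWSGI binds only `127.0.0.1`; where `localhost` also resolves to `::1`, nginx may try an address nothing listens on, so `proxyPass = "http://127.0.0.1:${builtins.toString port}";` is the safer spelling. A one-line comment next to `secret_key = "@SECRET_KEY@";` should also say that the placeholder is presumably filled from `environmentFile`, which must then define `SECRET_KEY`.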
diff --git a/secrets/default.nix b/secrets/default.nix
index f081463..a79f451 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -45,6 +45,9 @@
     # restic
     restic-env.file = ./restic/env.age;
     restic-pass.file = ./restic/pass.age;
+
+    # searx
+    searx-env.file = ./searx/env.age;
   };
 
   users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/searx/env.age b/secrets/searx/env.age
new file mode 100644
index 0000000..4c06708
--- /dev/null
+++ b/secrets/searx/env.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg fNc/NTcJ2bRYE0SIvKFIJG8mo9RrAvSxAB97RC+Gywg
+10OeGwUb1GaxvS6gOMh4yIJsTAq1Q7QoLasHp0OSzEo
+-> X25519 YSMcNwnLlqTImvRejhbowWVxTTo1bkhUL6BrQbXq7ns
+LLIOfY+u/qT/PVBIniGh+WztTwmHGJuY8cgWuqGEkhg
+-> ssh-ed25519 n8n9DQ Up+IltuGUo5c9MOGjrNV8tZH/CicwxKmRAJrlNL+bWw
+P3d/iYWJNDl5FedbSXUrtVtgZ8YJTx0BHToIzZqMnxM
+-> ssh-ed25519 BTp6UA 5fO9KgLtLJ2DEY4YuW5Ybt/BtziL1JmRUwJ0xYyMVhE
+uOqXkfhkjG9ocjEzboWKe39+18q+Dr1WRIppQA4B/h4
+--- rjsMU+9R21buoWlPfLWXxcBk5mHsSZ0H9uLgZTyS/9s
+@~��W�O�4@U�.�cR���b��:�D�������)]Xї�H�P]^��֐�F��4�=%�8K@bi�Ѽى��q�f��j�1OZ_n�
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bda44db..4f29f3b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,4 +55,7 @@ in
   # restic
   "restic/env.age".publicKeys = defaultAccess;
   "restic/pass.age".publicKeys = defaultAccess;
+
+  # searx
+  "searx/env.age".publicKeys = defaultAccess;
 }
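Review bot: `"searx/env.age".publicKeys = defaultAccess;` lets every key in `defaultAccess` decrypt the searx environment file, and the new `env.age` header lists four recipient stanzas, although only gerd runs the service. `defaultAccess` is defined outside this hunk, so this is an inference: if it includes host keys of other machines, a narrower list (gerd's host key plus the admin keys) would limit who can read the secret. The attribute set starts outside the hunk.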