From 15ce2146e3d184e951e06ecc39157c344177cfea Mon Sep 17 00:00:00 2001
From: pazpi
Date: Fri, 29 Nov 2024 16:15:22 +0100
Subject: [PATCH] feat: Add searXNG service with Prometheus monitoring integration
---
 modules/monitoring/prometheus.nix | 8 ++++
 modules/services/default.nix | 1 +
 modules/services/searx.nix | 71 ++++++++++++++++++++++++++++
 secrets.nix | 5 ++
 secrets/searx-prometheus-secret.age | Bin 0 -> 717 bytes
 secrets/searx-secret.age | Bin 0 -> 704 bytes
 6 files changed, 85 insertions(+)
 create mode 100644 modules/services/searx.nix
 create mode 100644 secrets/searx-prometheus-secret.age
 create mode 100644 secrets/searx-secret.age
diff --git a/modules/monitoring/prometheus.nix b/modules/monitoring/prometheus.nix
index 4763ee5..b813d12 100644
--- a/modules/monitoring/prometheus.nix
+++ b/modules/monitoring/prometheus.nix
@@ -62,6 +62,14 @@ in
 job_name = "caddy";
 static_configs = [ { targets = [ "caddy.internal:2024" ]; } ];
 }
+ {
+ job_name = "searxng";
+ static_configs = [ { targets = [ "searxng.internal:8080" ]; } ];
+ basic_auth = {
+ username = "searxng";
+ password_file = config.age.secrets.searx-prometheus-secret.path;
+ };
+ }
 ];
 };
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 679de8d..c43bdd4 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./media-mgr.nix
 ./nextcloud.nix
+ ./searx.nix
 ./vaultwarden.nix
 ];
 }
diff --git a/modules/services/searx.nix b/modules/services/searx.nix
new file mode 100644
index 0000000..44c0f27
--- /dev/null
+++ b/modules/services/searx.nix
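Review bot: In modules/monitoring/prometheus.nix the new `searxng` job reads `config.age.secrets.searx-prometheus-secret.path`, but nothing in this patch declares that secret for the metrics host: the diffstat gives this file 8 added lines, all of them the scrape job, and searx.nix only declares `searx-secret`. Unless a module outside this patch declares it, evaluation fails on the missing attribute, and with agenix defaults (root-owned, mode 0400) the Prometheus service could not read the file anyway. I would add `age.secrets.searx-prometheus-secret = { file = ../../secrets/searx-prometheus-secret.age; owner = "prometheus"; };` next to the scrape config, assuming the service runs as the `prometheus` user. The job also sends the basic-auth password over plain HTTP to `searxng.internal:8080`, so that path should stay on a trusted segment or be scraped over TLS through the proxy.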
@@ -0,0 +1,71 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.services.searx;
+in
+{
+
+ options.my.services.searx = {
+ enable = lib.mkEnableOption "Enable searXNG module";
+
+ proxy = {
+ enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+ domain = lib.mkOption {
+ default = "example.com";
+ type = lib.types.str;
+ description = ''
+ The domain where Caddy is reachable
+ '';
+ };
+
+ host = lib.mkOption {
+ default = "localhost";
+ type = lib.types.str;
+ description = ''
+ host name where the service is running
+ '';
+ };
+
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+
+ age.secrets.searx-secret.file = ../../secrets/searx-secret.age;
+
+ services.searcx = {
+ enable = true;
+ redisCreateLocally = true;
+ environmentFile = config.age.secrets.searx-secret.path;
+ settings = {
+ general = {
+ open_metrics = "@METRICS_SECRET@";
+ };
+
+ server = {
+ base_url = "https://search.${cfg.proxy.domain}";
+ bind_address = "::1";
+ port = 8080;
+ secret_key = "@SEARX_SECRET_KEY@";
+ };
+ };
+ };
+
+ })
+
+ (lib.mkIf cfg.proxy.enable {
+ services.caddy = with cfg.proxy; {
+ virtualHosts."search.${domain}".extraConfig = ''
+ reverse_proxy http://${host}:8080
+ import cloudflare
+ '';
+ };
+ })
+ ];
+}
diff --git a/secrets.nix b/secrets.nix
index 2f1f76d..4620d05 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,11 @@ let
 grafana-admin-pwd = [ machines.metrics ];
 nextcloud-admin-pwd = [ machines.nextcloud ];
 vaultwarden-admin-pwd = [ machines.vaultwarden ];
+ searx-secret = [ machines.search ];
+ searx-prometheus-secret = [
+ machines.search
+ machines.metrics
+ ];
 };
 in
 builtins.listToAttrs (
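Review bot: `services.searcx` in modules/services/searx.nix looks like a typo for the NixOS option `services.searx`; as written the module should fail to evaluate once `my.services.searx.enable` is set, so none of the settings under it take effect. Change the line to `services.searx = {`. Separately, `bind_address = "::1"` keeps the instance on loopback, yet the Prometheus job in this patch scrapes `searxng.internal:8080` and the Caddy block proxies to `http://${host}:8080` with a configurable host, so a scraper or proxy on another machine cannot reach the port. If the bind address is widened to fix that, port 8080 should be firewalled to the proxy and metrics hosts only, because the metrics password and search traffic would cross that link unencrypted. A short comment above `open_metrics` saying that `METRICS_SECRET` is presumably supplied through `environmentFile` and must match the Prometheus `password_file` would help the next reader.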
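Review bot: In secrets.nix, `searx-prometheus-secret` is encrypted to `machines.search` as well as `machines.metrics`, but the only consumer visible in this patch is the Prometheus `password_file` on the metrics side; searx.nix decrypts `searx-secret` alone. If the search host does not need it, `searx-prometheus-secret = [ machines.metrics ];` keeps the recipient list minimal. The same metrics password presumably also lives in `searx-secret` as `METRICS_SECRET`, so the two files have to be rotated together, and a comment on these entries saying so would prevent drift.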
diff --git a/secrets/searx-prometheus-secret.age b/secrets/searx-prometheus-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..545ceaebe6a7b560daae46f85503da420d98bceb GIT binary patch literal 717 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4=eQx4^#*#&Zsc6 zOeu;eDmF;+EOPZX2=XuwH81wfj&gU_PxVZx^mI3_C@b}IOXu5*}te_y&II6(ixzwwm$QRwV;7sFC?{WpxltfEycP|4!7wxQyKqpK6P$x$} zlc36MXCL$O9KR%skbHw&C%<6ta#t>YPwfixq(HNj@PM+Y%z%t+&*D<;Dp$v3Q>UCL zi^71a%2MqD%QSQSU=wuPj6>axOUo7fi`)$?y)uoxk}3nkQ>&aZT*^a=lMTX?5}nO0 z%BymcygdqC!-~A~9UZxnEW(nEE2G?ea|{B~13iPw3bVaale5c9%_G9|+zm|hBMjZm zQVJvTG6T_V^K#87$q!UWDvS(IOfxc1j4VjYEcPtcj&wAPOfz>f@r#Ubb_xy8Ni*>Z zHA@e0&WYqIOAm1_@+mh?&2p(KtVk=!axRZ5c8g3h^7OANFE!D2t#XevNVhcB_s-_h z)zwwV^Dl~wDi6yybuKYYFVC=a%k#1DD)Y{EHp&mPFgG(v$_uaX2=;PM$|&dhWHBM+ zw3EyIJ)fss{p!ACR?pkC6ow1wY!eH)Z9DnTtp2?rdPkXjtjXe_q$zuU?TC16`RKQa y?aChw&oB1Iv8D*rCLYPkJ+p!Rib+SS@vKW+HuH>^ygdHM^K$5dPrDl0bIkxFi1}Cm literal 0 HcmV?d00001 diff --git a/secrets/searx-secret.age b/secrets/searx-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..5a5c95ece84a0f95151ce09f62177eb911f98771 GIT binary patch literal 704 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4=eQx4^;5aD5!8Y zs&F;VuFNko3o$iM_OEnvG)yTja&olL_i*ux3{KIn%qus~^5n|THnYgCGEX;lN^>`i za;yx>%q#PD_w_L>(M}BuHZCqt%62vNtH>$$D@V62IMX=PyIi3_J2=0>Jt{{(D#xif z*QL1FHPdXICWoxn_GMmF0yd zdRG*=n{ess>MEogSvp4<21QmHpf`NQE*JT$D z-fh>et