From 1c8bc1d422d8f8b200ceafcebde10ba13a418488 Mon Sep 17 00:00:00 2001
From: Rustam Efimov
Date: Sun, 12 Apr 2026 18:06:42 +0300
Subject: [PATCH] feat(hosts/velarion): enable SearXNG
---
 hosts/velarion/machine.nix | 6 ++++
 services/default.nix | 1 +
 services/searxng/default.nix | 3 +-
 services/searxng/firewall.nix | 39 ------------------------
 services/searxng/network.nix | 26 ++++++++++++++++
 services/searxng/nginx.nix | 57 -----------------------------------
 services/searxng/options.nix | 2 +-
 7 files changed, 35 insertions(+), 99 deletions(-)
 delete mode 100644 services/searxng/firewall.nix
 create mode 100644 services/searxng/network.nix
 delete mode 100644 services/searxng/nginx.nix
diff --git a/hosts/velarion/machine.nix b/hosts/velarion/machine.nix
index d438145..145b0e6 100644
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@@ -51,6 +51,7 @@ in
 matrix = ns1;
 chat = ns1;
 turn = ns1;
+ search = ns1;
 };
 TXT = [
@@ -136,6 +137,11 @@ in
 enable = true;
 domain = "roundcube.${domain}";
 };
+ searxng = {
+ enable = true;
+ domain = "search.${domain}";
+ port = 8888;
+ };
 synapse = {
 enable = true;
 element = {
diff --git a/services/default.nix b/services/default.nix
index 8760ef3..410d70f 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -15,6 +15,7 @@
 ./prosody
 ./redis
 ./roundcube
+ ./searxng
 ./synapse
 ./uptime-kuma
 ./vaultwarden
diff --git a/services/searxng/default.nix b/services/searxng/default.nix
index 9a28810..16b18a3 100644
--- a/services/searxng/default.nix
+++ b/services/searxng/default.nix
@@ -1,7 +1,6 @@
 {
 imports = [
- ./firewall.nix
- ./nginx.nix
+ ./network.nix
 ./options.nix
 ./service.nix
 ];
diff --git a/services/searxng/firewall.nix b/services/searxng/firewall.nix
deleted file mode 100644
index df51a26..0000000
--- a/services/searxng/firewall.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (config.machine.prosody)
- enable
- ;
-in
-with lib;
-mkIf enable {
- networking.firewall = {
- allowedTCPPorts = [
- # HTTP filer
- 80
- 443
-
- # C2S
- 5222
- 5223
-
- # S2S
- 5269
- 5270
-
- # WebSockets / BOSH
- 5280
- 5281
- ]
- ++ concatLists (
- with config.services.prosody;
- [
- httpPorts
- httpsPorts
- ]
- );
- };
-}
diff --git a/services/searxng/network.nix b/services/searxng/network.nix
new file mode 100644
index 0000000..d7953f5
--- /dev/null
+++ b/services/searxng/network.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.machine.searxng;
+in
+with lib;
+mkIf enable {
+ networking.firewall = {
+ allowedTCPPorts = [ cfg.port ];
+ };
+
+ services.nginx.virtualHosts =
+ mkIf (cfg.domain != null) {
+ "${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/services/searxng/nginx.nix b/services/searxng/nginx.nix
deleted file mode 100644
index 254b1e1..0000000
--- a/services/searxng/nginx.nix
+++ /dev/null
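Review bot: In the new services/searxng/network.nix, `allowedTCPPorts = [ cfg.port ];` opens the SearXNG backend port on the host firewall even though the vhost added in the same file reaches it over loopback via `proxyPass = "http://[::1]:${toString cfg.port}";`. If the service binds to anything other than loopback (service.nix is not part of this diff, so this is unconfirmed), the instance is reachable over plain HTTP on that port, bypassing `forceSSL` and any nginx-level controls. Dropping the `networking.firewall` block here and keeping the backend loopback-only would leave nginx as the single entry point. Separately, `mkIf enable {` uses a name this file never binds: the `let` defines only `cfg`, and `with lib;` is not expected to supply `enable`, so evaluation would likely fail; it should read `mkIf cfg.enable {`.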
@@ -1,57 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (config.machine.prosody)
- enable
- domain
- ;
-
- localhost = "http://localhost:5280";
-in
-with lib;
-mkIf enable {
- security.acme.certs."${domain}".extraDomainNames = [
- "conference.${domain}"
- "upload.${domain}"
- ];
- users.groups.acme.members = [
- "prosody"
- ];
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}".locations = {
- "= /xmpp-websocket" = {
- proxyPass = localhost;
- proxyWebsockets = true;
- };
- "= /http-bind".proxyPass = localhost;
- "/push".proxyPass = localhost;
- "= /.well-known/host-meta".proxyPass = localhost;
- "= /.well-known/host-meta.json".proxyPass = localhost;
- };
- "conference.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
- };
- "upload.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
- };
- };
-}
diff --git a/services/searxng/options.nix b/services/searxng/options.nix
index 264de26..9823334 100644
--- a/services/searxng/options.nix
+++ b/services/searxng/options.nix
@@ -10,7 +10,7 @@ with lib;
 };
 port = mkOption {
 type = types.port;
- default = 4000;
+ default = 8888;
 description = "Listen port.";
 };
 };