RuJect/nixos-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(hosts/velarion): enable SearXNG
Some checks failed
Nix CI / build (push) Failing after 1m36s
Details

Browse source
This commit is contained in:
Rustam Efimov 2026-04-12 18:06:42 +03:00
parent 89c1059c9a
commit 1c8bc1d422
No known key found for this signature in database
7 changed files with 35 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hosts/velarion/machine.nix
View file

@ -51,6 +51,7 @@ in
matrix = ns1; matrix = ns1;
chat = ns1; chat = ns1;
turn = ns1; turn = ns1;
search = ns1;
}; };
TXT = [ TXT = [
@ -136,6 +137,11 @@ in
enable = true; enable = true;
domain = "roundcube.${domain}"; domain = "roundcube.${domain}";
}; };
searxng = {
enable = true;
domain = "search.${domain}";
port = 8888;
};
synapse = { synapse = {
enable = true; enable = true;
element = { element = {

1
services/default.nix
View file

@ -15,6 +15,7 @@
./prosody ./prosody
./redis ./redis
./roundcube ./roundcube
./searxng
./synapse ./synapse
./uptime-kuma ./uptime-kuma
./vaultwarden ./vaultwarden

3
services/searxng/default.nix
View file

@ -1,7 +1,6 @@
{ {
imports = [ imports = [
./firewall.nix ./network.nix
./nginx.nix
./options.nix ./options.nix
./service.nix ./service.nix
]; ];

39
services/searxng/firewall.nix
View file

@ -1,39 +0,0 @@
{
config,
lib,
...
}:
let
inherit (config.machine.prosody)
enable
;
in
with lib;
mkIf enable {
networking.firewall = {
allowedTCPPorts = [
# HTTP filer
80
443
# C2S
5222
5223
# S2S
5269
5270
# WebSockets / BOSH
5280
5281
]
++ concatLists (
with config.services.prosody;
[
httpPorts
httpsPorts
]
);
};
}

26
services/searxng/network.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
...
}:
let
cfg = config.machine.searxng;
in
with lib;
mkIf enable {
networking.firewall = {
allowedTCPPorts = [ cfg.port ];
};
services.nginx.virtualHosts =
mkIf (cfg.domain != null) {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:${toString cfg.port}";
proxyWebsockets = true;
};
};
};
}

57
services/searxng/nginx.nix
View file

@ -1,57 +0,0 @@
{
config,
lib,
...
}:
let
inherit (config.machine.prosody)
enable
domain
;
localhost = "http://localhost:5280";
in
with lib;
mkIf enable {
security.acme.certs."${domain}".extraDomainNames = [
"conference.${domain}"
"upload.${domain}"
];
users.groups.acme.members = [
"prosody"
];
services.nginx.virtualHosts =
with lib;
mkIf (domain != null) {
"${domain}".locations = {
"= /xmpp-websocket" = {
proxyPass = localhost;
proxyWebsockets = true;
};
"= /http-bind".proxyPass = localhost;
"/push".proxyPass = localhost;
"= /.well-known/host-meta".proxyPass = localhost;
"= /.well-known/host-meta.json".proxyPass = localhost;
};
"conference.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
};
"upload.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
};
};
}

2
services/searxng/options.nix
View file

@ -10,7 +10,7 @@ with lib;
}; };
port = mkOption { port = mkOption {
type = types.port; type = types.port;
default = 4000; default = 8888;
description = "Listen port."; description = "Listen port.";
}; };
}; };