feat(hosts/velarion): enable SearXNG

2026-04-12 18:06:42 +03:00 · 2026-04-12 18:06:42 +03:00 · 1c8bc1d422
commit 1c8bc1d422
parent 89c1059c9a
7 changed files with 35 additions and 99 deletions
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@ -51,6 +51,7 @@ in
            matrix = ns1;
            chat = ns1;
            turn = ns1;
+            search = ns1;
          };

          TXT = [
@ -136,6 +137,11 @@ in
      enable = true;
      domain = "roundcube.${domain}";
    };
+    searxng = {
+      enable = true;
+      domain = "search.${domain}";
+      port = 8888;
+    };
    synapse = {
      enable = true;
      element = {
--- a/services/default.nix
+++ b/services/default.nix
@ -15,6 +15,7 @@
    ./prosody
    ./redis
    ./roundcube
+    ./searxng
    ./synapse
    ./uptime-kuma
    ./vaultwarden
--- a/services/searxng/default.nix
+++ b/services/searxng/default.nix
@ -1,7 +1,6 @@
 {
  imports = [
-    ./firewall.nix
-    ./nginx.nix
+    ./network.nix
    ./options.nix
    ./service.nix
  ];
--- a/services/searxng/firewall.nix
+++ b/services/searxng/firewall.nix
@ -1,39 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  inherit (config.machine.prosody)
-    enable
-    ;
-in
-with lib;
-mkIf enable {
-  networking.firewall = {
-    allowedTCPPorts = [
-      # HTTP filer
-      80
-      443
-
-      # C2S
-      5222
-      5223
-
-      # S2S
-      5269
-      5270
-
-      # WebSockets / BOSH
-      5280
-      5281
-    ]
-    ++ concatLists (
-      with config.services.prosody;
-      [
-        httpPorts
-        httpsPorts
-      ]
-    );
-  };
-}
--- a/services/searxng/network.nix
+++ b/services/searxng/network.nix
@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.searxng;
+in
+with lib;
+mkIf enable {
+  networking.firewall = {
+    allowedTCPPorts = [ cfg.port ];
+  };
+
+  services.nginx.virtualHosts =
+    mkIf (cfg.domain != null) {
+      "${cfg.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString cfg.port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+}
--- a/services/searxng/nginx.nix
+++ b/services/searxng/nginx.nix
@ -1,57 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  inherit (config.machine.prosody)
-    enable
-    domain
-    ;
-
-  localhost = "http://localhost:5280";
-in
-with lib;
-mkIf enable {
-  security.acme.certs."${domain}".extraDomainNames = [
-    "conference.${domain}"
-    "upload.${domain}"
-  ];
-  users.groups.acme.members = [
-    "prosody"
-  ];
-  services.nginx.virtualHosts =
-    with lib;
-    mkIf (domain != null) {
-      "${domain}".locations = {
-        "= /xmpp-websocket" = {
-          proxyPass = localhost;
-          proxyWebsockets = true;
-        };
-        "= /http-bind".proxyPass = localhost;
-        "/push".proxyPass = localhost;
-        "= /.well-known/host-meta".proxyPass = localhost;
-        "= /.well-known/host-meta.json".proxyPass = localhost;
-      };
-      "conference.${domain}" = {
-        http3 = true;
-        quic = true;
-        forceSSL = true;
-        kTLS = true;
-        useACMEHost = domain;
-        sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
-        sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
-        locations."/".proxyPass = localhost;
-      };
-      "upload.${domain}" = {
-        http3 = true;
-        quic = true;
-        forceSSL = true;
-        kTLS = true;
-        useACMEHost = domain;
-        sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
-        sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
-        locations."/".proxyPass = localhost;
-      };
-    };
-}
--- a/services/searxng/options.nix
+++ b/services/searxng/options.nix
@ -10,7 +10,7 @@ with lib;
    };
    port = mkOption {
      type = types.port;
-      default = 4000;
+      default = 8888;
      description = "Listen port.";
    };
  };