feat(services/searxng): add secret key

2026-04-12 18:41:27 +03:00 · 2026-04-12 18:41:27 +03:00 · 7e0dd5acd2
commit 7e0dd5acd2
parent 181c0dfa6b
4 changed files with 35 additions and 3 deletions
--- a/services/searxng/default.nix
+++ b/services/searxng/default.nix
@ -3,5 +3,6 @@
    ./network.nix
    ./options.nix
    ./service.nix
+    ./secrets.nix
  ];
 }
--- a/services/searxng/secrets.nix
+++ b/services/searxng/secrets.nix
@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.searxng;
+in
+with lib;
+mkIf cfg.enable {
+  sops.secrets = {
+    "searxng/secretKey" = {
+      sopsFile = ./../../secrets/common.yaml;
+      owner = config.users.users.matrix-synapse.name;
+      inherit (config.users.users.matrix-synapse) group;
+    };
+  };
+  sops.templates.searxng-env = {
+    owner = config.users.users.matrix-synapse.name;
+    inherit (config.users.users.matrix-synapse) group;
+    restartUnits = [ "matrix-synapse.service" ];
+    content = ''
+      SEARXNG_SECRET_KEY=${config.sops.placeholder."searxng/secretKey"};
+    '';
+  };
+}
--- a/services/searxng/service.nix
+++ b/services/searxng/service.nix
@ -12,6 +12,8 @@ mkIf cfg.enable {
  services.searx = {
    enable = true;
    redisCreateLocally = true;
+    domain = cfg.domain;
+    environmentFile = config.sops.secrets.searx.path;

    # Rate limiting
    limiterSettings = {
@ -65,7 +67,8 @@ mkIf cfg.enable {
      # Server configuration
      server = {
        base_url = if cfg.domain != null then "https://${cfg.domain}" else null end;
-        port = cfg.port;
+        secret_key = "@SEARXNG_SECRET_KEY@";
+        inherit (cfg) port;
        bind_address = "127.0.0.1";
        limiter = true;
        public_instance = true;