feat(services/searxng): add secret key
Some checks failed
Nix CI / build (push) Failing after 1m0s

Rustam Efimov 2026-04-12 18:41:27 +03:00
parent 181c0dfa6b
commit 7e0dd5acd2
No known key found for this signature in database
4 changed files with 35 additions and 3 deletions


@ -19,6 +19,8 @@ matrix:
signingKey: ENC[AES256_GCM,data:DdTsNPxrma6o/1BgsZlk/E6hDewNnU8AbukKR65U1b4WvS+YF3ffCRqYU7i1AMpbgUgf43H5bhlUTw==,iv:uTdZ5Rqf1/XCusoICInGp25CFDIanUzbl23K22ASDmI=,tag:vO7KGumD5slZrDCx134oCQ==,type:str] signingKey: ENC[AES256_GCM,data:DdTsNPxrma6o/1BgsZlk/E6hDewNnU8AbukKR65U1b4WvS+YF3ffCRqYU7i1AMpbgUgf43H5bhlUTw==,iv:uTdZ5Rqf1/XCusoICInGp25CFDIanUzbl23K22ASDmI=,tag:vO7KGumD5slZrDCx134oCQ==,type:str]
turn: turn:
authSecret: ENC[AES256_GCM,data:MjeCwd8CTugY5SccIOPMhGPwSurPiWnqlxmAVlMxSAWDMtngFwmyCl97ixW8BRMYTZy2iaml2AGlWrDyV42JgsFhvohYx/H3bsWFgKC2pO+PxHtC0syYKiuRWj2V8+mIb8wcsr//2L7O9gCTKBnyrwYbv8hG8J3SLfHqFDCBhX5dyzKCht6wjnhJOU3ZXN+foZHCyapOEqoY75K4oeVJxsWRCI9T/VPhuiH3QyosjTiyNBXYhz8UWYG+tpuh4AY7IPmHYeof04BqiuojjjTjaSuy+2v2QHVR2RSDJ6kCb4QkqwwsoGaDujm3el4xnduzRwLh60yZeNPFscKIylHi6A==,iv:Hq6yM3iurnj2TVjyvQb6iaUD+MRjas3bTFkht/mZ2Iw=,tag:YeR2fdglcdRKNgMZizGgOg==,type:str] authSecret: ENC[AES256_GCM,data:MjeCwd8CTugY5SccIOPMhGPwSurPiWnqlxmAVlMxSAWDMtngFwmyCl97ixW8BRMYTZy2iaml2AGlWrDyV42JgsFhvohYx/H3bsWFgKC2pO+PxHtC0syYKiuRWj2V8+mIb8wcsr//2L7O9gCTKBnyrwYbv8hG8J3SLfHqFDCBhX5dyzKCht6wjnhJOU3ZXN+foZHCyapOEqoY75K4oeVJxsWRCI9T/VPhuiH3QyosjTiyNBXYhz8UWYG+tpuh4AY7IPmHYeof04BqiuojjjTjaSuy+2v2QHVR2RSDJ6kCb4QkqwwsoGaDujm3el4xnduzRwLh60yZeNPFscKIylHi6A==,iv:Hq6yM3iurnj2TVjyvQb6iaUD+MRjas3bTFkht/mZ2Iw=,tag:YeR2fdglcdRKNgMZizGgOg==,type:str]
searxng:
secretKey: ENC[AES256_GCM,data:GTp13sKrjVndBm5L8sT6Yio+a3j5s5odH7xkuku9sXj0N7Nlju1k3rXsljZ8jpZSWOxGqJ+4xl6zilmKl5B7ib20E5tAGie2Fwmxr2UUJiM4w9w/hpM0p81AZxc8qrKQe98jxwlrYIaS0E3aXmQgq5JeAQ7NaGvLaSTCGbctgtU=,iv:nFSF6jmjFyRTrxH90fS7nPl1z0E57AvCgo5dbpHnPPk=,tag:fk5KPqGanjRAdH+54PsK+w==,type:str]
remote-build: remote-build:
publicKey: ENC[AES256_GCM,data:NxHuASqi56IftFCJKLjw1mbTedT87T05frAdM8HEEHPDcxC5pkcf+KTiNFTZHlfaI4/ZHI86LowK1PsHaS9CDOflwY4R8x6nT+Ysz0ff0udXzfrWR9qknHBWbvUEowunCU+/,iv:3j5TrIi0Rej6VYb7lRsPTxL+jHCqvvPMKptQ9r+vm2Q=,tag:84n/Sc5KOiZ49EZW8Ya9nA==,type:str] publicKey: ENC[AES256_GCM,data:NxHuASqi56IftFCJKLjw1mbTedT87T05frAdM8HEEHPDcxC5pkcf+KTiNFTZHlfaI4/ZHI86LowK1PsHaS9CDOflwY4R8x6nT+Ysz0ff0udXzfrWR9qknHBWbvUEowunCU+/,iv:3j5TrIi0Rej6VYb7lRsPTxL+jHCqvvPMKptQ9r+vm2Q=,tag:84n/Sc5KOiZ49EZW8Ya9nA==,type:str]
privateKey: ENC[AES256_GCM,data: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,iv:HuCYE3EwVJbc6a6VB9liWMAKZvk6Wbs6S2hrNj2SseQ=,tag:KPP3KWtF6jZ7D18Bx3PXrA==,type:str] privateKey: ENC[AES256_GCM,data:bLE+T+s0b/+TqNUpDZ2kTYQwDlflCGeFhqsuq6Mc/og7TFn4JRfFxCR0B0glvbuMJs4GM/v+IERIRUNolVmg3u1Sqc6mmWXM5pKlba3NXsZW/MxzOeLgsiUQFnhEyo1rEmAqNr0CQH1fTbiOiBYLxEpnAvz2Swggd7wXUDhM5NrlQeVUSnsyET12Nc/WH7K5YRyIEa/KjIvjo3DWPzUuWcqwQ39f7j17uutjwdfirAsojakmW/jfd/SI7/9oqC5MI5Uwnk4DqmNGviO1SHRHQQ9cGlA5WYVw3kIzW8faEaygbKxbzJYTpoO3jljZKEn/Xakj6rpmCeKKGbKB7JoZbMI2ye3GSj/W77kYLj6QaMuDBy7BqLo6CytFKTUl+QxmXkOWngzLDA8VhKzZVIRIjIQTB5d+82f77ztXLvPkq7AOEOhd9ySRZHC23yPPjLpzl+BcmxLSDzNrTah2LcfaNAUptN3VvgHcl3uNjKRdTj9aJ4ERXeExVjDqsIKRczg0mklYwGbjQNtqCfu68Z61oX3C57LiIwa2ByTp,iv:HuCYE3EwVJbc6a6VB9liWMAKZvk6Wbs6S2hrNj2SseQ=,tag:KPP3KWtF6jZ7D18Bx3PXrA==,type:str]
@ -81,7 +83,7 @@ sops:
eXNxVEZzUW5lR0dqaUhMTWJmcWJNUHMKXZuzo97FE43+c+KcxibO9bcFA+4omTjB eXNxVEZzUW5lR0dqaUhMTWJmcWJNUHMKXZuzo97FE43+c+KcxibO9bcFA+4omTjB
LQUFFMxenelJ1MWawmUhCeJ13rKjk3EEeTbEav14EF1WzYd4bZgbZQ== LQUFFMxenelJ1MWawmUhCeJ13rKjk3EEeTbEav14EF1WzYd4bZgbZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-01T15:24:24Z" lastmodified: "2026-04-12T15:41:05Z"
mac: ENC[AES256_GCM,data:oeeZ+KgndGH/hIcUQcdgN6JEFXmXh5BggWgTRhnlmFS3C3IN5so5y2bg7IgOGz8BE9TZbi5/y20EQGTXjuvG0zDA8eDktgps5rzap/ZzVCVUsNthG6X6YKAtzpSEZY+xKUf0ubCSEz3LtcWkGJkFJjZDor3GSfSkEax9+ml2V0w=,iv:5GpY2egRT2zxzaR5ywAhegcCJdk8gDTOXQF2+aj2X+I=,tag:EIBtEQ3SoSnikuP2SjGCgA==,type:str] mac: ENC[AES256_GCM,data:SSUVwVduh7Kk0SlGPTFivwfonFkRB2pfGr7D45wFHpTuViRvc4pD5lbAjsytEY26IMJE8N8hZCHuUQpdEzAVDx0j71rX7ak6bhxCu6gTMntmUzvW+J3BSTtr5/FU/X7AbQxAiotv4Th3dH6oChraTrE0LQ1QXlpRpH5Y8pedLfQ=,iv:6GIo40HYxfRMxSc5upcDQCOfH/eHTOk+gfYstQEPTpU=,tag:QwEOOMzJLOt5TuSAAzQtJA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2


@ -3,5 +3,6 @@
./network.nix ./network.nix
./options.nix ./options.nix
./service.nix ./service.nix
./secrets.nix
]; ];
} }


@ -0,0 +1,26 @@
{
config,
lib,
...
}:
let
cfg = config.machine.searxng;
in
with lib;
mkIf cfg.enable {
sops.secrets = {
"searxng/secretKey" = {
sopsFile = ./../../secrets/common.yaml;
owner = config.users.users.matrix-synapse.name;
inherit (config.users.users.matrix-synapse) group;
};
};
sops.templates.searxng-env = {
owner = config.users.users.matrix-synapse.name;
inherit (config.users.users.matrix-synapse) group;
restartUnits = [ "matrix-synapse.service" ];
content = ''
SEARXNG_SECRET_KEY=${config.sops.placeholder."searxng/secretKey"};
'';
};
}
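Review bot: Both the `"searxng/secretKey"` secret and the `searxng-env` template are owned by `config.users.users.matrix-synapse` and set `restartUnits = [ "matrix-synapse.service" ]`, which looks carried over from the Matrix module. As written, the Synapse account can read the SearXNG secret key, and a key change restarts Synapse rather than the search service. Ownership should follow the account the search service runs as, e.g. `owner = config.users.users.searx.name;` with `inherit (config.users.users.searx) group;`, and `restartUnits` should name the searx unit this host actually runs (confirm the unit name against the module in use). Since only the rendered template is consumed in this commit, the raw secret probably needs no non-root owner at all. The trailing `;` in `SEARXNG_SECRET_KEY=${config.sops.placeholder."searxng/secretKey"};` is kept as part of the value by environment-file parsing and is probably unintended.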


@ -12,6 +12,8 @@ mkIf cfg.enable {
services.searx = { services.searx = {
enable = true; enable = true;
redisCreateLocally = true; redisCreateLocally = true;
domain = cfg.domain;
environmentFile = config.sops.secrets.searx.path;
# Rate limiting # Rate limiting
limiterSettings = { limiterSettings = {
@ -65,7 +67,8 @@ mkIf cfg.enable {
# Server configuration # Server configuration
server = { server = {
base_url = if cfg.domain != null then "https://${cfg.domain}" else null end; base_url = if cfg.domain != null then "https://${cfg.domain}" else null end;
port = cfg.port; secret_key = "@SEARXNG_SECRET_KEY@";
inherit (cfg) port;
bind_address = "127.0.0.1"; bind_address = "127.0.0.1";
limiter = true; limiter = true;
public_instance = true; public_instance = true;
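Review bot: In the first hunk, `environmentFile = config.sops.secrets.searx.path;` refers to a `sops.secrets.searx` entry that this commit never declares; the new secrets.nix defines only `"searxng/secretKey"` and the template `searxng-env`. The reference will likely fail evaluation (possibly what the failing CI build reflects), and a raw secret path would not supply a `SEARXNG_SECRET_KEY=` line in any case. It should read `environmentFile = config.sops.templates.searxng-env.path;`, so that `secret_key = "@SEARXNG_SECRET_KEY@";` in the second hunk is substituted with the real key rather than left as the literal placeholder string. The enclosing `services.searx` block starts and ends outside the hunks.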