Add searxng module

README.org

@@ -41,10 +41,12 @@ This guide documents the process for a minimal installation of NixOS on a Proxmo
 - [[#optional-nixos-modules][Optional NixOS Modules]]
   - [[#reverse-proxies][Reverse Proxies]]
   - [[#file-servers][File Servers]]
+  - [[#search-engines][Search Engines]]
 - [[#notes-and-configuration-details][Notes and Configuration Details]]
   - [[#disko-configuration-for-proxmox-mbr-boot][Disko Configuration for Proxmox (MBR Boot)]]
   - [[#generating-hardware-configuration][Generating Hardware Configuration]]
 - [[#todos][TODOs]]
+- [[#inspiration][Inspiration]]
 
 * Prerequisites on the Target VM
 Before attempting to install NixOS with =nixos-anywhere=, you must first perform a critical setup step on the target Proxmox VM.
@@ -158,7 +160,7 @@ dov = {
 
 ** File Servers
 *** copyparty
-Provides a web-based file manager.
+Provides a web-based file manager. For more information, see the [[https://github.com/9001/copyparty][official documentation]].
 #+begin_src nix
 dov = {
   file-server.copyparty.enable = true;
@@ -172,6 +174,15 @@ dov = {
 };
 #+end_src
 
+** Search Engines
+*** searxng
+A privacy-respecting metasearch engine. For more information, see the [[https://wiki.nixos.org/wiki/SearXNG][NixOS Wiki page]].
+#+begin_src nix
+dov = {
+  searxng.enable = true;
+};
+#+end_src
+
 * Notes and Configuration Details
 ** Disko Configuration for Proxmox (MBR Boot)
 A critical requirement for ensuring a NixOS VM can boot correctly in Proxmox is the disk partition scheme. Proxmox expects a Master Boot Record (MBR) compatible setup.
@@ -224,3 +235,7 @@ nix run github:nix-community/nixos-anywhere -- \
 - [ ] Refactor the =disko= configuration to make the disk device name (e.g., =/dev/sda=) a variable. This will avoid hardcoding the value and make the configuration more portable.
 - [ ] Create a custom ISO image to streamline the installation process, potentially pre-configuring items like the root user to avoid manual console steps.
 - [ ] Develop an automated installation script to handle the post-install process, such as fetching the AGE key and updating sops, based on [[https://unmovedcentre.com/posts/remote-install-nixos-config/#update-sops-file][this guide]].
+
+* Inspiration
+The configuration and structure of this setup were inspired by the following repository:
+- [[https://github.com/notthebee/nix-config][notthebee/nix-config]]

main/default.nix

@@ -151,6 +151,8 @@ in {
     file-server.copyparty.enable = true;
 
     samba.enable = true;
+
+    searxng.enable = true;
   };
 
   # DO NOT CHANGE AT ANY POINT!

main/secrets/secrets.yaml

@@ -15,6 +15,7 @@ copyparty:
     admin_password: ENC[AES256_GCM,data:VlHcQB1Z1/wSUi8yCEpcW+i8h3c=,iv:mystE6THTS50LzV/TPm+QtZ1C87Vxtx+W9jVzcGAnSM=,tag:8nxtbklHwJnI7VHjJA55dQ==,type:str]
     alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str]
 smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str]
+searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str]
 sops:
     age:
         - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
@@ -35,7 +36,7 @@ sops:
             NHdWQnlGbk43WS80VDkxV0o4TE5uSUUK0WSdFzR3u0pLUYHXaTMrtBm0sKKe9ZPG
             nF90b/jv66WGIH1n2oFaaohCkd7DZGzSpr0+KsqX6pkszYnp39YC5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-27T18:42:07Z"
+    lastmodified: "2025-07-27T19:16:54Z"
-    mac: ENC[AES256_GCM,data:EP1ziiWZ3hPCbjLtPdLccL4csnNmLqtQkhwn8x5bwXuqIU9Q8U6+nXIorAG2Ck28hyjnAjHyYMbJcSSrNOVHroA5Xnlps65975WuKe3akNF6n6Nz+gTDQgEzIpxwYD2rEFNutCNN4EhESzh13lvsvdkxTCsFLjZzwQ4DSuVId24=,iv:f2jM71VXiShEkTUOtfONhMIeR6JnC3xpUN2zXJvdDLo=,tag:s62lb8GtrHHBj6ferphGog==,type:str]
+    mac: ENC[AES256_GCM,data:SlHu8gnDv7QluHvgiz4OORZ5X1ooQu3OYvw8l1xfmfA/lUSMpALzzAgzmKjniEamCVcgQubj11I5LpRpUZOKzL5VmhbCONPknxCDTGgILf1gJlV3NhmEymChGgyrxItqCABA+hjXY0RlFGdNCTdeYwWJAIi/a1jzKYcWiGURTr8=,iv:GFGUYDftz5S9OQYU/iyOJLCSye+QuLowar35hgoivlw=,tag:8kv/OLeMzR1PAK4BCj0E2Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

modules/default.nix

@@ -7,5 +7,6 @@
     ./social
     ./file-server
     ./samba
+    ./searxng
   ];
 }

modules/reverse-proxy/traefik/default.nix

@@ -53,10 +53,10 @@ in {
             acme = {
               email = "susano@local.com";
               storage = "/var/lib/traefik/acme.json"; # Where Traefik stores certs
-              # Use the DNS-01 challenge with the DuckDNS provider
+
               dnsChallenge = {
                 provider = "duckdns";
-                disablePropagationCheck = true;
+                #disablePropagationCheck = true;
               };
             };
           };
@@ -91,6 +91,13 @@ in {
               service = "copyparty-service";
               tls.certResolver = "duckdns";
             };
+
+            searxng = mkIf config.dov.searxng.enable {
+              rule = "Host(`searxng.${domain}`)";
+              entryPoints = [ "websecure" ];
+              service = "serxng-service";
+              tls.certResolver = "duckdns";
+            };
           };
 
           services = {
@@ -104,7 +111,14 @@ in {
             copyparty-service = mkIf config.dov.file-server.copyparty.enable {
               loadBalancer.servers = [
                 # The backend URL for Immich
-                { url = "http://192.168.1.85:3923"; }
+                { url = "http://susano:3923"; }
+              ];
+            };
+
+            serxng-service = mkIf config.dov.searxng.enable {
+              loadBalancer.servers = [
+                # The backend URL for Immich
+                { url = "http://susano:8888"; }
               ];
             };
           };

modules/searxng/default.nix

@@ -0,0 +1,181 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.dov.searxng;
+  port = 8888;
+in {
+  options.dov.searxng = {
+    enable = mkEnableOption "searxng config";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ port ];
+
+    sops.secrets.searxng = { };
+
+    services.searx = {
+      enable = cfg.enable;
+      redisCreateLocally = true;
+
+      # Rate limiting
+      limiterSettings = {
+        real_ip = {
+          x_for = 1;
+          ipv4_prefix = 32;
+          ipv6_prefix = 56;
+        };
+
+        botdetection = {
+          ip_limit = {
+            filter_link_local = true;
+            link_token = true;
+          };
+        };
+      };
+
+      # UWSGI configuration
+      runInUwsgi = true;
+
+      uwsgiConfig = {
+        socket = "/run/searx/searx.sock";
+        http = ":${ builtins.toString port}";
+        chmod-socket = "660";
+      };
+
+      # Searx configuration
+      settings = {
+        # Instance settings
+        general = {
+          debug = false;
+          instance_name = "NixOS SearXNG";
+          donation_url = false;
+          contact_url = false;
+          privacypolicy_url = false;
+          enable_metrics = false;
+        };
+
+        # User interface
+        ui = {
+          static_use_hash = true;
+          default_locale = "en";
+          query_in_title = true;
+          infinite_scroll = false;
+          center_alignment = true;
+          default_theme = "simple";
+          theme_args.simple_style = "auto";
+          search_on_category_select = false;
+          hotkeys = "vim";
+        };
+
+        # Search engine settings
+        search = {
+          safe_search = 2;
+          autocomplete_min = 2;
+          autocomplete = "duckduckgo";
+          ban_time_on_fail = 5;
+          max_ban_time_on_fail = 120;
+        };
+
+        # Server configuration
+        server = {
+          base_url = "https://searng.susano-nixos.duckdns.org";
+          port = port;
+          bind_address = "127.0.0.1";
+          secret_key = config.sops.secrets.searxng.path;
+          limiter = true;
+          public_instance = true;
+          image_proxy = true;
+          method = "GET";
+        };
+
+        # Search engines
+        engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
+          "duckduckgo".disabled = true;
+          "brave".disabled = true;
+          "bing".disabled = false;
+          "mojeek".disabled = true;
+          "mwmbl".disabled = false;
+          "mwmbl".weight = 0.4;
+          "qwant".disabled = true;
+          "crowdview".disabled = false;
+          "crowdview".weight = 0.5;
+          "curlie".disabled = true;
+          "ddg definitions".disabled = false;
+          "ddg definitions".weight = 2;
+          "wikibooks".disabled = false;
+          "wikidata".disabled = false;
+          "wikiquote".disabled = true;
+          "wikisource".disabled = true;
+          "wikispecies".disabled = false;
+          "wikispecies".weight = 0.5;
+          "wikiversity".disabled = false;
+          "wikiversity".weight = 0.5;
+          "wikivoyage".disabled = false;
+          "wikivoyage".weight = 0.5;
+          "currency".disabled = true;
+          "dictzone".disabled = true;
+          "lingva".disabled = true;
+          "bing images".disabled = false;
+          "brave.images".disabled = true;
+          "duckduckgo images".disabled = true;
+          "google images".disabled = false;
+          "qwant images".disabled = true;
+          "1x".disabled = true;
+          "artic".disabled = false;
+          "deviantart".disabled = false;
+          "flickr".disabled = true;
+          "imgur".disabled = false;
+          "library of congress".disabled = false;
+          "material icons".disabled = true;
+          "material icons".weight = 0.2;
+          "openverse".disabled = false;
+          "pinterest".disabled = true;
+          "svgrepo".disabled = false;
+          "unsplash".disabled = false;
+          "wallhaven".disabled = false;
+          "wikicommons.images".disabled = false;
+          "yacy images".disabled = true;
+          "bing videos".disabled = false;
+          "brave.videos".disabled = true;
+          "duckduckgo videos".disabled = true;
+          "google videos".disabled = false;
+          "qwant videos".disabled = false;
+          "dailymotion".disabled = true;
+          "google play movies".disabled = true;
+          "invidious".disabled = true;
+          "odysee".disabled = true;
+          "peertube".disabled = false;
+          "piped".disabled = true;
+          "rumble".disabled = false;
+          "sepiasearch".disabled = false;
+          "vimeo".disabled = true;
+          "youtube".disabled = false;
+          "brave.news".disabled = true;
+          "google news".disabled = true;
+        };
+
+        # Outgoing requests
+        outgoing = {
+          request_timeout = 5.0;
+          max_request_timeout = 15.0;
+          pool_connections = 100;
+          pool_maxsize = 15;
+          enable_http2 = true;
+        };
+
+        # Enabled plugins
+        enabled_plugins = [
+          "Basic Calculator"
+          "Hash plugin"
+          "Tor check plugin"
+          "Open Access DOI rewrite"
+          "Hostnames plugin"
+          "Unit converter plugin"
+          "Tracker URL remover"
+        ];
+      };
+    };
+  };
+}