diff --git a/hosts/anastacia/default.nix b/hosts/anastacia/default.nix
index 1a42255..53778ef 100644
--- a/hosts/anastacia/default.nix
+++ b/hosts/anastacia/default.nix
@@ -4,7 +4,9 @@ in {
 imports = [
 ./hardware-configuration.nix
 ./networking.nix # generated at runtime by nixos-infect
+ "${mod}/services/forgejo.nix"
+ "${mod}/services/searx.nix"
 ];
 boot.tmp.cleanOnBoot = true;
diff --git a/system/services/searx.nix b/system/services/searx.nix
new file mode 100644
index 0000000..13c891b
--- /dev/null
+++ b/system/services/searx.nix
@@ -0,0 +1,51 @@
+{pkgs, ...}: {
+ services = {
+ searx = {
+ enable = true;
+ package = pkgs.searxng;
+ settings = {
+ server = {
+ secret_key = "TODO_USE_SOPS_INSTEAD";
+ port = 8888; # Internal port
+ bind_address = "localhost"; # Only listen locally
+ base_url = "https://search.nezia.dev/";
+ image_proxy = true;
+ default_http_headers = {
+ X-Content-Type-Options = "nosniff";
+ X-XSS-Protection = "1; mode=block";
+ X-Download-Options = "noopen";
+ X-Robots-Tag = "noindex, nofollow";
+ Referrer-Policy = "no-referrer";
+ };
+ };
+ engines = [
+ {
+ name = "qwant";
+ disabled = true;
+ }
+ ];
+ };
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts."search.nezia.dev" = {
+ extraConfig = ''
+ encode gzip
+ reverse_proxy localhost:8888 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_addr}
+ header_up X-Forwarded-For {remote_addr}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ '';
+ };
+ };
+ };
+
+ # Open required ports
+ networking.firewall = {
+ allowedTCPPorts = [80 443]; # For Caddy
+ };
+}
+
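Review bot: `secret_key = "TODO_USE_SOPS_INSTEAD";` in the `server` block of system/services/searx.nix makes a fixed, publicly visible string the instance secret, and because it goes through `settings` it is also rendered into the world-readable Nix store. SearXNG uses this key for signing (the image proxy enabled by `image_proxy = true` relies on it), so a known value weakens that protection for as long as the placeholder is deployed. Until sops is wired in, the module's own substitution would cover it: `secret_key = "@SEARX_SECRET_KEY@";` plus `services.searx.environmentFile = "/path/to/searx.env";` (placeholder path) pointing at a root-only file that defines `SEARX_SECRET_KEY`. Separately, `{remote_addr}` in the `header_up X-Real-IP` and `header_up X-Forwarded-For` lines does not look like a Caddy v2 placeholder (`{remote_host}` is the usual one), and `reverse_proxy` already sets the forwarded headers by default, so those lines are worth verifying or dropping.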