# NixOS module for a SearX metasearch instance.
#
# The application listens on loopback only and is published through the
# project's nginx module; its secret key is supplied at runtime from an
# environment file rather than written into this configuration.
{ config, inputs, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.nixfiles.modules.searx;
in
{
  options.nixfiles.modules.searx = {
    enable = mkEnableOption "SearX";

    # Loopback port the SearX server binds to; nginx proxies to it.
    port = mkOption {
      description = "Port.";
      type = types.port;
      default = 61001;
    };

    # Host name of the nginx virtual host; also used as the instance name.
    # NOTE(review): the type admits null. Nix omits an attribute whose
    # dynamic name is null, so a null domain would presumably drop the
    # virtual host below while instance_name becomes null. Confirm that
    # this is the intended way to run without a vhost.
    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = types.nullOr types.str;
      default = "searx.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    # Environment file owned by the searx user and group. It is expected to
    # define SEARX_SECRET_KEY (see the placeholder in server.secret_key).
    # `secrets` is a project-level option; how the file is decrypted and
    # which mode it gets is not visible here. TODO confirm it is not
    # world-readable.
    secrets.searx-environment = {
      file = "${inputs.self}/secrets/searx-environment";
      owner = "searx";
      group = "searx";
    };

    nixfiles.modules.nginx = {
      enable = true;

      # Single upstream pointing at the loopback listener.
      upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};

      virtualHosts.${cfg.domain} = {
        locations."/".proxyPass = "http://searx";
        # nginxInternalOnly comes from the project's extended lib. By its
        # name it limits the vhost to internal clients; it is the only
        # access control visible in this module, so verify what it allows.
        extraConfig = lib.nginxInternalOnly;
      };
    };

    services.searx = {
      enable = true;

      # Values for @VAR@ placeholders in `settings` are read from this file.
      environmentFile = config.secrets.searx-environment.path;

      settings = {
        general = {
          instance_name = cfg.domain;
          contact_url = "mailto:admin+searx@${config.networking.domain}";
          # Set to false; presumably this hides the upstream project links
          # in the UI.
          git_url = false;
          git_branch = false;
          docs_url = false;
          wiki_url = false;
          twitter_url = false;
        };

        server = {
          # Loopback only: the instance is reachable solely through the
          # local reverse proxy, never directly from the network.
          bind_address = "127.0.0.1";
          port = cfg.port;
          # Placeholder, not the secret. The NixOS searx module fills
          # @VAR@ markers from environmentFile when it generates the runtime
          # settings, which keeps the real key out of the world-readable
          # Nix store.
          secret_key = "@SEARX_SECRET_KEY@";
          base_url = false;
          # NOTE(review): with the image proxy off, result images are
          # fetched by the user's browser directly from third-party hosts,
          # which exposes the client address to them. Enable it if that
          # matters for this deployment.
          image_proxy = false;
          # Headers sent with SearX responses: no referrer leakage, no MIME
          # sniffing, and no indexing of the instance by crawlers.
          default_http_headers = {
            Referrer-Policy = "no-referrer";
            X-Content-Type-Options = "nosniff";
            X-Download-Options = "noopen";
            X-Robots-Tag = "noindex, nofollow, nosnippet, noarchive";
          };
        };

        search = {
          # 0 means results are not filtered.
          safe_search = 0;
          # Empty string: no autocomplete backend is configured.
          autocomplete = "";
        };
      };
    };
  };
}