Simplify SearXNG module to use root-based podman

Remove complex rootless container setup that was causing dependency issues with user-runtime-dir services. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 20:17:20 +01:00 · 2026-03-17 20:17:20 +01:00 · f013863986
commit f013863986
parent e44340d3eb
1 changed files with 25 additions and 100 deletions
--- a/modules/searxng.nix
+++ b/modules/searxng.nix
@ -1,5 +1,5 @@
-# SearXNG Module (Rootless Podman)
-# Provides: Private meta-search engine running in a rootless container
+# SearXNG Module (Podman)
+# Provides: Private meta-search engine running in containers
 #
 # Usage:
 #   myModules.searxng = {
@ -17,8 +17,6 @@

 let
  cfg = config.myModules.searxng;
-  mainUser = config.myModules.system.mainUser;
-  mainUserUid = toString config.users.users.${mainUser}.uid;
  anubisPolicy = pkgs.writeText "anubis-policy.yml" ''
    bots:
      - name: "Allow OpenSearch"
@ -67,7 +65,7 @@ in
    donations = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
-      description = "Map of donation platform names to URLs (e.g. { patreon = '...'; })";
+      description = "Map of donation platform names to URLs";
    };
  };

@ -75,56 +73,41 @@ in
    # Ensure Podman is enabled
    myModules.podman.enable = true;

-    # 1. Create Bridge Network
-    systemd.services."create-searxng-network" = {
-      serviceConfig.Type = "oneshot";
-      serviceConfig.User = mainUser;
-      serviceConfig.RemainAfterExit = true;
-      after = [ "user-runtime-dir@${mainUserUid}.service" ];
-      requires = [ "user-runtime-dir@${mainUserUid}.service" ];
-      path = [
-        pkgs.podman
-        pkgs.shadow
-      ];
+    # Create bridge network
+    systemd.services.create-searxng-network = {
+      description = "Create SearXNG podman network";
+      after = [ "network-online.target" ];
+      requires = [ "network-online.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      path = [ pkgs.podman ];
      script = ''
-        export PATH=/run/wrappers/bin:$PATH
-        export XDG_RUNTIME_DIR="/run/user/${mainUserUid}"
-        export HOME="/home/${mainUser}"
-
-        if ! podman network exists searxng-net; then
-          echo "Creating searxng-net..."
+        if ! podman network exists searxng-net 2>/dev/null; then
          podman network create searxng-net --subnet 10.89.2.0/24
-        else
-          echo "searxng-net already exists."
        fi
      '';
    };

-    # 2. Valkey Container (Cache/Limiter)
+    # Valkey Container (Cache)
    virtualisation.oci-containers.containers."searxng-valkey" = {
      image = "docker.io/valkey/valkey:alpine";
-      labels = { "io.containers.autoupdate" = "registry"; };
-      cmd = [
-        "valkey-server"
-        "--save"
-        ""
-        "--appendonly"
-        "no"
-      ];
+      cmd = [ "valkey-server" "--save" "" "--appendonly" "no" ];
      extraOptions = [
        "--network=searxng-net"
        "--network-alias=valkey"
      ];
    };

-    # 3. SearXNG Container
+    # SearXNG Container
    virtualisation.oci-containers.containers."searxng" = {
      image = "docker.io/searxng/searxng:latest";
      environment = {
-        "SEARXNG_BASE_URL" = "https://${cfg.domain}";
-        "SEARXNG_REDIS_URL" = "valkey://valkey:6379";
-        "SEARXNG_URL_BASE" = "https://${cfg.domain}";
-        "GRANIAN_HOST" = "0.0.0.0";
+        SEARXNG_BASE_URL = "https://${cfg.domain}";
+        SEARXNG_REDIS_URL = "valkey://valkey:6379";
+        SEARXNG_URL_BASE = "https://${cfg.domain}";
+        GRANIAN_HOST = "0.0.0.0";
      };
      environmentFiles = [
        config.sops.templates."searxng.env".path
@ -148,15 +131,14 @@ in
      dependsOn = [ "searxng-valkey" ];
    };

-    # 4. Anubis Container (AI Firewall)
+    # Anubis Container (AI Firewall)
    virtualisation.oci-containers.containers."searxng-anubis" = {
      image = "ghcr.io/techarohq/anubis:latest";
-      labels = { "io.containers.autoupdate" = "registry"; };
      ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
      environment = {
-        "TARGET" = "http://searxng:8080";
-        "BIND" = ":8080";
-        "POLICY_FNAME" = "/etc/anubis/policy.yml";
+        TARGET = "http://searxng:8080";
+        BIND = ":8080";
+        POLICY_FNAME = "/etc/anubis/policy.yml";
      };
      extraOptions = [
        "--network=searxng-net"
@ -170,14 +152,12 @@ in

    # SOPS templates
    sops.templates."searxng.env" = {
-      owner = mainUser;
      content = ''
        SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key}
      '';
    };

    sops.templates."searxng_settings.yml" = {
-      owner = mainUser;
      content = ''
        use_default_settings: true

@ -230,60 +210,5 @@ in

    # Secret definitions
    sops.secrets.searxng_secret_key = { };
-
-    # Rootless Overrides
-    systemd.services."podman-searxng".serviceConfig.User = lib.mkForce mainUser;
-    systemd.services."podman-searxng".environment = {
-      HOME = "/home/${mainUser}";
-      XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
-    };
-    systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple";
-    systemd.services."podman-searxng".serviceConfig.Delegate = true;
-    systemd.services."podman-searxng".after = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
-    systemd.services."podman-searxng".requires = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
-
-    systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce mainUser;
-    systemd.services."podman-searxng-valkey".environment = {
-      HOME = "/home/${mainUser}";
-      XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
-    };
-    systemd.services."podman-searxng-valkey".serviceConfig.Type = lib.mkForce "simple";
-    systemd.services."podman-searxng-valkey".serviceConfig.Delegate = true;
-    systemd.services."podman-searxng-valkey".after = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
-    systemd.services."podman-searxng-valkey".requires = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
-
-    systemd.services."podman-searxng-anubis".serviceConfig.User = lib.mkForce mainUser;
-    systemd.services."podman-searxng-anubis".environment = {
-      HOME = "/home/${mainUser}";
-      XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
-    };
-    systemd.services."podman-searxng-anubis".serviceConfig.Type = lib.mkForce "simple";
-    systemd.services."podman-searxng-anubis".serviceConfig.Delegate = true;
-    systemd.services."podman-searxng-anubis".after = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
-    systemd.services."podman-searxng-anubis".requires = [
-      "create-searxng-network.service"
-      "user-runtime-dir@${mainUserUid}.service"
-      "network-online.target"
-    ];
  };
 }