From f013863986d9b5b9f869838dbaf56d69c7f8d22f Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Tue, 17 Mar 2026 20:17:20 +0100
Subject: [PATCH] Simplify SearXNG module to use root-based podman

Remove complex rootless container setup that was causing dependency issues with user-runtime-dir services.

Co-Authored-By: Claude Opus 4.6
---
 modules/searxng.nix | 125 +++++++++----------------------------------
 1 file changed, 25 insertions(+), 100 deletions(-)

diff --git a/modules/searxng.nix b/modules/searxng.nix
index e42c036..6a33d1c 100644
--- a/modules/searxng.nix
+++ b/modules/searxng.nix
@@ -1,5 +1,5 @@
-# SearXNG Module (Rootless Podman)
-# Provides: Private meta-search engine running in a rootless container
+# SearXNG Module (Podman)
+# Provides: Private meta-search engine running in containers
 #
 # Usage:
 # myModules.searxng = {
@@ -17,8 +17,6 @@ let
 cfg = config.myModules.searxng;
- mainUser = config.myModules.system.mainUser;
- mainUserUid = toString config.users.users.${mainUser}.uid;
 anubisPolicy = pkgs.writeText "anubis-policy.yml" ''
 bots:
 - name: "Allow OpenSearch"
@@ -67,7 +65,7 @@ in
 donations = lib.mkOption {
 type = lib.types.attrsOf lib.types.str;
 default = { };
- description = "Map of donation platform names to URLs (e.g. { patreon = '...'; })";
+ description = "Map of donation platform names to URLs";
 };
 };
@@ -75,56 +73,41 @@ in
 # Ensure Podman is enabled
 myModules.podman.enable = true;
- # 1. Create Bridge Network
- systemd.services."create-searxng-network" = {
- serviceConfig.Type = "oneshot";
- serviceConfig.User = mainUser;
- serviceConfig.RemainAfterExit = true;
- after = [ "user-runtime-dir@${mainUserUid}.service" ];
- requires = [ "user-runtime-dir@${mainUserUid}.service" ];
- path = [
- pkgs.podman
- pkgs.shadow
- ];
+ # Create bridge network
+ systemd.services.create-searxng-network = {
+ description = "Create SearXNG podman network";
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ path = [ pkgs.podman ];
 script = ''
- export PATH=/run/wrappers/bin:$PATH
- export XDG_RUNTIME_DIR="/run/user/${mainUserUid}"
- export HOME="/home/${mainUser}"
-
- if ! podman network exists searxng-net; then
- echo "Creating searxng-net..."
+ if ! podman network exists searxng-net 2>/dev/null; then
 podman network create searxng-net --subnet 10.89.2.0/24
- else
- echo "searxng-net already exists."
 fi
 '';
 };
- # 2. Valkey Container (Cache/Limiter)
+ # Valkey Container (Cache)
 virtualisation.oci-containers.containers."searxng-valkey" = {
 image = "docker.io/valkey/valkey:alpine";
- labels = { "io.containers.autoupdate" = "registry"; };
- cmd = [
- "valkey-server"
- "--save"
- ""
- "--appendonly"
- "no"
- ];
+ cmd = [ "valkey-server" "--save" "" "--appendonly" "no" ];
 extraOptions = [
 "--network=searxng-net"
 "--network-alias=valkey"
 ];
 };
- # 3. SearXNG Container
+ # SearXNG Container
 virtualisation.oci-containers.containers."searxng" = {
 image = "docker.io/searxng/searxng:latest";
 environment = {
- "SEARXNG_BASE_URL" = "https://${cfg.domain}";
- "SEARXNG_REDIS_URL" = "valkey://valkey:6379";
- "SEARXNG_URL_BASE" = "https://${cfg.domain}";
- "GRANIAN_HOST" = "0.0.0.0";
+ SEARXNG_BASE_URL = "https://${cfg.domain}";
+ SEARXNG_REDIS_URL = "valkey://valkey:6379";
+ SEARXNG_URL_BASE = "https://${cfg.domain}";
+ GRANIAN_HOST = "0.0.0.0";
 };
 environmentFiles = [
 config.sops.templates."searxng.env".path
@@ -148,15 +131,14 @@ in
 dependsOn = [ "searxng-valkey" ];
 };
- # 4. Anubis Container (AI Firewall)
+ # Anubis Container (AI Firewall)
 virtualisation.oci-containers.containers."searxng-anubis" = {
 image = "ghcr.io/techarohq/anubis:latest";
- labels = { "io.containers.autoupdate" = "registry"; };
 ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
 environment = {
- "TARGET" = "http://searxng:8080";
- "BIND" = ":8080";
- "POLICY_FNAME" = "/etc/anubis/policy.yml";
+ TARGET = "http://searxng:8080";
+ BIND = ":8080";
+ POLICY_FNAME = "/etc/anubis/policy.yml";
 };
 extraOptions = [
 "--network=searxng-net"
@@ -170,14 +152,12 @@ in
 # SOPS templates
 sops.templates."searxng.env" = {
- owner = mainUser;
 content = ''
 SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key}
 '';
 };
 sops.templates."searxng_settings.yml" = {
- owner = mainUser;
 content = ''
 use_default_settings: true
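Review bot: Nothing in the new code activates `create-searxng-network.service` or orders the container units after it: the unit declares no `wantedBy`, and the `after`/`requires` entries on `podman-searxng`, `podman-searxng-valkey` and `podman-searxng-anubis` that named it are deleted together with the rootless overrides in the last hunk. Unless a `wantedBy` is set outside this diff, the three units can start with `--network=searxng-net` before the network exists and fail on a fresh boot. I would add `wantedBy = [ "multi-user.target" ];` to the network unit and, for each of the three container units, `after = [ "create-searxng-network.service" ]; requires = [ "create-searxng-network.service" ];`. The header comment in the first hunk dropped "rootless" but does not say what replaced it; a line such as `# Containers are managed by system (root) podman, not a rootless user session` would make the new trust boundary explicit to the next reader.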
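Review bot: Removing the `io.containers.autoupdate` label while keeping `image = "ghcr.io/techarohq/anubis:latest"` leaves the image neither pinned nor refreshed: `latest` is resolved once at pull time and nothing re-pulls it afterwards, so the running image silently drifts from upstream and from what a rebuild on another host resolves. Either pin by digest (`image = "ghcr.io/techarohq/anubis@sha256:<digest-from-registry>"`) or restore the label; the same applies to the `searxng` and `valkey` containers in the previous hunk. Since these units now run under root podman rather than as `mainUser`, this is also the place to decide on container hardening, e.g. `"--cap-drop=ALL"` and `"--security-opt=no-new-privileges"` in `extraOptions` if Anubis runs without extra capabilities — I have not verified that against the image.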
@@ -230,60 +210,5 @@ in
 # Secret definitions
 sops.secrets.searxng_secret_key = { };
-
- # Rootless Overrides
- systemd.services."podman-searxng".serviceConfig.User = lib.mkForce mainUser;
- systemd.services."podman-searxng".environment = {
- HOME = "/home/${mainUser}";
- XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
- };
- systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple";
- systemd.services."podman-searxng".serviceConfig.Delegate = true;
- systemd.services."podman-searxng".after = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
- systemd.services."podman-searxng".requires = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
-
- systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce mainUser;
- systemd.services."podman-searxng-valkey".environment = {
- HOME = "/home/${mainUser}";
- XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
- };
- systemd.services."podman-searxng-valkey".serviceConfig.Type = lib.mkForce "simple";
- systemd.services."podman-searxng-valkey".serviceConfig.Delegate = true;
- systemd.services."podman-searxng-valkey".after = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
- systemd.services."podman-searxng-valkey".requires = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
-
- systemd.services."podman-searxng-anubis".serviceConfig.User = lib.mkForce mainUser;
- systemd.services."podman-searxng-anubis".environment = {
- HOME = "/home/${mainUser}";
- XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
- };
- systemd.services."podman-searxng-anubis".serviceConfig.Type = lib.mkForce "simple";
- systemd.services."podman-searxng-anubis".serviceConfig.Delegate = true;
- systemd.services."podman-searxng-anubis".after = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
- systemd.services."podman-searxng-anubis".requires = [
- "create-searxng-network.service"
- "user-runtime-dir@${mainUserUid}.service"
- "network-online.target"
- ];
 };
 }