Simplify SearXNG module to use root-based podman

Remove complex rootless container setup that was causing
dependency issues with user-runtime-dir services.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ashisgreat22 2026-03-17 20:17:20 +01:00
parent e44340d3eb
commit f013863986


@ -1,5 +1,5 @@
# SearXNG Module (Rootless Podman) # SearXNG Module (Podman)
# Provides: Private meta-search engine running in a rootless container # Provides: Private meta-search engine running in containers
# #
# Usage: # Usage:
# myModules.searxng = { # myModules.searxng = {
@ -17,8 +17,6 @@
let let
cfg = config.myModules.searxng; cfg = config.myModules.searxng;
mainUser = config.myModules.system.mainUser;
mainUserUid = toString config.users.users.${mainUser}.uid;
anubisPolicy = pkgs.writeText "anubis-policy.yml" '' anubisPolicy = pkgs.writeText "anubis-policy.yml" ''
bots: bots:
- name: "Allow OpenSearch" - name: "Allow OpenSearch"
@ -67,7 +65,7 @@ in
donations = lib.mkOption { donations = lib.mkOption {
type = lib.types.attrsOf lib.types.str; type = lib.types.attrsOf lib.types.str;
default = { }; default = { };
description = "Map of donation platform names to URLs (e.g. { patreon = '...'; })"; description = "Map of donation platform names to URLs";
}; };
}; };
@ -75,56 +73,41 @@ in
# Ensure Podman is enabled # Ensure Podman is enabled
myModules.podman.enable = true; myModules.podman.enable = true;
# 1. Create Bridge Network # Create bridge network
systemd.services."create-searxng-network" = { systemd.services.create-searxng-network = {
serviceConfig.Type = "oneshot"; description = "Create SearXNG podman network";
serviceConfig.User = mainUser; after = [ "network-online.target" ];
serviceConfig.RemainAfterExit = true; requires = [ "network-online.target" ];
after = [ "user-runtime-dir@${mainUserUid}.service" ]; serviceConfig = {
requires = [ "user-runtime-dir@${mainUserUid}.service" ]; Type = "oneshot";
path = [ RemainAfterExit = true;
pkgs.podman };
pkgs.shadow path = [ pkgs.podman ];
];
script = '' script = ''
export PATH=/run/wrappers/bin:$PATH if ! podman network exists searxng-net 2>/dev/null; then
export XDG_RUNTIME_DIR="/run/user/${mainUserUid}"
export HOME="/home/${mainUser}"
if ! podman network exists searxng-net; then
echo "Creating searxng-net..."
podman network create searxng-net --subnet 10.89.2.0/24 podman network create searxng-net --subnet 10.89.2.0/24
else
echo "searxng-net already exists."
fi fi
''; '';
}; };
# 2. Valkey Container (Cache/Limiter) # Valkey Container (Cache)
virtualisation.oci-containers.containers."searxng-valkey" = { virtualisation.oci-containers.containers."searxng-valkey" = {
image = "docker.io/valkey/valkey:alpine"; image = "docker.io/valkey/valkey:alpine";
labels = { "io.containers.autoupdate" = "registry"; }; cmd = [ "valkey-server" "--save" "" "--appendonly" "no" ];
cmd = [
"valkey-server"
"--save"
""
"--appendonly"
"no"
];
extraOptions = [ extraOptions = [
"--network=searxng-net" "--network=searxng-net"
"--network-alias=valkey" "--network-alias=valkey"
]; ];
}; };
# 3. SearXNG Container # SearXNG Container
virtualisation.oci-containers.containers."searxng" = { virtualisation.oci-containers.containers."searxng" = {
image = "docker.io/searxng/searxng:latest"; image = "docker.io/searxng/searxng:latest";
environment = { environment = {
"SEARXNG_BASE_URL" = "https://${cfg.domain}"; SEARXNG_BASE_URL = "https://${cfg.domain}";
"SEARXNG_REDIS_URL" = "valkey://valkey:6379"; SEARXNG_REDIS_URL = "valkey://valkey:6379";
"SEARXNG_URL_BASE" = "https://${cfg.domain}"; SEARXNG_URL_BASE = "https://${cfg.domain}";
"GRANIAN_HOST" = "0.0.0.0"; GRANIAN_HOST = "0.0.0.0";
}; };
environmentFiles = [ environmentFiles = [
config.sops.templates."searxng.env".path config.sops.templates."searxng.env".path
@ -148,15 +131,14 @@ in
dependsOn = [ "searxng-valkey" ]; dependsOn = [ "searxng-valkey" ];
}; };
# 4. Anubis Container (AI Firewall) # Anubis Container (AI Firewall)
virtualisation.oci-containers.containers."searxng-anubis" = { virtualisation.oci-containers.containers."searxng-anubis" = {
image = "ghcr.io/techarohq/anubis:latest"; image = "ghcr.io/techarohq/anubis:latest";
labels = { "io.containers.autoupdate" = "registry"; };
ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
environment = { environment = {
"TARGET" = "http://searxng:8080"; TARGET = "http://searxng:8080";
"BIND" = ":8080"; BIND = ":8080";
"POLICY_FNAME" = "/etc/anubis/policy.yml"; POLICY_FNAME = "/etc/anubis/policy.yml";
}; };
extraOptions = [ extraOptions = [
"--network=searxng-net" "--network=searxng-net"
@ -170,14 +152,12 @@ in
# SOPS templates # SOPS templates
sops.templates."searxng.env" = { sops.templates."searxng.env" = {
owner = mainUser;
content = '' content = ''
SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key} SEARXNG_SECRET_KEY=${config.sops.placeholder.searxng_secret_key}
''; '';
}; };
sops.templates."searxng_settings.yml" = { sops.templates."searxng_settings.yml" = {
owner = mainUser;
content = '' content = ''
use_default_settings: true use_default_settings: true
@ -230,60 +210,5 @@ in
# Secret definitions # Secret definitions
sops.secrets.searxng_secret_key = { }; sops.secrets.searxng_secret_key = { };
# Rootless Overrides
systemd.services."podman-searxng".serviceConfig.User = lib.mkForce mainUser;
systemd.services."podman-searxng".environment = {
HOME = "/home/${mainUser}";
XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
};
systemd.services."podman-searxng".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-searxng".serviceConfig.Delegate = true;
systemd.services."podman-searxng".after = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
systemd.services."podman-searxng".requires = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
systemd.services."podman-searxng-valkey".serviceConfig.User = lib.mkForce mainUser;
systemd.services."podman-searxng-valkey".environment = {
HOME = "/home/${mainUser}";
XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
};
systemd.services."podman-searxng-valkey".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-searxng-valkey".serviceConfig.Delegate = true;
systemd.services."podman-searxng-valkey".after = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
systemd.services."podman-searxng-valkey".requires = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
systemd.services."podman-searxng-anubis".serviceConfig.User = lib.mkForce mainUser;
systemd.services."podman-searxng-anubis".environment = {
HOME = "/home/${mainUser}";
XDG_RUNTIME_DIR = "/run/user/${mainUserUid}";
};
systemd.services."podman-searxng-anubis".serviceConfig.Type = lib.mkForce "simple";
systemd.services."podman-searxng-anubis".serviceConfig.Delegate = true;
systemd.services."podman-searxng-anubis".after = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
systemd.services."podman-searxng-anubis".requires = [
"create-searxng-network.service"
"user-runtime-dir@${mainUserUid}.service"
"network-online.target"
];
}; };
} }
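Review bot: The last hunk removes the `after`/`requires` on `create-searxng-network.service` from all three `podman-searxng*` units, and the reworked `create-searxng-network` oneshot in the third hunk declares no `before`/`requiredBy` toward them, so nothing on the new side orders network creation ahead of units that pass `--network=searxng-net`; on a fresh boot the container starts may race the network. Adding `before = [ "podman-searxng-valkey.service" "podman-searxng.service" "podman-searxng-anubis.service" ];` and `requiredBy = [ "podman-searxng-valkey.service" "podman-searxng.service" "podman-searxng-anubis.service" ];` to the oneshot restores the ordering without reintroducing the per-unit overrides. The `io.containers.autoupdate = "registry"` labels are also dropped from the valkey and anubis containers while both keep `:latest` tags, so those images are now only refreshed when the unit is rebuilt; either keep the labels (with the podman auto-update timer enabled) or pin a digest so the update policy is explicit. Moving from rootless to root-managed podman gives up the user-namespace boundary the old setup had; `--userns=auto` in each container's `extraOptions` would restore a user namespace under root podman, though it should be tested against the fixed uids these images expect. The `searxng` container block and the `searxng_settings.yml` template continue outside the visible lines of their hunks.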