samsa/config.example.toml

# samsa configuration
# Copy to config.toml and adjust as needed.
# Environment variables are used as fallbacks when a config field is empty/unset.

[server]
# Listen port (env: PORT)
port = 5355

# HTTP timeout for engine and upstream calls (env: HTTP_TIMEOUT)
http_timeout = "10s"

# Public base URL for OpenSearch XML (env: BASE_URL)
# Set this so browsers can add samsa as a search engine.
# Example: "https://search.example.com"
base_url = ""

# Link to the source code (shown in footer as "Source" link)
# Defaults to the upstream samsa repo if not set.
# Example: "https://git.example.com/my-samsa-fork"
source_url = ""

[upstream]
# URL of an upstream metasearch instance for unported engines (env: UPSTREAM_SEARXNG_URL)
# Leave empty to run without an upstream proxy.
url = ""

[engines]
# Comma-separated list of engines to execute locally in Go (env: LOCAL_PORTED_ENGINES)
# Engines not listed here will be proxied to the upstream instance.
# Include bing_images, ddg_images, qwant_images for image search when [upstream].url is empty.
local_ported = ["wikipedia", "arxiv", "crossref", "braveapi", "qwant", "duckduckgo", "github", "reddit", "bing", "google", "youtube", "bing_images", "ddg_images", "qwant_images"]

[engines.brave]
# Brave Search API key (env: BRAVE_API_KEY)
api_key = ""
# Optional access token to gate requests (env: BRAVE_ACCESS_TOKEN)
access_token = ""

[engines.qwant]
# Qwant category: "web" or "web-lite" (default: "web-lite")
category = "web-lite"
results_per_page = 10

[engines.youtube]
# YouTube Data API v3 key (env: YOUTUBE_API_KEY)
api_key = ""

[cache]
# Valkey/Redis cache for search results.
# Leave address empty to disable caching entirely.
# Env: VALKEY_ADDRESS
address = ""
# Env: VALKEY_PASSWORD
password = ""
# Database index (env: VALKEY_DB)
db = 0
# Cache TTL for search results (env: VALKEY_CACHE_TTL)
default_ttl = "5m"

[cors]
# CORS configuration for browser-based clients.
# Allowed origins: use "*" for all, or specific domains (env: CORS_ALLOWED_ORIGINS)
allowed_origins = ["*"]
# Allowed methods (default: GET, POST, OPTIONS)
# allowed_methods = ["GET", "POST", "OPTIONS"]
# Allowed headers (default: Content-Type, Authorization, X-Search-Token, X-Brave-Access-Token)
# allowed_headers = ["Content-Type", "Authorization"]
# Preflight cache duration in seconds (default: 3600)
# max_age = 3600

[rate_limit]
# Per-IP rate limiting. Set requests to 0 to disable.
# Env: RATE_LIMIT_REQUESTS
requests = 30
# Time window for rate limit (env: RATE_LIMIT_WINDOW)
window = "1m"
# How often to clean up stale IP entries (env: RATE_LIMIT_CLEANUP_INTERVAL)
cleanup_interval = "5m"

[global_rate_limit]
# Server-wide rate limit across ALL IPs. Prevents pool exhaustion from
# distributed attacks even when per-IP limits are bypassed via VPNs.
# Returns 503 when exceeded. Set to 0 to disable.
# Env: GLOBAL_RATE_LIMIT_REQUESTS
requests = 0
# Env: GLOBAL_RATE_LIMIT_WINDOW
window = "1m"

[burst_rate_limit]
# Per-IP burst + sustained rate limiting. More aggressive than the standard
# per-IP limiter. Blocks rapid-fire abuse even if the per-minute limit isn't hit.
# Returns 429 with X-RateLimit-Reason header. Set burst to 0 to disable.
#
# Example: burst=5, burst_window="5s" means max 5 requests in any 5-second span.
#          sustained=60, sustained_window="1m" means max 60 requests per minute.
# Env: BURST_RATE_LIMIT_BURST
burst = 0
# Env: BURST_RATE_LIMIT_BURST_WINDOW
burst_window = "5s"
# Env: BURST_RATE_LIMIT_SUSTAINED
sustained = 0
# Env: BURST_RATE_LIMIT_SUSTAINED_WINDOW
sustained_window = "1m"