From f8ac4c667d6c523330827c03c1fe31fbe3b260d2 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 8 Mar 2025 17:23:27 -0500 Subject: [PATCH] add searx and fix caddy cloudflare stuff --- .sops.yaml | 6 ++++++ hosts/chunk/default.nix | 4 ++++ hosts/ytnix/default.nix | 2 +- modules/caddy.nix | 7 ++++--- modules/default.nix | 1 + modules/searx.nix | 35 +++++++++++++++++++++++++++++++++++ secrets/services/caddy.yaml | 6 +++--- secrets/services/searx.yaml | 31 +++++++++++++++++++++++++++++++ 8 files changed, 85 insertions(+), 7 deletions(-) create mode 100644 modules/searx.nix create mode 100644 secrets/services/searx.yaml diff --git a/.sops.yaml b/.sops.yaml index 96b61cd..6276e76 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -118,3 +118,9 @@ creation_rules: - age: - *chunk - *cy + + - path_regex: secrets/services/searx.yaml + key_groups: + - age: + - *chunk + - *cy \ No newline at end of file diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 4a25cce..48d7d84 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -60,6 +60,9 @@ "zipline/env" = { sopsFile = ../../secrets/services/zipline.yaml; }; + "searx/env" = { + sopsFile = ../../secrets/services/searx.yaml; + }; }; boot = { @@ -197,4 +200,5 @@ my.roundcube.enable = true; my.zipline.enable = true; + my.searx.enable = true; } diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index 7f41acb..cfbfc09 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -353,7 +353,7 @@ services.ollama.enable = false; - services.trezord.enable = false; + services.trezord.enable = true; programs.niri.enable = false; programs.niri.package = pkgs.niri-unstable; diff --git a/modules/caddy.nix b/modules/caddy.nix index 03d7a4a..6b46cb5 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix 
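Review bot: `services.trezord.enable = true;` in hosts/ytnix/default.nix is unrelated to the searx and Caddy work named in the subject, so the change that turns the Trezor bridge daemon on for this host is easy to miss in review and in later history searches. Consider moving it to its own commit, or at least recording the reason beside it, e.g. `# trezord: enabled for <reason>`.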
@@ -29,11 +29,12 @@ in (common) { encode zstd gzip header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + tls { + dns cloudflare {$CLOUDFLARE_KEY} + resolvers 1.1.1.1 8.8.8.8 + } } ''; - globalConfig = '' - acme_dns cloudflare {$CLOUDFLARE_KEY} - ''; environmentFile = config.sops.secrets."caddy/env".path; }; }; diff --git a/modules/default.nix b/modules/default.nix index 489ec66..b93f89f 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -7,5 +7,6 @@ ./zipline.nix ./containerization.nix ./vaultwarden.nix + ./searx.nix ]; } diff --git a/modules/searx.nix b/modules/searx.nix new file mode 100644 index 0000000..3eb178a --- /dev/null +++ b/modules/searx.nix @@ -0,0 +1,35 @@ +{ + config, + lib, + ... +}: +let + cfg = config.my.searx; + sockPath = "/run/searx/searx.sock"; +in +{ + options.my.searx = { + enable = lib.mkEnableOption "searx"; + }; + + config = lib.mkIf cfg.enable { + services.searx = { + enable = true; + runInUwsgi = true; + uwsgiConfig = { + disable-logging = true; + http = "127.0.0.1:8090"; + }; + settings = { + # get secret from env + server.secret_key = "@SEARX_SECRET_KEY@"; + }; + environmentFile = config.sops.secrets."searx/env".path; + }; + + services.caddy.virtualHosts."x.cy7.sh".extraConfig = '' + import common + reverse_proxy 127.0.0.1:8090 + ''; + }; +} \ No newline at end of file diff --git a/secrets/services/caddy.yaml b/secrets/services/caddy.yaml index 2ff8b4c..5f3ea62 100644 --- a/secrets/services/caddy.yaml +++ b/secrets/services/caddy.yaml 
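Review bot: With `acme_dns` removed from `globalConfig`, the Cloudflare DNS challenge in modules/caddy.nix now applies only to sites that `import common`. Any virtual host defined without that import would presumably fall back to the HTTP or TLS-ALPN challenge, and whether such hosts exist is not visible in this hunk. The `resolvers 1.1.1.1 8.8.8.8` line is also unexplained, so a Caddyfile comment inside the `tls` block such as `# DNS-01 via Cloudflare; public resolvers used for the propagation check because <reason>` would record the intent. Since `CLOUDFLARE_KEY` grants DNS write access, the token behind it is best limited to DNS edit on this one zone. The enclosing attribute set starts and ends outside the hunk.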
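Review bot: `sockPath` is bound in the `let` block of modules/searx.nix but never referenced. uWSGI is instead given `http = "127.0.0.1:8090"`, a loopback TCP listener that any local process on the host can reach without going through Caddy. Either drop the binding or use it, for example `http-socket = sockPath;` with `chmod-socket = "660";` in `uwsgiConfig` and `reverse_proxy unix/${sockPath}` in the vhost; the caddy user would then need access to the socket, which this file does not set up. If the TCP listener stays, the `127.0.0.1:8090` literal appears twice and is better held in one `let` binding. The settings shown also enable no rate limiting for what looks like a publicly reachable instance at `x.cy7.sh`, so it is worth confirming that is intended.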
@@ -1,5 +1,5 @@ caddy: - env: ENC[AES256_GCM,data:XyxcCVT+rwlS7A3xzUgGqpMoLwhfUJo2++zPTgoPt3q6Edt14bYQJsoSJXnKx/lGg/0ilNfEEg8AEnru/Mzx0bWedSdWuZ380l8wlLiucqQThhEBhEJlyd94BMNzhxFdj82w0ejp4oWb5By/WjkFNesvAyxPIo/Ir4S+fTgGpA1iO2Ms8Pdjp00qeXYsK1CfjaXOYlEP+8BxntN2JKLYb8Cgs7dLmHfUwP6gTFKlTukUTtQZYUw336q3TtGy,iv:Ab/E0ljUBxzWlXfAC2BXCYxlgo0ErvKFaubgVjFR3OU=,tag:Yr24/DofYS2lM6f2/1LQ3Q==,type:str] + env: ENC[AES256_GCM,data:fyP1pPJgO9jN0ypC09s0Sz+HlUX42fl6DxWevYYevKdlKTgz5VHQfbELhy6vejmg9v+zFB3/AtSZfWJQB2dNX4Zm/L42wf5QZ7oYoa9QTujJjRgE96OXM77ioNy2DzFzpGw3w16QoC7zaR8UHSN1KL6qRj5xxKw0U6Apxhc0AuBoLvNHOgn8CHY92Q4OBcA1tJn8tgLB9uZB5Ge/2BlEjdSQ0sZMLkE+dHC4/0IILVFrrv1sWRXvXt6t5njF,iv:tF5GRPFYZSuKRgDAY1e8/J7jNQAEqDpgXlpwWW+1P4E=,tag:lK/BUErXNIPgqXPzGJvPTQ==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +33,8 @@ sops: Q2hBZE1FOHJ3aW5rVmoyK045eG11cmsKFOmP5iWONREZvxu0rM+fKMPQKgnYq5LH AKMZFsP7nnUxjdCXEA18sDg4Rf0qp8i3uQK3D6P7417j9ye/YZA4BQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-30T17:26:39Z" - mac: ENC[AES256_GCM,data:saoalvnwHsv0CTw/cRZqibnH9oGoZTNwGUT7RePKRa8OwNzbUEzQt+Z1WrmmWoqR+omQXLE+lpOPv6uNYxvAWnIelzCGeBBCMSBxtjlTUsjts7oFo7d9C5SdTIOkzotDxryvjRupb0P7hAmEqcSUKRZipJy5MVR7VXR1XZ4fIPM=,iv:VaP05zj8L2pygi1/M4BnOV3Inf0ssaWMu+aTBkdDMys=,tag:nuZT8GMB4F0T5dHnTvHOhA==,type:str] + lastmodified: "2025-03-08T21:05:07Z" + mac: ENC[AES256_GCM,data:vgGCrCJMBxjiCWZYymlaPKTekA1Weprwgtc4xcoPVlDsuljkXDth+aAZPpnakE/nSXhGC6jGJOHdtrsIUTkH2R9WQHIdZDBy+VrVQoV6xE3ijfWyIujcIPwz3s1MGBqRFUYum1XMU5FAcIASiYV7PDxj/f6fsLbjKZCc9/kG3GE=,iv:PSvlssl+Gx+Gcw6/zccIKJDeNz3dJ0kHnPmCrAdBnqQ=,tag:6F/JKBFNxKEgMTyYZ3W0Vg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/secrets/services/searx.yaml b/secrets/services/searx.yaml new file mode 100644 index 0000000..46df77e --- /dev/null +++ b/secrets/services/searx.yaml 
@@ -0,0 +1,31 @@ +searx: + env: ENC[AES256_GCM,data:VWLft5+85mNA8k3VynVBz2V+8zcg97UtHfucpaAcKbA+CQdGUbqLesQSu9a7tNRI7+OdI1qPJj5HTzP8tpGN5f39D4brtyo4fN8n8zAd,iv:F70wq9qJiFjEjJeZeFCyQskLdBR3nd/CR/UW/dE9gTo=,tag:/W8FhRC180aAdzjD5v0vZw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM3VXOVZBSVdZMzBOVzJD + Y0ZvWUtFUW5pMUZnYjdxdHQvWDBEVmU1L2hBCi8zcEszZThwcGQ5WUdRTWFUWCtP + WWE0OVJIOXpCMGJZc3J6TmVCMGN2TUUKLS0tIEwxVDJLTkdrK3g2TG9iWml6aEFR + d3NOS245SmV3K1dlaHdnMHpVSzlYQk0KnDSK1C1sEeBVMX80DqjJRrGFx+WkNijg + XEf/Jq//qzgvX24fOl4X4xGTRfBMbLlznLs4N6WtIY7aVcW5N041jQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOGFaWkY1TWhvQUhENHUx + cUk4b2FpeCs5eUMyQ2FhZzVKdHY1MVIzWUhRCmw0eEhwYjl2OFNoQkZRVW43REQy + OGpNWFRTWEF4NFFuU1lpTFdKY3lBNEEKLS0tIFNET0JBZmxoSGhWdTIwL0x2Ris3 + ZHhidlJHT08rR3ZuME9UQmovRTFGNlkK83k2wqXQvxeURrUE/hXoZMDc9lqkgBuL + W/UWt/PBorp1/WRqO6dpuu9N2S9i6VCPJH0jdoHMWEqWuRIENFKVhQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-08T20:52:15Z" + mac: ENC[AES256_GCM,data:UGFkCgmgRofmX2gQR2W2DD0u4LowQ9pmUxPOgpLVaKGasEoNWJMGu7A7rUIpHvuUomoL6q8aiWs3kiIuZrTQ3CB5gawmU9pPiEseOAdbww4beIcnUmumwmCLH46XYQdaooPaz8bIncW/gFePRpVB2Oef1pYeryXkbZRwBm+bPOI=,iv:GGFjerxpLH8C1m50AiKoEJxj+lGRYNMe4Y7k4u232v8=,tag:woww///+80wakvzYoyWCqQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4