searxng

6 files changed, 269 insertions, 13 deletions

diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index 9930fe6..dcc7714 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -26,7 +26,7 @@ resolvers docker_resolver
   resolve_retries 3
   timeout retry 1000ms
   timeout resolve 1000ms
- 
+
 #Frontends
 frontend http
   bind *:80
@@ -41,12 +41,22 @@ frontend http
   acl editor-host hdr_sub(host) -i editor.terminaldweller.com
   acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
   acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
+  acl discord-host hdr_sub(host) -i discord.terminaldweller.com
   acl mila-api-acl url_beg /mila
   acl crypto-api-acl url_beg /crypto
   acl http ssl_fc,not
-  #Conditions
+
+  #Redirects
   #this will prevent any letsencrypt cert challenges from working
-  http-request redirect scheme https if http
+  #http-request redirect scheme https if http
+  http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
+  http-request redirect scheme https code 301 if http editor-host
+  http-request redirect scheme https code 301 if http editorsave-host
+  http-request redirect scheme https code 301 if http api-host
+  http-request redirect scheme https code 301 if http devourer-host
+  #http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
+
+  #Conditions
   #use_backend chat-cert-backend if letsencrypt-acl chat-host
   use_backend blog-backend-cert if letsencrypt-acl blog-host
   use_backend blog-backend-cert if letsencrypt-acl editor-host
@@ -82,6 +92,7 @@ frontend https
   acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
   acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
   acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
+  acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
   #Conditions
   use_backend mail-backend-s if mail-host-s
   #use_backend chat-backend-s if chat-host-s
@@ -89,20 +100,29 @@ frontend https
   #use_backend api-crypto-backend-s if api-host-s crypto-api-acl
   use_backend api-crypto-backend-s if api-host-s
   use_backend api-mila-backend-s if mila-api-host-s
-  #use_backend searx-backend-s if searx-host-s
+  use_backend searx-backend-s if searx-host-s
   use_backend cargo-backend-s if cargo-host-s
   use_backend editor-backend-s if editor-host-s
   use_backend editorsave-backend-s if editorsave-host-s
 
 frontend jabber5222
   bind *:5222
-  timeout client 60s
   mode tcp
-  tcp-request inspect-delay 5s
-  tcp-request content accept if { req.ssl_hello_type 1 }
-  tcp-request content reject
-  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
-  use_backend chat-backend-c2s if chat-host-s
+  use_backend chat-backend-c2s
+#frontend jabber5222
+#  bind *:5222
+#  timeout client 60s
+#  mode tcp
+#  tcp-request inspect-delay 5s
+#  tcp-request content accept if { req.ssl_hello_type 1 }
+#  tcp-request content reject
+#  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+#  use_backend chat-backend-c2s if chat-host-s
+#frontend jabbber5222
+#  bind *:5280
+#  mode http
+#  acl chat-host hdr_sub(host) -i chat.terminaldweller.com
+#  use_backend chat-backend if chat-host
 frontend jabber5280
   bind *:5280
   mode http
@@ -259,13 +279,16 @@ backend api-mila-backend-cert
 backend chat-backend-admin
   mode http
   server chat-host 130.185.121.80:5280
+backend chat-backend
+  mode http
+  server chat-host 130.185.121.80:5222
 backend chat-backend-s
   mode tcp
   option ssl-hello-chk
   server chat-host 130.185.121.80:5443
 backend chat-backend-c2s
   mode tcp
-  option ssl-hello-chk
+  #option ssl-hello-chk
   server chat-host 130.185.121.80:5222
 backend chat-cert-backend
   mode http
@@ -276,11 +299,11 @@ backend searx-backend-cert
   server searx-host-cert 130.185.121.80:80
 backend searx-backend
   mode http
-  server searx-host 130.185.121.80:4040
+  server searx-host 130.185.121.80:8080
 backend searx-backend-s
   mode tcp
   option ssl-hello-chk
-  server searx-host-s 130.185.121.80:4040
+  server searx-host-s 130.185.121.80:8081 maxconn 10
 
 backend cargo-backend-s
   mode tcp
diff --git a/terminaldweller.com/searxng/.env b/terminaldweller.com/searxng/.env
new file mode 100644
index 0000000..f21562a
--- /dev/null
+++ b/terminaldweller.com/searxng/.env
@@ -0,0 +1,7 @@
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
+
+SEARXNG_HOSTNAME=searx.terminaldweller.com
+LETSENCRYPT_EMAIL=devi@terminaldweller.com
diff --git a/terminaldweller.com/searxng/Caddyfile b/terminaldweller.com/searxng/Caddyfile
new file mode 100644
index 0000000..be88221
--- /dev/null
+++ b/terminaldweller.com/searxng/Caddyfile
@@ -0,0 +1,99 @@
+{
+  admin off
+  https_port 8081
+}
+
+{$SEARXNG_HOSTNAME} {
+  log {
+        output discard
+  }
+
+  tls {$SEARXNG_TLS}
+
+  @api {
+        path /config
+        path /healthz
+        path /stats/errors
+        path /stats/checker
+  }
+
+  @static {
+        path /static/*
+  }
+
+  @notstatic {
+        not path /static/*
+  }
+
+  @imageproxy {
+        path /image_proxy
+  }
+
+  @notimageproxy {
+        not path /image_proxy
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+
+        # Disable some features
+        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+        # Disable some features (legacy)
+        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+        # Referer
+        Referrer-Policy "no-referrer"
+
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+
+        # Remove Server header
+        -Server
+  }
+
+  header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
+  }
+
+  # Cache
+  header @static {
+        # Cache
+        Cache-Control "public, max-age=31536000"
+        defer
+  }
+
+  header @notstatic {
+        # No Cache
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
+  }
+
+  # CSP (see http://content-security-policy.com/ )
+  header @imageproxy {
+        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+  }
+
+  header @notimageproxy {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+  }
+
+  # SearXNG
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8080 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+        }
+  }
+
+}
diff --git a/terminaldweller.com/searxng/docker-compose.yaml b/terminaldweller.com/searxng/docker-compose.yaml
new file mode 100644
index 0000000..f592709
--- /dev/null
+++ b/terminaldweller.com/searxng/docker-compose.yaml
@@ -0,0 +1,67 @@
+version: '3.7'
+
+services:
+
+  caddy:
+    container_name: caddy
+    image: caddy:2-alpine
+    network_mode: host
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy-data:/data:rw
+      - caddy-config:/config:rw
+    environment:
+      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+      - DAC_OVERRIDE
+
+  redis:
+    container_name: redis
+    image: "redis:alpine"
+    command: redis-server --save "" --appendonly "no"
+    networks:
+      - searxng
+    tmpfs:
+      - /var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+
+  searxng:
+    container_name: searxng
+    image: searxng/searxng:latest
+    networks:
+      - searxng
+    ports:
+     - "127.0.0.1:8080:8080"
+    volumes:
+      - ./searxng:/etc/searxng:rw
+    environment:
+      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
+networks:
+  searxng:
+    ipam:
+      driver: default
+
+volumes:
+  caddy-data:
+  caddy-config:
diff --git a/terminaldweller.com/searxng/searxng/settings.yml b/terminaldweller.com/searxng/searxng/settings.yml
new file mode 100644
index 0000000..16258b9
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+server:
+  # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+  secret_key: ""  # change this!
+  limiter: true  # can be disabled for a private instance
+  image_proxy: true
+ui:
+  static_use_hash: true
+redis:
+  url: redis://redis:6379/0
diff --git a/terminaldweller.com/searxng/searxng/uwsgi.ini b/terminaldweller.com/searxng/searxng/uwsgi.ini
new file mode 100644
index 0000000..7574799
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/uwsgi.ini
@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1