authorterminaldweller <thabogre@gmail.com>2022-07-03 06:40:10 +0000
committerterminaldweller <thabogre@gmail.com>2022-07-03 06:40:10 +0000
commitbc4bb70fccdf72072a39cd663100617859b694a7 (patch)
tree40a587d5bce2577cbce832d0957fea4dd62de8f8 /terminaldweller.com/searxng
parentupdates (diff)
searxng
Diffstat (limited to 'terminaldweller.com/searxng')
-rw-r--r--terminaldweller.com/searxng/.env7
-rw-r--r--terminaldweller.com/searxng/Caddyfile99
-rw-r--r--terminaldweller.com/searxng/docker-compose.yaml67
-rw-r--r--terminaldweller.com/searxng/searxng/settings.yml11
-rw-r--r--terminaldweller.com/searxng/searxng/uwsgi.ini49
5 files changed, 233 insertions, 0 deletions
diff --git a/terminaldweller.com/searxng/.env b/terminaldweller.com/searxng/.env
new file mode 100644
index 0000000..f21562a
--- /dev/null
+++ b/terminaldweller.com/searxng/.env
@@ -0,0 +1,7 @@
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
+
+SEARXNG_HOSTNAME=searx.terminaldweller.com
+LETSENCRYPT_EMAIL=devi@terminaldweller.com
diff --git a/terminaldweller.com/searxng/Caddyfile b/terminaldweller.com/searxng/Caddyfile
new file mode 100644
index 0000000..be88221
--- /dev/null
+++ b/terminaldweller.com/searxng/Caddyfile
@@ -0,0 +1,99 @@
+{
+ admin off
+ https_port 8081
+}
+
+{$SEARXNG_HOSTNAME} {
+ log {
+ output discard
+ }
+
+ tls {$SEARXNG_TLS}
+
+ @api {
+ path /config
+ path /healthz
+ path /stats/errors
+ path /stats/checker
+ }
+
+ @static {
+ path /static/*
+ }
+
+ @notstatic {
+ not path /static/*
+ }
+
+ @imageproxy {
+ path /image_proxy
+ }
+
+ @notimageproxy {
+ not path /image_proxy
+ }
+
+ header {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Disable some features
+ Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+ # Disable some features (legacy)
+ Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+ # Referer
+ Referrer-Policy "no-referrer"
+
+ # X-Robots-Tag
+ X-Robots-Tag "noindex, noarchive, nofollow"
+
+ # Remove Server header
+ -Server
+ }
+
+ header @api {
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+ }
+
+ # Cache
+ header @static {
+ # Cache
+ Cache-Control "public, max-age=31536000"
+ defer
+ }
+
+ header @notstatic {
+ # No Cache
+ Cache-Control "no-cache, no-store"
+ Pragma "no-cache"
+ }
+
+ # CSP (see http://content-security-policy.com/ )
+ header @imageproxy {
+ Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+ }
+
+ header @notimageproxy {
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+ }
+
+ # SearXNG
+ handle {
+ encode zstd gzip
+
+ reverse_proxy localhost:8080 {
+ header_up X-Forwarded-Port {http.request.port}
+ header_up X-Forwarded-Proto {http.request.scheme}
+ }
+ }
+
+}
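Review bot: `X-XSS-Protection "1; mode=block"` in the site-wide `header` block enables a legacy browser XSS filter that current browsers have removed, and current header guidance is to disable it rather than turn it on. The `Content-Security-Policy` values set for `@imageproxy` and `@notimageproxy` are the control that actually constrains script execution here, so I would drop the line or change it to `X-XSS-Protection "0"`. Separately, `preload` in the `Strict-Transport-Security` value is a long-lived commitment that is hard to reverse, so a comment such as `# preload is intentional for this hostname` would record that it was a deliberate choice.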
diff --git a/terminaldweller.com/searxng/docker-compose.yaml b/terminaldweller.com/searxng/docker-compose.yaml
new file mode 100644
index 0000000..f592709
--- /dev/null
+++ b/terminaldweller.com/searxng/docker-compose.yaml
@@ -0,0 +1,67 @@
+version: '3.7'
+
+services:
+
+ caddy:
+ container_name: caddy
+ image: caddy:2-alpine
+ network_mode: host
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - caddy-data:/data:rw
+ - caddy-config:/config:rw
+ environment:
+ - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+ - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+ cap_drop:
+ - ALL
+ cap_add:
+ - NET_BIND_SERVICE
+ - DAC_OVERRIDE
+
+ redis:
+ container_name: redis
+ image: "redis:alpine"
+ command: redis-server --save "" --appendonly "no"
+ networks:
+ - searxng
+ tmpfs:
+ - /var/lib/redis
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+
+ searxng:
+ container_name: searxng
+ image: searxng/searxng:latest
+ networks:
+ - searxng
+ ports:
+ - "127.0.0.1:8080:8080"
+ volumes:
+ - ./searxng:/etc/searxng:rw
+ environment:
+ - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+networks:
+ searxng:
+ ipam:
+ driver: default
+
+volumes:
+ caddy-data:
+ caddy-config:
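Review bot: All three services reference floating tags (`caddy:2-alpine`, `redis:alpine`, `searxng/searxng:latest`), so every pull can bring in different code without any change showing up in this repository. Pinning each one to a release tag plus digest, e.g. `image: searxng/searxng:<release-tag>@sha256:<digest>` (placeholders), turns an update into a reviewable commit and leaves a known-good version to roll back to. The `searxng` service also mounts `./searxng:/etc/searxng:rw`, which lets the container rewrite the directory holding `settings.yml`. If the container does not need to write its own configuration after first start, `:ro` would be the safer default. Neither point changes how the stack runs today.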
diff --git a/terminaldweller.com/searxng/searxng/settings.yml b/terminaldweller.com/searxng/searxng/settings.yml
new file mode 100644
index 0000000..16258b9
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+server:
+ # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+ secret_key: "" # change this!
+ limiter: true # can be disabled for a private instance
+ image_proxy: true
+ui:
+ static_use_hash: true
+redis:
+ url: redis://redis:6379/0
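Review bot: `secret_key: ""` leaves the instance's signing key empty while `image_proxy: true` is enabled on the same server block, and the `# change this!` comment is the only safeguard. Keeping the real value out of the repository is right, but nothing visible in this commit supplies it at deploy time. As far as I know SearXNG reads the key from the `SEARXNG_SECRET` environment variable, so it could be passed in the compose `environment:` list as `- SEARXNG_SECRET=${SEARXNG_SECRET:?set in untracked env file}`, which makes startup fail when it is unset. If the key is provisioned some other way, the comment should say where, for example `# injected at deploy time, see <deployment doc>`.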
diff --git a/terminaldweller.com/searxng/searxng/uwsgi.ini b/terminaldweller.com/searxng/searxng/uwsgi.ini
new file mode 100644
index 0000000..7574799
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/uwsgi.ini
@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1
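Review bot: `chmod-socket = 666` makes any UNIX socket uWSGI creates readable and writable by every user in the container, although the file already sets `uid = searxng` and `gid = searxng`. No socket path is defined in this hunk, so the option may be inert if the image only uses a TCP/HTTP socket. If a UNIX socket is in use, `chmod-socket = 660` keeps access to the service user and group. If it is not, removing the line avoids carrying a permissive default forward. Also, `disable-logging = true` here and `output discard` in the Caddyfile leave no request records for abuse investigation beyond 5xx lines, which deserves a comment if it is a deliberate privacy choice.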