searxng

5 files changed, 233 insertions, 0 deletions

diff --git a/terminaldweller.com/searxng/.env b/terminaldweller.com/searxng/.env
new file mode 100644
index 0000000..f21562a
--- /dev/null
+++ b/terminaldweller.com/searxng/.env
@@ -0,0 +1,7 @@
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
+
+SEARXNG_HOSTNAME=searx.terminaldweller.com
+LETSENCRYPT_EMAIL=devi@terminaldweller.com
diff --git a/terminaldweller.com/searxng/Caddyfile b/terminaldweller.com/searxng/Caddyfile
new file mode 100644
index 0000000..be88221
--- /dev/null
+++ b/terminaldweller.com/searxng/Caddyfile
@@ -0,0 +1,99 @@
+{
+  admin off
+  https_port 8081
+}
+
+{$SEARXNG_HOSTNAME} {
+  log {
+        output discard
+  }
+
+  tls {$SEARXNG_TLS}
+
+  @api {
+        path /config
+        path /healthz
+        path /stats/errors
+        path /stats/checker
+  }
+
+  @static {
+        path /static/*
+  }
+
+  @notstatic {
+        not path /static/*
+  }
+
+  @imageproxy {
+        path /image_proxy
+  }
+
+  @notimageproxy {
+        not path /image_proxy
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+
+        # Disable some features
+        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+        # Disable some features (legacy)
+        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+        # Referer
+        Referrer-Policy "no-referrer"
+
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+
+        # Remove Server header
+        -Server
+  }
+
+  header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
+  }
+
+  # Cache
+  header @static {
+        # Cache
+        Cache-Control "public, max-age=31536000"
+        defer
+  }
+
+  header @notstatic {
+        # No Cache
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
+  }
+
+  # CSP (see http://content-security-policy.com/ )
+  header @imageproxy {
+        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+  }
+
+  header @notimageproxy {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+  }
+
+  # SearXNG
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8080 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+        }
+  }
+
+}
diff --git a/terminaldweller.com/searxng/docker-compose.yaml b/terminaldweller.com/searxng/docker-compose.yaml
new file mode 100644
index 0000000..f592709
--- /dev/null
+++ b/terminaldweller.com/searxng/docker-compose.yaml
@@ -0,0 +1,67 @@
+version: '3.7'
+
+services:
+
+  caddy:
+    container_name: caddy
+    image: caddy:2-alpine
+    network_mode: host
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy-data:/data:rw
+      - caddy-config:/config:rw
+    environment:
+      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+      - DAC_OVERRIDE
+
+  redis:
+    container_name: redis
+    image: "redis:alpine"
+    command: redis-server --save "" --appendonly "no"
+    networks:
+      - searxng
+    tmpfs:
+      - /var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+
+  searxng:
+    container_name: searxng
+    image: searxng/searxng:latest
+    networks:
+      - searxng
+    ports:
+     - "127.0.0.1:8080:8080"
+    volumes:
+      - ./searxng:/etc/searxng:rw
+    environment:
+      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
+networks:
+  searxng:
+    ipam:
+      driver: default
+
+volumes:
+  caddy-data:
+  caddy-config:
diff --git a/terminaldweller.com/searxng/searxng/settings.yml b/terminaldweller.com/searxng/searxng/settings.yml
new file mode 100644
index 0000000..16258b9
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+server:
+  # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+  secret_key: ""  # change this!
+  limiter: true  # can be disabled for a private instance
+  image_proxy: true
+ui:
+  static_use_hash: true
+redis:
+  url: redis://redis:6379/0
diff --git a/terminaldweller.com/searxng/searxng/uwsgi.ini b/terminaldweller.com/searxng/searxng/uwsgi.ini
new file mode 100644
index 0000000..7574799
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/uwsgi.ini
@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1