From 6f68de0ab7a4a41e6337a12a8bfde31a87a7f6a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Wed, 22 Feb 2023 18:13:29 +0100
Subject: [PATCH] Add searxng role
Only basic configuration for now. Successor for searx.
Closes: https://todo.xenrox.net/~xenrox/infrastructure/16
---
 playbooks/avalon.yml | 1 +
 roles/searxng/files/settings.yml | 62 +++++++++++++++++++
 roles/searxng/tasks/main.yml | 31 ++++++++++
 roles/searxng/templates/docker-compose.yml.j2 | 43 +++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 roles/searxng/files/settings.yml
 create mode 100644 roles/searxng/tasks/main.yml
 create mode 100644 roles/searxng/templates/docker-compose.yml.j2
diff --git a/playbooks/avalon.yml b/playbooks/avalon.yml
index d0d2db1..728b6cc 100644
--- a/playbooks/avalon.yml
+++ b/playbooks/avalon.yml
@@ -26,6 +26,7 @@
 # - { role: sinusbot } # docker
 # - { role: faceit } # docker
 - { role: searx }
+ - { role: searxng }
 - { role: prometheus }
 - { role: alertmanager }
 - { role: prometheus_clients }
diff --git a/roles/searxng/files/settings.yml b/roles/searxng/files/settings.yml
new file mode 100644
index 0000000..9009425
--- /dev/null
+++ b/roles/searxng/files/settings.yml
@@ -0,0 +1,62 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+
+general:
+ # use true to use your own donation page written in searx/info/en/donate.md
+ # use false to disable the donation link
+ donation_url: false
+ # mailto:contact@example.com
+ contact_url: mailto:admin@xenrox.net
+
+search:
+ # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex",
+ # "seznam", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off
+ # by default.
+ autocomplete: "duckduckgo"
+
+server:
+ # public URL of the instance, to ensure correct inbound links. Is overwritten
+ # by ${SEARXNG_URL}.
+ base_url: https://search.xenrox.net
+ limiter: true # rate limit the number of request on the instance, block some bots
+ # Proxying image results through searx
+ image_proxy: true
+
+redis:
+ # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
+ # https://redis-py.readthedocs.io/en/stable/connections.html#redis.client.Redis.from_url
+ url: redis://redis:6379/0
+
+ui:
+ static_use_hash: true
+
+# Comment or un-comment plugin to activate / deactivate by default.
+#
+enabled_plugins:
+# # these plugins are enabled if nothing is configured ..
+ - 'Hash plugin'
+ - 'Search on category select'
+ - 'Self Information'
+ - 'Tracker URL remover'
+# - 'Ahmia blacklist' # activation depends on outgoing.using_tor_proxy
+# # these plugins are disabled if nothing is configured ..
+ - 'Hostname replace' # see hostname_replace configuration below
+ - 'Open Access DOI rewrite'
+# - 'Vim-like hotkeys'
+# - 'Tor check plugin'
+# # Read the docs before activate: auto-detection of the language could be
+# # detrimental to users expectations / users can activate the plugin in the
+# # preferences if they want.
+# - 'Autodetect search language'
+
+# Configuration of the "Hostname replace" plugin:
+#
+hostname_replace:
+# '(.*\.)?youtube\.com$': 'invidious.example.com'
+# '(.*\.)?youtu\.be$': 'invidious.example.com'
+# '(.*\.)?youtube-noocookie\.com$': 'yotter.example.com'
+# '(.*\.)?reddit\.com$': 'teddit.example.com'
+# '(.*\.)?redd\.it$': 'teddit.example.com'
+ '(www\.)?twitter\.com$': 'nitter.net'
+# # to remove matching host names from result list, set value to false
+# 'spam\.example\.com': false
diff --git a/roles/searxng/tasks/main.yml b/roles/searxng/tasks/main.yml
new file mode 100644
index 0000000..e9dcb73
--- /dev/null
+++ b/roles/searxng/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ secret_key: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/searxng:secret_key') }}"
+
+- name: Create directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+ with_items:
+ - /opt/searxng
+ - /opt/searxng/searxng
+
+- name: Configure docker-compose
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /opt/searxng/docker-compose.yml
+ owner: root
+ group: root
+ mode: "0600"
+
+- name: Configure searxng
+ ansible.builtin.copy:
+ src: settings.yml
+ dest: /opt/searxng/searxng/settings.yml
+ owner: root
+ group: root
+ mode: "0644"
diff --git a/roles/searxng/templates/docker-compose.yml.j2 b/roles/searxng/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..05a084f
--- /dev/null
+++ b/roles/searxng/templates/docker-compose.yml.j2
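Review bot: `limiter: true` under `server:` carries no note on what it depends on, and it only rate-limits per client if the application sees the real client address. The compose template in this patch publishes the service on `127.0.0.1:8888` only, so presumably a reverse proxy fronts it; if that proxy (not part of this patch) does not forward `X-Forwarded-For` / `X-Real-IP`, all requests appear to come from one address and the limiter cannot separate abusive clients from normal ones. I would record the dependency next to the key, e.g. `# needs redis (see redis.url) and a reverse proxy that forwards the real client IP`.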
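Review bot: The `Get secrets` and `Configure docker-compose` tasks handle the SearXNG secret without `no_log: true`, so the value can show up in verbose `set_fact` output or in `--diff` output when the template is rendered. Adding `no_log: true` to both tasks keeps it out of terminal and CI logs. The fact name `secret_key` is also generic: facts are scoped to the host rather than the role, so another role setting the same name would silently replace it, and `searxng_secret_key` (with the matching reference in `docker-compose.yml.j2`) would be safer.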
@@ -0,0 +1,43 @@
+version: "3.7"
+services:
+ redis:
+ container_name: redis
+ image: "redis:alpine"
+ command: redis-server --save "" --appendonly "no"
+ networks:
+ - searxng
+ tmpfs:
+ - /var/lib/redis
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+
+ searxng:
+ container_name: searxng
+ image: searxng/searxng:latest
+ networks:
+ - searxng
+ ports:
+ - "127.0.0.1:8888:8080"
+ volumes:
+ - ./searxng:/etc/searxng:rw
+ environment:
+ - SEARXNG_SECRET={{ secret_key }}
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+networks:
+ searxng:
+ ipam:
+ driver: default
-- 
2.44.0
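Review bot: Both images use floating tags, `searxng/searxng:latest` and `redis:alpine`, so each pull on the host runs whatever was last pushed under those names and the repository does not record which build is deployed. Pinning each to a release tag or digest, e.g. `image: searxng/searxng@sha256:<digest>`, turns an image update into an explicit, reviewable change. Separately, `- SEARXNG_SECRET={{ secret_key }}` is rendered unquoted: a secret containing `$` is subject to Compose variable interpolation, and one containing ` #` or `: ` changes how the YAML parses. Quoting the entry (`- "SEARXNG_SECRET={{ secret_key }}"`) and either escaping `$` as `$$` or restricting the secret to an alphanumeric alphabet avoids a silently altered key.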