WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(searxng): added new role to install and configure searxng

Browse source
This commit is contained in:
NaeiKinDus 2025-05-23 00:00:00 +00:00
parent 768a8133b5
commit 63eab11b85
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
19 changed files with 923 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
ansible_collections/nullified/infrastructure/extensions/molecule/default/converge.yml
View file

@ -103,5 +103,9 @@
ansible.builtin.include_role: ansible.builtin.include_role:
name: nullified.infrastructure.valkey name: nullified.infrastructure.valkey
tasks_from: main.yml tasks_from: main.yml
- name: Testing SearxNG role
ansible.builtin.include_role:
name: nullified.infrastructure.searxng
tasks_from: main.yml
- meta: flush_handlers - meta: flush_handlers

23
ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml
View file

@ -12,3 +12,26 @@ external_provisioner_source_ips:
- '198.18.0.0/15' - '198.18.0.0/15'
security_sysctl_configuration: security_sysctl_configuration:
'vm.overcommit_memory': 1 'vm.overcommit_memory': 1
searxng_conf_redis_url: "rediss://127.0.0.1:6379?ssl_cert_reqs=none"
searxng_limiter_botdetection_pass_ip:
- '172.16.0.0/12'
- '192.168.0.0/16'
nginx_sites:
- name: searxng
content: |-
server {
listen 80;
location / {
uwsgi_pass unix:///run/uwsgi/searxng.socket;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
uwsgi_param HTTP_X_SCHEME $scheme;
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
}

31
ansible_collections/nullified/infrastructure/roles/searxng/README.md Normal file
View file

@ -0,0 +1,31 @@
Role Name
=========
@todo
Requirements
------------
- Redis
- uWSGI
@todo
Role Variables
--------------
@todo
Dependencies
------------
@todo
Example Playbook
----------------
@todo
License
-------
[MIT](https://opensource.org/license/mit)

34
ansible_collections/nullified/infrastructure/roles/searxng/defaults/main.yml Normal file
View file

@ -0,0 +1,34 @@
---
searxng_conf_redis_enabled: true
searxng_conf_redis_url:
searxng_install_uwsgi: true
searxng_uwsgi_socket_dir: "/run/uwsgi"
searxng_uwsgi_config_filepath: "/etc/uwgsi/apps/searxng.ini"
searxng_git_dir: "/srv/git/searxng.git"
searxng_git_version: "HEAD"
searxng_user: "searxng"
searxng_group: "searxng"
searxng_socket_group: "nginx"
searxng_install_dir: "/etc/searxng"
# settings.yml values
searxng_conf_enable_open_metrics: 'true'
searxng_conf_open_metrics_password: ''
searxng_conf_search_languages: ['all', 'en', 'fr', 'de', 'es', 'it']
searxng_conf_search_ban_time_on_fail: 10
searxng_conf_search_favicon_resolver: ''
searxng_conf_search_max_ban_time_on_fail: 120
searxng_conf_server_port: 8888
searxng_conf_server_bind_address: "127.0.0.1"
searxng_conf_server_limiter: true
searxng_conf_server_public_instance: true
searxng_conf_server_image_proxy: true
searxng_conf_ui_default_locale:
searxng_conf_engines_invidious_base_url:
- https://invidious.nerdvpn.de
- https://inv.nadeko.net
- https://yewtu.be
# limiter.toml
searxng_limiter_realip_ipv4_prefix: 32
searxng_limiter_realip_ipv6_prefix: 64
searxng_limiter_botdetection_block_ip: []
searxng_limiter_botdetection_pass_ip: []

11
ansible_collections/nullified/infrastructure/roles/searxng/handlers/main.yml Normal file
View file

@ -0,0 +1,11 @@
---
- name: restart service
become: true
ansible.builtin.systemd:
name: '{{ item }}'
enabled: true
state: restarted
daemon_reload: true
loop:
- searxng.socket
- searxng.service

13
ansible_collections/nullified/infrastructure/roles/searxng/meta/main.yml Normal file
View file

@ -0,0 +1,13 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description:
license: MIT
min_ansible_version: 2.15
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags: []
dependencies: []

48
ansible_collections/nullified/infrastructure/roles/searxng/tasks/backend_uwsgi_setup.yml Normal file
View file

@ -0,0 +1,48 @@
---
- name: setup uWSGI
become: true
when: searxng_install_uwsgi is truthy
block:
- name: setup directories
ansible.builtin.file:
path: '{{ item }}'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
mode: '0700'
state: directory
loop:
- '{{ searxng_uwsgi_config_filepath | dirname }}'
- name: install dependencies
ansible.builtin.apt:
update_cache: true
force_apt_get: true
state: present
cache_valid_time: 3600
pkg:
- libpcre3
- libpcre3-dev
- name: install uWSGI
ansible.builtin.pip:
name:
- 'uwsgi{{ searxng_uwsgi_version_constraint if searxng_uwsgi_version_constraint is truthy }}'
virtualenv: '{{ searxng_install_dir }}/.venv'
- name: install uWSGI configuration
ansible.builtin.template:
src: ../templates/uwsgi/uwsgi.ini.j2
dest: '{{ searxng_uwsgi_config_filepath }}'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
mode: 'u=rw,g=r,o='
- name: install systemd unit files
become: true
ansible.builtin.template:
src: '../templates/systemd/searxng.{{ item }}.j2'
dest: '{{ systemd_unit_directory }}/searxng.{{ item }}'
owner: root
group: root
mode: 'u=rwX,g=rX,o='
notify:
- 'searxng : restart service'
loop:
- service
- socket

17
ansible_collections/nullified/infrastructure/roles/searxng/tasks/gather_facts.yml Normal file
View file

@ -0,0 +1,17 @@
---
- name: find systemd unit directory
become: true
ansible.builtin.command: pkg-config systemd --variable=systemd_system_conf_dir
changed_when: false
register: systemd_unit_directory_cmd
- name: find systemd version
become: true
ansible.builtin.shell: >
systemctl --version | awk '{if($1=="systemd" && $2~"^[0-9]+$"){print $2}}'
changed_when: false
register: systemd_version_cmd
- name: set facts
ansible.builtin.set_fact:
systemd_unit_directory: "{{ systemd_unit_directory_cmd.stdout }}"
systemd_version: "{{ systemd_version_cmd.stdout | int }}"
searxng_conf_server_secret_key: "{{ searxng_conf_server_secret_key | default(lookup('ansible.builtin.password', '/dev/null', length=64), true) }}"

106
ansible_collections/nullified/infrastructure/roles/searxng/tasks/main.yml Normal file
View file

@ -0,0 +1,106 @@
---
- name: install dependencies
become: true
ansible.builtin.apt:
update_cache: true
force_apt_get: true
state: present
cache_valid_time: 3600
pkg:
- build-essential
- git
- libffi-dev
- libssl-dev
- libxslt-dev
- pkgconf
- python3-babel
- python3-dev
- python3-virtualenv
- python3-yaml
- zlib1g-dev
- name: gather facts
ansible.builtin.include_tasks: gather_facts.yml
- name: create service group
become: true
ansible.builtin.group:
name: '{{ searxng_group }}'
system: true
state: present
- name: create service user
become: true
ansible.builtin.user:
name: '{{ searxng_user }}'
group: '{{ searxng_group }}'
shell: '/usr/bin/bash'
home: '{{ searxng_install_dir }}'
create_home: true
system: true
state: present
- name: mark git repository as safe
become: true
ansible.builtin.shell: >
git config --global --get safe.directory {{ searxng_git_dir }} ||
git config --global --add safe.directory {{ searxng_git_dir }}
- name: clone repository
become: true
ansible.builtin.git:
repo: '{{ searxng_git_repository }}'
dest: '{{ searxng_git_dir }}'
single_branch: true
version: '{{ searxng_git_version }}'
- name: setup virtualenv
become: true
ansible.builtin.pip:
requirements: '{{ searxng_git_dir }}/requirements.txt'
virtualenv: '{{ searxng_install_dir }}/.venv'
virtualenv_site_packages: true
extra_args: '--use-pep517 --no-build-isolation -e {{ searxng_git_dir }}'
- name: set ownership
become: true
ansible.builtin.file:
path: '{{ searxng_install_dir }}'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
mode: 'u=rwX,g=rX,o='
recurse: yes
follow: false
- name: setup shell environment
become: true
ansible.builtin.lineinfile:
path: '{{ searxng_install_dir }}/.profile'
line: 'source {{ searxng_install_dir }}/.venv/bin/activate'
search_string: 'source {{ searxng_install_dir }}/.venv/bin/activate'
create: true
mode: '0640'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
state: present
- name: setup configuration file
become: true
ansible.builtin.template:
src: '../templates/settings.yml.j2'
dest: '{{ searxng_install_dir }}/settings.yml'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
mode: 'u=rw,g=r,o='
- name: setup limiter configuration
become: true
when: (searxng_conf_server_limiter | default(True, True)) is truthy
ansible.builtin.template:
src: '../templates/limiter.toml.j2'
dest: '{{ searxng_install_dir }}/limiter.toml'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
mode: 'u=rw,g=r,o='
- name: setup backend
ansible.builtin.include_tasks: 'backend_{{ searxng_backend }}_setup.yml'
- name: fix permissions
become: true
ansible.builtin.file:
path: '{{ searxng_git_dir }}'
owner: '{{ searxng_user }}'
group: '{{ searxng_group }}'
recurse: true
state: directory
- name: flush handlers
ansible.builtin.meta: flush_handlers

0
ansible_collections/nullified/infrastructure/roles/searxng/templates/.gitkeep Normal file
View file

23
ansible_collections/nullified/infrastructure/roles/searxng/templates/limiter.toml.j2 Normal file
View file

@ -0,0 +1,23 @@
[real_ip]
ipv4_prefix = {{ searxng_limiter_realip_ipv4_prefix | default(32, True) }}
ipv6_prefix = {{ searxng_limiter_realip_ipv6_prefix | default(64, True) }}
[botdetection.ip_limit]
link_token = true
[botdetection.ip_lists]
{% set datalist = [] -%}
{%- for item in (searxng_limiter_botdetection_block_ip | default([])) -%}
{{- datalist.append("'{}'".format(item)) if item -}}
{%- endfor %}
block_ip = [
{{ datalist | join(', ') | wordwrap(60, wrapstring="\n\t", break_long_words=False) }}
]
{% set datalist = [] -%}
{%- for item in (searxng_limiter_botdetection_pass_ip | default([])) -%}
{{- datalist.append("'{}'".format(item)) if item -}}
{%- endfor %}
pass_ip = [
{{ datalist | join(', ') | wordwrap(60, wrapstring="\n\t", break_long_words=False) }}
]

482
ansible_collections/nullified/infrastructure/roles/searxng/templates/settings.yml.j2 Normal file
View file

@ -0,0 +1,482 @@
use_default_settings: true
general:
instance_name: "SearXNG"
enable_metrics: {{ searxng_conf_enable_open_metrics | default(false, True) | bool }}
open_metrics: {{ searxng_conf_open_metrics_password | default('', True) | quote }}
server:
base_url: {{ searxng_conf_server_base_url | default(False, True) | bool }}
limiter: {{ searxng_conf_server_limiter | default(true, True) | bool }}
public_instance: {{ searxng_conf_server_public_instance | default(true, True) | bool }}
secret_key: {{ searxng_conf_server_secret_key | to_yaml }}
image_proxy: {{ searxng_conf_server_image_proxy | default(true, True) | bool }}
method: "POST"
default_http_headers:
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Robots-Tag: noindex, nofollow
Referrer-Policy: no-referrer
{% if searxng_conf_redis_enabled | default(True, True) is truthy %}
redis:
url: {{ searxng_conf_redis_url }}
{% endif %}
search:
safe_search: 0
autocomplete: {{ searxng_conf_search_autocomplete | default('duckduckgo', True) | quote }}
autocomplete_min: 4
favicon_resolver: {{ searxng_conf_search_favicon_resolver | default('', True) | quote }}
default_lang: {{ searxng_conf_search_default_lang | default('auto', True) | quote }}
languages: {{ searxng_conf_search_languages | default(['all', 'en', 'fr', 'de'], True) | to_yaml }}
ban_time_on_fail: {{ searxng_conf_search_ban_time_on_fail | default(10, True) }}
max_ban_time_on_fail: {{ searxng_conf_search_max_ban_time_on_fail | default(120, True) }}
suspended_times:
SearxEngineAccessDenied: 86400
SearxEngineCaptcha: 86400
SearxEngineTooManyRequests: 3600
cf_SearxEngineCaptcha: 1296000
cf_SearxEngineAccessDenied: 86400
recaptcha_SearxEngineCaptcha: 604800
formats:
- html
ui:
query_in_title: false
infinite_scroll: true
default_theme: simple
center_alignment: false
default_locale: {{ searxng_conf_ui_default_locale | default("", True) | to_yaml }}
results_on_new_tab: true
theme_args:
simple_style: auto
hotkeys: default
url_formatting: pretty
# preferences:
# lock:
# - categories
# - language
# - autocomplete
# - favicon
# - safesearch
# - method
# - doi_resolver
# - locale
# - theme
# - results_on_new_tab
# - infinite_scroll
# - search_on_category_select
# - method
# - image_proxy
# - query_in_title
# searx supports result proxification using an external service:
# https://github.com/asciimoo/morty uncomment below section if you have running
# morty proxy the key is base64 encoded (keep the !!binary notation)
# Note: since commit af77ec3, morty accepts a base64 encoded key.
#
# result_proxy:
# url: http://127.0.0.1:3000/
# # the key is a base64 encoded string, the YAML !!binary prefix is optional
# key: !!binary "your_morty_proxy_key"
# # [true|false] enable the "proxy" button next to each result
# proxify_results: true
outgoing:
request_timeout: 3.0
max_request_timeout: 10.0
useragent_suffix: ""
pool_connections: 100
pool_maxsize: 20
enable_http2: true
# uncomment below section if you want to use a custom server certificate
# see https://www.python-httpx.org/advanced/#changing-the-verification-defaults
# and https://www.python-httpx.org/compatibility/#ssl-configuration
# verify: ~/.mitmproxy/mitmproxy-ca-cert.cer
#
# uncomment below section if you want to use a proxyq see: SOCKS proxies
# https://2.python-requests.org/en/latest/user/advanced/#proxies
# are also supported: see
# https://2.python-requests.org/en/latest/user/advanced/#socks
#
# proxies:
# all://:
# - http://proxy1:8080
# - http://proxy2:8080
#
# using_tor_proxy: true
#
# Extra seconds to add in order to account for the time taken by the proxy
#
# extra_proxy_timeout: 10
#
# uncomment below section only if you have more than one network interface
# which can be the source of outgoing search requests
#
# source_ips:
# - 1.1.1.1
# - 1.1.1.2
# - fe80::/126
# Plugin configuration, for more details see
# https://docs.searxng.org/admin/settings/settings_plugins.html
plugins:
searx.plugins.calculator.SXNGPlugin:
active: true
searx.plugins.hash_plugin.SXNGPlugin:
active: true
searx.plugins.self_info.SXNGPlugin:
active: true
searx.plugins.unit_converter.SXNGPlugin:
active: true
searx.plugins.ahmia_filter.SXNGPlugin:
active: true
searx.plugins.hostnames.SXNGPlugin:
active: true
searx.plugins.oa_doi_rewrite.SXNGPlugin:
active: false
searx.plugins.tor_check.SXNGPlugin:
active: false
searx.plugins.tracker_url_remover.SXNGPlugin:
active: true
# Configuration of the "Hostnames plugin":
# hostnames:
# replace:
# '(.*\.)?youtube\.com$': 'invidious.example.com'
# '(.*\.)?youtu\.be$': 'invidious.example.com'
# '(.*\.)?reddit\.com$': 'teddit.example.com'
# '(.*\.)?redd\.it$': 'teddit.example.com'
# '(www\.)?twitter\.com$': 'nitter.example.com'
# remove:
# - '(.*\.)?facebook.com$'
# low_priority:
# - '(.*\.)?google(\..*)?$'
# high_priority:
# - '(.*\.)?wikipedia.org$'
#
# Alternatively you can use external files for configuring the "Hostnames plugin":
#
# hostnames:
# replace: 'rewrite-hosts.yml'
#
# Content of 'rewrite-hosts.yml' (place the file in the same directory as 'settings.yml'):
# '(.*\.)?youtube\.com$': 'invidious.example.com'
# '(.*\.)?youtu\.be$': 'invidious.example.com'
#
checker:
# disable checker when in debug mode
off_when_debug: true
additional_tests:
rosebud: &test_rosebud
matrix:
query: rosebud
lang: en
result_container:
- not_empty
- ['one_title_contains', 'citizen kane']
test:
- unique_results
android: &test_android
matrix:
query: ['android']
lang: ['en', 'de', 'fr', 'zh-CN']
result_container:
- not_empty
- ['one_title_contains', 'google']
test:
- unique_results
tests:
infobox: &tests_infobox
infobox:
matrix:
query: ["linux", "new york", "bbc"]
result_container:
- has_infobox
categories_as_tabs:
general:
images:
videos:
news:
map:
music:
it:
science:
files:
engines:
- name: annas archive
engine: annas_archive
disabled: true
shortcut: aa
- name: arxiv
engine: arxiv
shortcut: arx
timeout: 4.0
- name: wikipedia
engine: wikipedia
shortcut: wp
# add "list" to the array to get results in the results list
display_type: ["infobox"]
categories: [general]
- name: bing
engine: bing
shortcut: bi
disabled: true
- name: bing images
engine: bing_images
shortcut: bii
- name: bitbucket
engine: xpath
paging: true
search_url: https://bitbucket.org/repo/all/{pageno}?name={query}
url_xpath: //article[@class="repo-summary"]//a[@class="repo-link"]/@href
title_xpath: //article[@class="repo-summary"]//a[@class="repo-link"]
content_xpath: //article[@class="repo-summary"]/p
categories: [it, repos]
timeout: 4.0
disabled: true
shortcut: bb
about:
website: https://bitbucket.org/
wikidata_id: Q2493781
official_api_documentation: https://developer.atlassian.com/bitbucket
use_official_api: false
require_api_key: false
results: HTML
- name: media.ccc.de
engine: ccc_media
shortcut: c3tv
# We don't set language: de here because media.ccc.de is not just
# for a German audience. It contains many English videos and many
# German videos have English subtitles.
disabled: true
- name: ddg definitions
engine: duckduckgo_definitions
shortcut: ddd
weight: 2
disabled: true
tests: *tests_infobox
- name: docker hub
engine: docker_hub
shortcut: dh
categories: [it, packages]
- name: wikidata
engine: wikidata
shortcut: wd
timeout: 3.0
weight: 2
# add "list" to the array to get results in the results list
display_type: ["infobox"]
tests: *tests_infobox
categories: [general]
- name: duckduckgo
engine: duckduckgo
shortcut: ddg
- name: duckduckgo images
engine: duckduckgo_extra
categories: [images, web]
ddg_category: images
shortcut: ddi
disabled: true
- name: duckduckgo videos
engine: duckduckgo_extra
categories: [videos, web]
ddg_category: videos
shortcut: ddv
disabled: true
- name: duckduckgo news
engine: duckduckgo_extra
categories: [news, web]
ddg_category: news
shortcut: ddn
disabled: true
- name: tineye
engine: tineye
shortcut: tin
timeout: 9.0
disabled: true
- name: 1x
engine: www1x
shortcut: 1x
timeout: 3.0
disabled: true
- name: github
engine: github
shortcut: gh
- name: goodreads
engine: goodreads
shortcut: good
timeout: 4.0
disabled: true
- name: google
engine: google
shortcut: go
# additional_tests:
# android: *test_android
- name: google images
engine: google_images
shortcut: goi
# additional_tests:
# android: *test_android
# dali:
# matrix:
# query: ['Dali Christ']
# lang: ['en', 'de', 'fr', 'zh-CN']
# result_container:
# - ['one_title_contains', 'Salvador']
- name: google scholar
engine: google_scholar
shortcut: gos
- name: material icons
engine: material_icons
categories: images
shortcut: mi
disabled: true
- name: hackernews
engine: hackernews
shortcut: hn
disabled: false
- name: invidious
engine: invidious
# Instances will be selected randomly, see https://api.invidious.io/ for
# instances that are stable (good uptime) and close to you.
base_url: {{ searxng_conf_engines_invidious_base_url | default([], True) | to_yaml }}
shortcut: iv
timeout: 3.0
disabled: true
- name: library genesis
engine: xpath
# search_url: https://libgen.is/search.php?req={query}
search_url: https://libgen.rs/search.php?req={query}
url_xpath: //a[contains(@href,"book/index.php?md5")]/@href
title_xpath: //a[contains(@href,"book/")]/text()[1]
content_xpath: //td/a[1][contains(@href,"=author")]/text()
categories: files
timeout: 7.0
disabled: true
shortcut: lg
about:
website: https://libgen.fun/
wikidata_id: Q22017206
official_api_documentation:
use_official_api: false
require_api_key: false
results: HTML
- name: z-library
engine: zlibrary
shortcut: zlib
categories: files
timeout: 7.0
- name: openstreetmap
engine: openstreetmap
shortcut: osm
- name: qwant
qwant_categ: web
engine: qwant
shortcut: qw
categories: [general, web]
additional_tests:
rosebud: *test_rosebud
- name: qwant news
qwant_categ: news
engine: qwant
shortcut: qwn
categories: news
network: qwant
- name: qwant images
qwant_categ: images
engine: qwant
shortcut: qwi
categories: [images, web]
network: qwant
- name: qwant videos
qwant_categ: videos
engine: qwant
shortcut: qwv
categories: [videos, web]
network: qwant
- name: startpage
engine: startpage
shortcut: sp
startpage_categ: web
categories: [general, web]
additional_tests:
rosebud: *test_rosebud
- name: startpage news
engine: startpage
startpage_categ: news
categories: [news, web]
shortcut: spn
- name: startpage images
engine: startpage
startpage_categ: images
categories: [images, web]
shortcut: spi
- name: wikibooks
engine: mediawiki
weight: 0.5
shortcut: wb
categories: [general, wikimedia]
base_url: "https://{language}.wikibooks.org/"
search_type: text
disabled: true
about:
website: https://www.wikibooks.org/
wikidata_id: Q367
- name: wikiquote
engine: mediawiki
weight: 0.5
shortcut: wq
categories: [general, wikimedia]
base_url: "https://{language}.wikiquote.org/"
search_type: text
disabled: true
additional_tests:
rosebud: *test_rosebud
about:
website: https://www.wikiquote.org/
wikidata_id: Q369
- name: wikisource
engine: mediawiki
weight: 0.5
shortcut: ws
categories: [general, wikimedia]
base_url: "https://{language}.wikisource.org/"
search_type: text
disabled: true
about:
website: https://www.wikisource.org/
wikidata_id: Q263
- name: wiktionary
engine: mediawiki
shortcut: wt
categories: [dictionaries, wikimedia]
base_url: "https://{language}.wiktionary.org/"
search_type: text
about:
website: https://www.wiktionary.org/
wikidata_id: Q151
- name: peertube
engine: peertube
shortcut: ptb
paging: true
# alternatives see: https://instances.joinpeertube.org/instances
# base_url: https://tube.4aem.com
categories: videos
disabled: true
timeout: 6.0
doi_resolvers:
oadoi.org: 'https://oadoi.org/'
doi.org: 'https://doi.org/'
doai.io: 'https://dissem.in/'
sci-hub.se: 'https://sci-hub.se/'
sci-hub.st: 'https://sci-hub.st/'
sci-hub.ru: 'https://sci-hub.ru/'
default_doi_resolver: 'oadoi.org'

60
ansible_collections/nullified/infrastructure/roles/searxng/templates/systemd/searxng.service.j2 Normal file
View file

@ -0,0 +1,60 @@
[Unit]
Description=SearxNG service
#Documentation=
After=network-online.target
Wants=searxng.socket
[Service]
User={{ searxng_user }}
Group={{ searxng_group }}
Type=notify
NotifyAccess=all
UMask=007
ExecStart={{ searxng_install_dir }}/.venv/bin/uwsgi \
--ini "{{ searxng_uwsgi_config_filepath }}" \
--socket "{{ searxng_uwsgi_socket_dir }}/searxng.socket"
Restart=on-failure
RestartSec=3
TimeoutStopSec=300
WorkingDirectory=~
KillSignal=SIGQUIT
StandardError=journal
# Security Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_SYS_RESOURCE
{% if systemd_version | int >= 187 %}
NoNewPrivileges=true
SystemCallFilter=@system-service
{% endif %}
{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
{% if systemd_version | int >= 214 %}
ProtectHome=true
ProtectSystem=true
{% endif %}
{% if systemd_version | int >= 231 %}
ReadOnlyPaths=/
ReadWritePaths={{ searxng_install_dir }} {{ searxng_uwsgi_socket_dir }} {{ searxng_uwsgi_config_filepath }} {{ searxng_git_dir }}
RestrictRealtime=true
{% endif %}
{% if systemd_version | int >= 232 %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
{% endif %}
{% if systemd_version | int >= 233 %}
MountAPIVFS=true
RestrictNamespaces=ipc net mnt pid
{% endif %}
{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
{% if systemd_version | int >= 242 %}
ProtectHostname=true
RestrictSUIDSGID=true
{% endif %}
{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}
[Install]
WantedBy=multi-user.target

15
ansible_collections/nullified/infrastructure/roles/searxng/templates/systemd/searxng.socket.j2 Normal file
View file

@ -0,0 +1,15 @@
[Unit]
Description=SearxNG uWSGI socket
#Documentation=
After=network-online.target
[Socket]
ListenStream={{ searxng_uwsgi_socket_dir }}/searxng.socket
SocketMode=0660
{% if systemd_version | int >= 214 %}
SocketUser={{ searxng_user }}
SocketGroup={{ searxng_socket_group | default(searxng_group, True) }}
{% endif %}
[Install]
WantedBy=sockets.target

35
ansible_collections/nullified/infrastructure/roles/searxng/templates/uwsgi/uwsgi.ini.j2 Normal file
View file

@ -0,0 +1,35 @@
# -*- mode: conf; coding: utf-8 -*-
[uwsgi]
uid = {{ searxng_user }}
gid = {{ searxng_group }}
master = True
lazy-apps = true
cheap = True
idle = 600
die-on-idle = False
manage-script-name = True
env = LANG=C.UTF-8
env = LANGUAGE=C.UTF-8
env = LC_ALL=C.UTF-8
env = SEARXNG_SETTINGS_PATH={{ searxng_install_dir }}/settings.yml
virtualenv = {{ searxng_install_dir }}/.venv
pythonpath = {{ searxng_git_dir }}
chdir = {{ searxng_git_dir }}/searx
disable-logging = true
chmod-socket = 660
single-interpreter = true
enable-threads = true
workers = %k
threads = 4
static-map = /static={{ searxng_git_dir }}/searx/static
static-gzip-all = True
offload-threads = %k
socket = {{ searxng_uwsgi_socket_dir }}/searxng.socket
buffer-size = 8192
module = searx.webapp

2
ansible_collections/nullified/infrastructure/roles/searxng/tests/inventory Normal file
View file

@ -0,0 +1,2 @@
localhost

5
ansible_collections/nullified/infrastructure/roles/searxng/tests/test.yml Normal file
View file

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- test

4
ansible_collections/nullified/infrastructure/roles/searxng/vars/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
searxng_git_repository: "https://github.com/searxng/searxng.git"
searxng_uwsgi_version_constraint:
searxng_backend: uwsgi

10
playbooks/external.yml
View file

@ -67,3 +67,13 @@
apply: apply:
tags: [valkey] tags: [valkey]
tags: [valkey] tags: [valkey]
- name: setup searxng instances
hosts: external:&searxng
tasks:
- name: include searxng role
ansible.builtin.include_role:
name: nullified.infrastructure.searxng
apply:
tags: [searxng]
tags: [searxng]