8mo ago

SearXNG Instance on NixOS

I've been trying to create a public instance of SearXNG by using NixOS, Cloudflare and Nginx, but I can't seem to make it open to the internet and I've ran out of ideas. Is there anything I'm overlooking?

 undefined

    
services.searx = {
    enable = true;
    redisCreateLocally = true;
        limiterSettings = {
      real_ip = {
        x_for = 1;

        ipv4_prefix = 32;
        ipv6_prefix = 56;
      };
    botdetection = {
        ip_limit = {
          filter_link_local = true;
          link_token = true;
        };
        ip_lists = {
          pass_ip = [
            "192.168.0.0/16"
            "fe80::/10"
          ];
          pass_searxng_org = true;
        };
      };
    };
    runInUwsgi = true;
    uwsgiConfig = {
      socket = "/run/searx/searx.sock";
      http = ":8888";
      chmod-socket = "660";
      disable-logging = true;
    };
    settings = {
      general = {
        debug = false;
        instance_name = "SearXNG Instance";
        donation_url = false;
        contact_url = false;
        enable_metrics = false;
      };

      ui = {
        static_use_hash = true;
        theme_args.simple_style = "dark";
        query_in_title = true;
        center_alignment = true;
        results_on_new_tab = false;
      };

      search = {
        safe_search = 2;
        autocomplete_min = 2;
        autocomplete = "duckduckgo";
      };

      server = {
        port = 8888;
        bind_address = "0.0.0.0";
        secret_key = config.sops.secrets.searx.path;
        image_proxy = true;
        method = "GET";

        default_locale = "en";
        default_lang = "en-US";
        base_url = "https://myinstance.org";
        public_instance = true;
      };
      engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
        "duckduckgo".disabled = false;
        "brave".disabled = true;
      };
      outgoing = {
        request_timeout = 5.0;
        max_request_timeout = 15.0;
        pool_connections = 100;
        pool_maxsize = 15;
        enable_http2 = true;
      };
    };
  };

 undefined

    
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "myinstance.org" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets."SSL-Certificates/Cloudflare/Cert".path;
        sslCertificateKey = config.sops.secrets."SSL-Certificates/Cloudflare/Key".path;
        locations = {
          "/" = {
            extraConfig = ''
              uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};
            '';
          };
        };
      };
    };
  };

5 comments

I see you've activated the services but have you opened the firewall to outside traffic? Can't remember which option that is...
Port 80 and 443 should do the trick. I see your searchxng instance is bound to 0.0.0.0, but it might be better to be explicit and use localhost after opening your firewall. You wouldn't want the public internet to access it directly (I assume).
Anti Commercial-AI license
- Yeah, good point about the localhost. The ports are fine however. The actual error that I'm getting is coming from nginx: *1 connect() to unix:/run/searx/searx.sock failed (13: Permission denied) while connecting to upstream. I have added the searx and nginx groups to my main user (which I have to find a workout for anyway, since it might prove to be a security problem), yet it still does not work.
  
  Oooh! Check the users of searx and nginx! They don't use your user but their own ones. You might have to add the searx user to the nginx user's group, or vice versa, or a new common group.
  Anti Commercial-AI license