add(acme,nginx): add certificate generation and nginx for the services

This replaces caddy and the port exposure, this is more efficent and easier to manage in the future.
2025-05-25 00:32:54 +02:00 · 2025-05-25 00:32:54 +02:00 · 5792e478af
commit 5792e478af
parent 7dd87536aa
9 changed files with 244 additions and 74 deletions
--- a/modules/nixos/services/searxng/default.nix
+++ b/modules/nixos/services/searxng/default.nix
@ -12,37 +12,86 @@ in
 {
  options.${namespace}.services.searxng = with types; {
    enable = mkBoolOpt false "SearXNG";
-    redlib = mkBoolOpt true "Whether or not to enable redlib.";
+
+    domain = mkOption {
+      description = "The domain to serve searxng on.";
+      type = types.nullOr types.str;
+      default = "search.stahl.sh";
+    };
+
+    nginx = {
+      enable = mkEnableOption {
+        description = "Enable nginx for this service.";
+        type = types.bool;
+        default = true;
+      };
+    };
+
+    redlib = {
+      enable = mkEnableOption {
+        description = "Whether or not to enable redlib.";
+        type = type.bool;
+        default = true;
+      };
+
+      domain = mkOption {
+        description = "The domain to serve reddit on.";
+        type = types.nullOr types.str;
+        default = "reddit.stahl.sh";
+      };
+    };
+
  };

  config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 1340 ];
+    networking.firewall.allowedTCPPorts = mkIf cfg.nginx.enable [
+      80
+      443
+    ];

    services.searx = {
      enable = true;
      environmentFile = "/run/secrets/searxng";
      settings.server = {
        port = "1340";
-        bind_address = "0.0.0.0";
+        bind_address = "127.0.0.1";
        use_default_settings = true;
        secret_key = "@secret_key@";
      };
    };

-    services.redlib = mkIf cfg.redlib {
+    services.redlib = mkIf cfg.redlib.enable {
      enable = true;
-      address = "0.0.0.0";
+      address = "127.0.0.1";
      port = 1341;
-      openFirewall = true;
    };

-    services.searx.settings.searx = mkIf cfg.redlib {
+    services.searx.settings.searx = mkIf cfg.redlib.enable {
      plugins.hostnames.SXNGPlugin.active = true;
    };

-    services.searx.settings.hostnames.replace = mkIf cfg.redlib {
-      "(.*\.)?reddit\.com$" = "reddit.monapona.dev";
-      "(.*\.)?redd\.it$" = "reddit.monapona.dev";
+    services.searx.settings.hostnames.replace = mkIf cfg.redlib.enable {
+      "(.*\.)?reddit\.com$" = cfg.redlib.domain;
+      "(.*\.)?redd\.it$" = cfg.redlib.domain;
+    };
+
+    awesome-flake.services.acme.enable = mkIf cfg.nginx.enable true;
+
+    services.nginx = mkIf cfg.nginx.enable {
+      enable = true;
+
+      virtualHosts = {
+        "${cfg.domain}" = {
+          forceSSL = true;
+          useACMEHost = "stahl.sh";
+          locations."/".proxyPass = "http://127.0.01:1340";
+        };
+        "${cfg.redlib.domain}" = mkIf cfg.redlib.enable {
+          forceSSL = true;
+          useACMEHost = "stahl.sh";
+          locations."/".proxyPass = "http://127.0.01:1341";
+        };
+      };
    };

    sops.secrets.searxng = {