From 7f802aaca626ddd47c6fa2ecd5a16fe201d7acfb Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 6 Feb 2026 13:27:29 +0100
Subject: [PATCH] feat(nix): refactor Searx configuration into separate module
- Moved Searx-related settings from `default.nix` and `nginx.nix` to a dedicated `searx.nix` module for improved modularity and maintainability.
- Updated references and ACME certificate configuration to align with the new structure.
- Simplifies management of Searx service and its associated secrets.
---
 systems/x86_64-linux/sgx/acme.nix | 1 -
 systems/x86_64-linux/sgx/default.nix | 16 +------------
 systems/x86_64-linux/sgx/nginx.nix | 5 ----
 systems/x86_64-linux/sgx/searx.nix | 34 ++++++++++++++++++++++++++++
 4 files changed, 35 insertions(+), 21 deletions(-)
 create mode 100644 systems/x86_64-linux/sgx/searx.nix
diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix
index 5cf5b00..e97b483 100644
--- a/systems/x86_64-linux/sgx/acme.nix
+++ b/systems/x86_64-linux/sgx/acme.nix
@@ -15,7 +15,6 @@
 "openwebui.hoyer.world"
 "syncthing.hoyer.world"
 "home.hoyer.world"
- "search.hoyer.world"
 ];
 };
 };
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index f1b31f3..8c6e961 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -10,13 +10,13 @@
 ./nginx.nix
 ./mail.nix
 ./wyoming.nix
+ ./searx.nix
 ];
 boot.tmp.useTmpfs = false;
 sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
 sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
- sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
 environment.systemPackages = with pkgs; [
 claude-code
@@ -24,20 +24,6 @@
 services.tailscale.enable = true;
- services.searx = {
- enable = true;
- configureNginx = true;
- domain = "search.hoyer.world";
- uwsgiConfig = {
- http = ":8081";
- };
- settings = {
- server = {
- secret_key = config.sops.secrets."searx/secret_key".path;
- };
- };
- };
-
 metacfg = {
 services.nginxBase.enable = true;
 services.acmeBase.enable = true;
diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix
index 4006896..6331d9b 100644
--- a/systems/x86_64-linux/sgx/nginx.nix
+++ b/systems/x86_64-linux/sgx/nginx.nix
@@ -32,10 +32,5 @@
 proxyWebsockets = true;
 };
 };
- "search.hoyer.world" = {
- enableACME = false;
- useACMEHost = "search.hoyer.world";
- forceSSL = true;
- };
 };
 }
diff --git a/systems/x86_64-linux/sgx/searx.nix b/systems/x86_64-linux/sgx/searx.nix
new file mode 100644
index 0000000..9cc1c3a
--- /dev/null
+++ b/systems/x86_64-linux/sgx/searx.nix
@@ -0,0 +1,34 @@
+{ pkgs, config, ... }:
+{
+ sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
+
+ services.searx = {
+ enable = true;
+ configureNginx = true;
+ domain = "search.hoyer.world";
+ uwsgiConfig = {
+ http = ":8081";
+ };
+ settings = {
+ server = {
+ secret_key = config.sops.secrets."searx/secret_key".path;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "search.hoyer.world" = {
+ enableACME = false;
+ useACMEHost = "search.hoyer.world";
+ forceSSL = true;
+ };
+ };
+
+ security.acme.certs = {
+ "internal.hoyer.world" = {
+ extraDomainNames = [
+ "search.hoyer.world"
+ ];
+ };
+ };
+}
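Review bot: In the new searx.nix, `secret_key = config.sops.secrets."searx/secret_key".path;` assigns the location of the decrypted file rather than its contents. Unless the searx module dereferences that path (nothing in this patch shows it does), the service would sign with a predictable path string instead of the sops-protected secret. The NixOS module has `services.searx.environmentFile` for this case: set `environmentFile = config.sops.secrets."searx/secret_key".path;`, store the secret in `KEY=value` form, and set `secret_key` to the environment placeholder documented for the nixpkgs release in use. Separately, `useACMEHost = "search.hoyer.world"` names a certificate this file does not define. The domain is added under `security.acme.certs."internal.hoyer.world"`, so the vhost probably should use `useACMEHost = "internal.hoyer.world";` unless a certificate named `search.hoyer.world` is declared elsewhere.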