feat(nix): refactor Searx configuration into separate module

- Moved Searx-related settings from `default.nix` and `nginx.nix` to a dedicated `searx.nix` module for improved modularity and maintainability. - Updated references and ACME certificate configuration to align with the new structure. - Simplifies management of Searx service and its associated secrets.
2026-02-06 13:27:29 +01:00 · 2026-02-06 13:27:29 +01:00 · 7f802aaca6
commit 7f802aaca6
parent 3a66722da1
4 changed files with 35 additions and 21 deletions
--- a/systems/x86_64-linux/sgx/acme.nix
+++ b/systems/x86_64-linux/sgx/acme.nix
@ -15,7 +15,6 @@
        "openwebui.hoyer.world"
        "syncthing.hoyer.world"
        "home.hoyer.world"
-        "search.hoyer.world"
      ];
    };
  };
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@ -10,13 +10,13 @@
    ./nginx.nix
    ./mail.nix
    ./wyoming.nix
+    ./searx.nix
  ];

  boot.tmp.useTmpfs = false;

  sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
  sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
-  sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;

  environment.systemPackages = with pkgs; [
    claude-code
@ -24,20 +24,6 @@

  services.tailscale.enable = true;

-  services.searx = {
-    enable = true;
-    configureNginx = true;
-    domain = "search.hoyer.world";
-    uwsgiConfig = {
-      http = ":8081";
-    };
-    settings = {
-      server = {
-        secret_key = config.sops.secrets."searx/secret_key".path;
-      };
-    };
-  };
-
  metacfg = {
    services.nginxBase.enable = true;
    services.acmeBase.enable = true;
--- a/systems/x86_64-linux/sgx/nginx.nix
+++ b/systems/x86_64-linux/sgx/nginx.nix
@ -32,10 +32,5 @@
        proxyWebsockets = true;
      };
    };
-    "search.hoyer.world" = {
-      enableACME = false;
-      useACMEHost = "search.hoyer.world";
-      forceSSL = true;
-    };
  };
 }
--- a/systems/x86_64-linux/sgx/searx.nix
+++ b/systems/x86_64-linux/sgx/searx.nix
@ -0,0 +1,34 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
+
+  services.searx = {
+    enable = true;
+    configureNginx = true;
+    domain = "search.hoyer.world";
+    uwsgiConfig = {
+      http = ":8081";
+    };
+    settings = {
+      server = {
+        secret_key = config.sops.secrets."searx/secret_key".path;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "search.hoyer.world" = {
+      enableACME = false;
+      useACMEHost = "search.hoyer.world";
+      forceSSL = true;
+    };
+  };
+
+  security.acme.certs = {
+    "internal.hoyer.world" = {
+      extraDomainNames = [
+        "search.hoyer.world"
+      ];
+    };
+  };
+}