From c4e56cf5b1513d71ed984f4bdb5fc77fa472db18 Mon Sep 17 00:00:00 2001
From: Teck Meng
Date: Mon, 10 Jun 2024 20:32:25 +0800
Subject: [PATCH] Refactor makefile to add deployment for searxng stack
---
 makefile | 8 +++++
 swarm/core.yml | 8 +++++
 swarm/searxng.yml | 71 ++++++++++++++++++++++++++++++++++++++
 swarm/searxng/limiter.toml | 6 ++++
 swarm/searxng/settings.yml | 11 ++++++
 5 files changed, 104 insertions(+)
 create mode 100644 swarm/searxng.yml
 create mode 100644 swarm/searxng/limiter.toml
 create mode 100644 swarm/searxng/settings.yml
diff --git a/makefile b/makefile
index 3173743..caeb12a 100644
--- a/makefile
+++ b/makefile
@@ -105,4 +105,12 @@ deploy-thelounge: pull
 set +a ;\
 docker stack deploy --compose-file ./swarm/thelounge.yml thelounge ;\
 }
+deploy-searxng: pull
+ { \
+ echo "Deploying the searxng stack..." ;\
+ set -a ;\
+ . ./swarm/.env ;\
+ set +a ;\
+ docker stack deploy --compose-file ./swarm/searxng.yml searxng ;\
+ }
 # git submodule update --init --recursive
\ No newline at end of file
diff --git a/swarm/core.yml b/swarm/core.yml
index 9374386..862e982 100644
--- a/swarm/core.yml
+++ b/swarm/core.yml
@@ -61,6 +61,14 @@ services:
 - traefik.http.middlewares.rate-limit.ratelimit.average=384
 - traefik.http.middlewares.rate-limit.ratelimit.burst=128
 - traefik.http.middlewares.rate-limit.ratelimit.period=10s
+ - traefik.http.middlewares.xbot.headers.browserXssFilter=true
+ - traefik.http.middlewares.xbot.headers.contentTypeNosniff=true
+ - traefik.http.middlewares.xbot.headers.frameDeny=true
+ - traefik.http.middlewares.xbot.headers.stsPreload=true
+ - traefik.http.middlewares.xbot.headers.stsSeconds=31536000
+ - traefik.http.middlewares.xbot.headers.stsIncludeSubdomains=true
+ - traefik.http.middlewares.xbot.headers.permissionsPolicy="accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), oversized-images=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), wake-lock=(), xr-spatial-tracking=()"
+ - traefik.http.middlewares.xbot.headers.referrerPolicy="no-referrer"
 - treafik.http.middlewares.neo4j_strip.stripprefix.prefixes=/neo4j
 # traefik-https the actual router using HTTPS
 - traefik.http.routers.traefik-public-https.rule=Host(`dashboard.${DOMAIN?Variable not set}`)
diff --git a/swarm/searxng.yml b/swarm/searxng.yml
new file mode 100644
index 0000000..15ea157
--- /dev/null
+++ b/swarm/searxng.yml
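Review bot: The last two added `xbot` labels, `permissionsPolicy="accelerometer=(), …"` and `referrerPolicy="no-referrer"`, carry double quotes inside an unquoted list-form label, so the quotes are part of the YAML scalar and become part of the label value. Traefik appears to take label values verbatim, in which case the responses would carry `Referrer-Policy: "no-referrer"` and a quoted Permissions-Policy that browsers discard as malformed, leaving both headers without effect while the configuration reads as hardened. Dropping the inner quotes, e.g. `- traefik.http.middlewares.xbot.headers.referrerPolicy=no-referrer`, or quoting the whole list item instead, avoids this, and checking the served headers with `curl -I` after deployment would confirm the result. The labels list this hunk extends starts and ends outside the hunk.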
@@ -0,0 +1,71 @@
+volumes:
+ valkey_data2: {}
+
+networks:
+ searxng:
+ driver: overlay
+ attachable: true
+ traefik-public:
+ external: true
+
+services:
+
+ redis_valkey:
+ image: docker.io/valkey/valkey:7-alpine
+ command: valkey-server --save 30 1 --loglevel warning
+ restart: unless-stopped
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ volumes:
+ - valkey_data2:/data
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+ networks:
+ - searxng
+ deploy:
+ placement:
+ constraints:
+ - node.labels.valkey.redis == true
+
+ searxng:
+ image: docker.io/searxng/searxng:latest
+ restart: unless-stopped
+ environment:
+ - LIMITER=true
+ - SEARXNG_BASE_URL=https://search.${DOMAIN}/
+ volumes:
+ - /var/data/config/searxng:/etc/searxng:rw
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+ depends_on:
+ - redis
+ networks:
+ - searxng
+ - traefik-public
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik-public
+ - traefik.constraint-label=traefik-public
+ - traefik.http.routers.searxng-rtr.entrypoints=https
+ - traefik.http.routers.searxng-rtr.rule=Host(`search.${DOMAIN}`)
+ - traefik.http.routers.searxng-rtr.middlewares=xbot
+ - traefik.http.routers.searxng-rtr.tls.certresolver=le
+ - traefik.http.routers.searxng-rtr.service=searxng-svc
+ - traefik.http.services.searxng-svc.loadbalancer.server.port=8080
\ No newline at end of file
diff --git a/swarm/searxng/limiter.toml b/swarm/searxng/limiter.toml
new file mode 100644
index 0000000..c7bfbfb
--- /dev/null
+++ b/swarm/searxng/limiter.toml
@@ -0,0 +1,6 @@
+# This configuration file updates the default configuration file
+# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
+
+[botdetection.ip_limit]
+# activate link_token method in the ip_limit method
+link_token = true
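Review bot: The `depends_on` entry `- redis` in the `searxng` service of swarm/searxng.yml names a service this file does not define; the cache service is declared as `redis_valkey`, which is also the host in the `redis://redis_valkey:6379/0` URL of settings.yml. `docker stack deploy` ignores `depends_on` and `restart:`, so the stack still deploys, but the file fails validation under `docker compose`; I would write `- redis_valkey` and express the restart intent as `deploy.restart_policy` if it is wanted in swarm. Two hardening points in the same file: `image: docker.io/searxng/searxng:latest` is unpinned, so each `pull` can change what runs behind the public router, and the `searxng` overlay is `attachable: true` while the visible valkey command sets no password, so any container attached to that network can read and write the limiter state. `${DOMAIN}` is also used bare here whereas core.yml uses `${DOMAIN?Variable not set}`; the guarded form keeps an unset variable from silently producing a router rule and base URL for the host `search.`.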
diff --git a/swarm/searxng/settings.yml b/swarm/searxng/settings.yml
new file mode 100644
index 0000000..51a3056
--- /dev/null
+++ b/swarm/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
+use_default_settings: true
+server:
+ # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+ secret_key: "ultrasecretkey" # change this!
+ limiter: true # can be disabled for a private instance
+ image_proxy: true
+ui:
+ static_use_hash: true
+redis:
+ url: redis://redis_valkey:6379/0
\ No newline at end of file
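Review bot: `secret_key: "ultrasecretkey"` commits the upstream placeholder as the instance secret, and nothing visible in this patch replaces it before the file is used. SearXNG uses this key for, among other things, the HMAC on image-proxy URLs, which `image_proxy: true` enables, so it should be a per-deployment random value kept out of the repository; SearXNG reads it from the `SEARXNG_SECRET` environment variable, which searxng.yml could pass through from `./swarm/.env` or a swarm secret, with the key removed from this file. Separately, the stack bind-mounts `/var/data/config/searxng` from the host and no step in the visible `deploy-searxng` target copies `swarm/searxng/settings.yml` or `limiter.toml` there, so how these files reach the node should be documented or automated. The `base_url` comment refers to `docker-compose.yml`, which in this layout appears to be `swarm/searxng.yml`.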