[utils/searxng.sh] implement new script to install SearXNG

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

9 files changed, 202 insertions, 95 deletions

diff --git a/utils/templates/etc/httpd/sites-available/searxng.conf b/utils/templates/etc/httpd/sites-available/searxng.conf
new file mode 100644
index 000000000..5278640c3
--- /dev/null
+++ b/utils/templates/etc/httpd/sites-available/searxng.conf
@@ -0,0 +1,41 @@
+# -*- coding: utf-8; mode: apache -*-
+
+LoadModule ssl_module           ${APACHE_MODULES}/mod_ssl.so
+LoadModule headers_module       ${APACHE_MODULES}/mod_headers.so
+LoadModule proxy_module         ${APACHE_MODULES}/mod_proxy.so
+LoadModule proxy_http_module    ${APACHE_MODULES}/mod_proxy_http.so
+# LoadModule setenvif_module      ${APACHE_MODULES}/mod_setenvif.so
+#
+# SetEnvIf Request_URI "${SEARXNG_URL_PATH}" dontlog
+# CustomLog /dev/null combined env=dontlog
+
+<Location ${SEARXNG_URL_PATH}>
+
+    Require all granted
+    Order deny,allow
+    Deny from all
+    # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+    Allow from all
+
+    # add the trailing slash
+    RedirectMatch  308 ${SEARXNG_URL_PATH}\$ ${SEARXNG_URL_PATH}/
+
+    ProxyPreserveHost On
+    ProxyPass http://${SEARXNG_INTERNAL_HTTP}
+
+    # see flaskfix.py
+    RequestHeader set X-Scheme %{REQUEST_SCHEME}s
+    RequestHeader set X-Script-Name ${SEARXNG_URL_PATH}
+
+    # see limiter.py
+    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+    RequestHeader append X-Forwarded-For %{REMOTE_ADDR}s
+
+</Location>
+
+# uWSGI serves the static files and in settings.yml we use::
+#
+#   ui:
+#     static_use_hash: true
+#
+# Alias ${SEARXNG_URL_PATH}/static/ ${SEARXNG_STATIC}/
diff --git a/utils/templates/etc/httpd/sites-available/searxng.conf:socket b/utils/templates/etc/httpd/sites-available/searxng.conf:socket
new file mode 100644
index 000000000..b55ea7560
--- /dev/null
+++ b/utils/templates/etc/httpd/sites-available/searxng.conf:socket
@@ -0,0 +1,41 @@
+# -*- coding: utf-8; mode: apache -*-
+
+LoadModule ssl_module           ${APACHE_MODULES}/mod_ssl.so
+LoadModule headers_module       ${APACHE_MODULES}/mod_headers.so
+LoadModule proxy_module         ${APACHE_MODULES}/mod_proxy.so
+LoadModule proxy_uwsgi_module   ${APACHE_MODULES}/mod_proxy_uwsgi.so
+# LoadModule setenvif_module      ${APACHE_MODULES}/mod_setenvif.so
+#
+# SetEnvIf Request_URI "${SEARXNG_URL_PATH}" dontlog
+# CustomLog /dev/null combined env=dontlog
+
+<Location ${SEARXNG_URL_PATH}>
+
+    Require all granted
+    Order deny,allow
+    Deny from all
+    # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+    Allow from all
+
+    # add the trailing slash
+    RedirectMatch  308 ${SEARXNG_URL_PATH}\$ ${SEARXNG_URL_PATH}/
+
+    ProxyPreserveHost On
+    ProxyPass unix:${SEARXNG_UWSGI_SOCKET}|uwsgi://uwsgi-uds-searxng/
+
+    # see flaskfix.py
+    RequestHeader set X-Scheme %{REQUEST_SCHEME}s
+    RequestHeader set X-Script-Name ${SEARXNG_URL_PATH}
+
+    # see limiter.py
+    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+    RequestHeader append X-Forwarded-For %{REMOTE_ADDR}s
+
+</Location>
+
+# uWSGI serves the static files and in settings.yml we use::
+#
+#   ui:
+#     static_use_hash: true
+#
+# Alias ${SEARXNG_URL_PATH}/static/ ${SEARXNG_STATIC}/
diff --git a/utils/templates/etc/nginx/default.apps-available/searxng.conf b/utils/templates/etc/nginx/default.apps-available/searxng.conf
new file mode 100644
index 000000000..7225a8f96
--- /dev/null
+++ b/utils/templates/etc/nginx/default.apps-available/searxng.conf
@@ -0,0 +1,29 @@
+location ${SEARXNG_URL_PATH} {
+
+    proxy_pass http://${SEARXNG_INTERNAL_HTTP};
+
+    proxy_set_header   Host             \$host;
+    proxy_set_header   Connection       \$http_connection;
+
+    # see flaskfix.py
+    proxy_set_header   X-Scheme         \$scheme;
+    proxy_set_header   X-Script-Name    ${SEARXNG_URL_PATH};
+
+    # see limiter.py
+    proxy_set_header   X-Real-IP        \$remote_addr;
+    proxy_set_header   X-Forwarded-For  \$proxy_add_x_forwarded_for;
+
+    # proxy_buffering  off;
+    # proxy_request_buffering off;
+    # proxy_buffer_size 8k;
+
+}
+
+# uWSGI serves the static files and in settings.yml we use::
+#
+#   ui:
+#     static_use_hash: true
+#
+# location ${SEARXNG_URL_PATH}/static/ {
+#     alias ${SEARXNG_STATIC}/;
+# }
diff --git a/utils/templates/etc/nginx/default.apps-available/searxng.conf:socket b/utils/templates/etc/nginx/default.apps-available/searxng.conf:socket
new file mode 100644
index 000000000..7a74eab48
--- /dev/null
+++ b/utils/templates/etc/nginx/default.apps-available/searxng.conf:socket
@@ -0,0 +1,26 @@
+location ${SEARXNG_URL_PATH} {
+
+    uwsgi_pass unix://${SEARXNG_UWSGI_SOCKET};
+
+    include uwsgi_params;
+
+    uwsgi_param    HTTP_HOST             \$host;
+    uwsgi_param    HTTP_CONNECTION       \$http_connection;
+
+    # see flaskfix.py
+    uwsgi_param    HTTP_X_SCHEME         \$scheme;
+    uwsgi_param    HTTP_X_SCRIPT_NAME    ${SEARXNG_URL_PATH};
+
+    # see limiter.py
+    uwsgi_param    HTTP_X_REAL_IP        \$remote_addr;
+    uwsgi_param    HTTP_X_FORWARDED_FOR  \$proxy_add_x_forwarded_for;
+}
+
+# uWSGI serves the static files and in settings.yml we use::
+#
+#   ui:
+#     static_use_hash: true
+#
+# location ${SEARXNG_URL_PATH}/static/ {
+#     alias ${SEARXNG_STATIC}/;
+# }
diff --git a/utils/templates/etc/searxng/settings.yml b/utils/templates/etc/searxng/settings.yml
index 860f4f5e9..aee21474d 100644
--- a/utils/templates/etc/searxng/settings.yml
+++ b/utils/templates/etc/searxng/settings.yml
@@ -1,46 +1,55 @@
-# SearXNG settings, before editing this file read:
-#
-#     https://docs.searxng.org/admin/engines/settings.html
+# SearXNG settings
 
 use_default_settings: true
 
 general:
-  # Debug mode, only for development
   debug: false
-  # change displayed name
-  # instance_name: "SearXNG"
+  instance_name: "SearXNG"
 
 search:
-  # Filter results. 0: None, 1: Moderate, 2: Strict
-  safe_search: 0
-  # Existing autocomplete backends: "dbpedia", "duckduckgo", "google",
-  # "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off
-  # by default.
-  autocomplete: ''
-  # Default search language - leave blank to detect from browser information or
-  # use codes from 'languages.py'
-  default_lang: ''
-  # remove format to deny access, use lower case.
-  formats:
-    - html
+  safe_search: 2
+  autocomplete: 'duckduckgo'
 
 server:
-  secret_key: "ultrasecretkey"  # change this!
-  # Proxying image results through SearXNG
-  image_proxy: false
+  secret_key: "ultrasecretkey"
+  limiter: true
+  image_proxy: true
+
+redis:
+  url: unix:///usr/local/searxng-redis/run/redis.sock?db=0
+
+ui:
+  static_use_hash: true
 
-# result_proxy:
-#   url: http://127.0.0.1:3000/
-#   key: !!binary "your_morty_proxy_key"
+# preferences:
+#   lock:
+#     - autocomplete
+#     - method
+
+enabled_plugins:
+  - 'Hash plugin'
+  - 'Search on category select'
+  - 'Self Informations'
+  - 'Tracker URL remover'
+  - 'Ahmia blacklist'
+  # - 'Hostname replace'  # see hostname_replace configuration below
+  # - 'Infinite scroll'
+  # - 'Open Access DOI rewrite'
+  # - 'Vim-like hotkeys'
 
 # plugins:
 #   - only_show_green_results
 
-# engines:
-#
-#   - name: duckduckgo
-#     disabled: false
+# hostname_replace:
 #
+#   # twitter --> nitter
+#   '(www\.)?twitter\.com$': 'nitter.net'
+
+engines:
+
+  - name: google
+    use_mobile_ui: true
+
 #   - name: fdroid
 #     disabled: false
 #
@@ -48,6 +57,13 @@ server:
 #     disabled: false
 #
 #   - name: mediathekviewweb
-#     engine: mediathekviewweb
-#     shortcut: mvw
-#     categories: general
+#     categories: TV
+#     disabled: false
+#
+#   - name: invidious
+#     disabled: false
+#     base_url:
+#       - https://invidious.snopyta.org
+#       - https://invidious.tiekoetter.com
+#       - https://invidio.xamh.de
+#       - https://inv.riverside.rocks
diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini b/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini
index 931746306..04c32c662 100644
--- a/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini
+++ b/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini
@@ -65,29 +65,19 @@ pythonpath = ${SEARXNG_SRC}
 
 # speak to upstream
 # -----------------
-#
-# Activate the 'http' configuration for filtron or activate the 'socket'
-# configuration if you setup your HTTP server to use uWSGI protocol via sockets.
 
-# using IP:
-#
 # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
 # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
 
 http = ${SEARXNG_INTERNAL_HTTP}
 
-# using unix-sockets:
-#
-# Don't forget to create the folder where the sockets should take place::
+# uWSGI serves the static files and in settings.yml we use::
 #
-#   mkdir -p "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#   chown -R "${SERVICE_USER}:${SERVICE_GROUP}" "$(dirname ${SEARXNG_UWSGI_SOCKET})"
+#   ui:
+#     static_use_hash: true
 #
-# socket = ${SEARXNG_UWSGI_SOCKET}
-
-# uwsgi serves the static files
-# expires set to one year since there are hashes
 static-map = /static=${SEARXNG_STATIC}
+# expires set to one year since there are hashes
 static-expires = /* 31557600
 static-gzip-all = True
 offload-threads = %k
diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini:socket b/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini:socket
index 158973140..bbfaf63be 100644
--- a/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini:socket
+++ b/utils/templates/etc/uwsgi/apps-archlinux/searxng.ini:socket
@@ -65,24 +65,7 @@ pythonpath = ${SEARXNG_SRC}
 
 # speak to upstream
 # -----------------
-#
-# Activate the 'http' configuration for filtron or activate the 'socket'
-# configuration if you setup your HTTP server to use uWSGI protocol via sockets.
-
-# using IP:
-#
-# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
-# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
-
-# http = ${SEARXNG_INTERNAL_HTTP}
 
-# using unix-sockets:
-#
-# Don't forget to create the folder where the sockets should take place::
-#
-#   mkdir -p "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#   chown -R "${SERVICE_USER}:${SERVICE_GROUP}" "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#
 socket = ${SEARXNG_UWSGI_SOCKET}
 
 # uWSGI serves the static files and in settings.yml we use::
diff --git a/utils/templates/etc/uwsgi/apps-available/searxng.ini b/utils/templates/etc/uwsgi/apps-available/searxng.ini
index 1926b446d..5ea7d991a 100644
--- a/utils/templates/etc/uwsgi/apps-available/searxng.ini
+++ b/utils/templates/etc/uwsgi/apps-available/searxng.ini
@@ -6,7 +6,11 @@
 #
 # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
 
-# Who will run the code
+# Who will run the code / Hint: in emperor-tyrant mode uid & gid setting will be
+# ignored [1].  Mode emperor-tyrant is the default on fedora (/etc/uwsgi.ini).
+#
+# [1] https://uwsgi-docs.readthedocs.io/en/latest/Emperor.html#tyrant-mode-secure-multi-user-hosting
+#
 uid = ${SERVICE_USER}
 gid = ${SERVICE_GROUP}
 
@@ -64,29 +68,19 @@ pythonpath = ${SEARXNG_SRC}
 
 # speak to upstream
 # -----------------
-#
-# Activate the 'http' configuration for filtron or activate the 'socket'
-# configuration if you setup your HTTP server to use uWSGI protocol via sockets.
 
-# using IP:
-#
 # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
 # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
 
 http = ${SEARXNG_INTERNAL_HTTP}
 
-# using unix-sockets:
+# uWSGI serves the static files and in settings.yml we use::
 #
-# Don't forget to create the folder where the sockets should take place::
+#   ui:
+#     static_use_hash: true
 #
-#   mkdir -p "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#   chown -R "${SERVICE_USER}:${SERVICE_GROUP}" "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#
-# socket = ${SEARXNG_UWSGI_SOCKET}
-
-# uwsgi serves the static files
-# expires set to one year since there are hashes
 static-map = /static=${SEARXNG_STATIC}
+# expires set to one year since there are hashes
 static-expires = /* 31557600
 static-gzip-all = True
 offload-threads = %k
diff --git a/utils/templates/etc/uwsgi/apps-available/searxng.ini:socket b/utils/templates/etc/uwsgi/apps-available/searxng.ini:socket
index 796d18b8e..304ea3500 100644
--- a/utils/templates/etc/uwsgi/apps-available/searxng.ini:socket
+++ b/utils/templates/etc/uwsgi/apps-available/searxng.ini:socket
@@ -6,7 +6,11 @@
 #
 # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
 
-# Who will run the code
+# Who will run the code / Hint: in emperor-tyrant mode uid & gid setting will be
+# ignored [1].  Mode emperor-tyrant is the default on fedora (/etc/uwsgi.ini).
+#
+# [1] https://uwsgi-docs.readthedocs.io/en/latest/Emperor.html#tyrant-mode-secure-multi-user-hosting
+#
 uid = ${SERVICE_USER}
 gid = ${SERVICE_GROUP}
 
@@ -64,24 +68,7 @@ pythonpath = ${SEARXNG_SRC}
 
 # speak to upstream
 # -----------------
-#
-# Activate the 'http' configuration for filtron or activate the 'socket'
-# configuration if you setup your HTTP server to use uWSGI protocol via sockets.
-
-# using IP:
-#
-# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
-# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
 
-# http = ${SEARXNG_INTERNAL_HTTP}
-
-# using unix-sockets:
-#
-# Don't forget to create the folder where the sockets should take place::
-#
-#   mkdir -p "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#   chown -R "${SERVICE_USER}:${SERVICE_GROUP}" "$(dirname ${SEARXNG_UWSGI_SOCKET})"
-#
 socket = ${SEARXNG_UWSGI_SOCKET}
 
 # uWSGI serves the static files and in settings.yml we use::