From 83db39c83ff5a3aab2d3dba4b8875b19382e83da Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 17 Jul 2024 17:00:17 -0500
Subject: [PATCH] Add Searxng.
---
kubernetes/apps/default/kustomization.yaml | 1 +
.../default/searxng/app/externalsecret.yaml | 19 +++
.../apps/default/searxng/app/helmrelease.yaml | 109 ++++++++++++++++++
.../default/searxng/app/kustomization.yaml | 14 +++
.../searxng/app/resources/limiter.toml | 37 ++++++
.../searxng/app/resources/settings.yml | 47 ++++++++
kubernetes/apps/default/searxng/ks.yaml | 27 +++++
7 files changed, 254 insertions(+)
create mode 100644 kubernetes/apps/default/searxng/app/externalsecret.yaml
create mode 100644 kubernetes/apps/default/searxng/app/helmrelease.yaml
create mode 100644 kubernetes/apps/default/searxng/app/kustomization.yaml
create mode 100644 kubernetes/apps/default/searxng/app/resources/limiter.toml
create mode 100644 kubernetes/apps/default/searxng/app/resources/settings.yml
create mode 100644 kubernetes/apps/default/searxng/ks.yaml
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index 4bc24bab..d3e906c6 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
 - ./radarr/ks.yaml
 - ./recyclarr/ks.yaml
 - ./sabnzbd/ks.yaml
+ - ./searxng/ks.yaml
 - ./sonarr/ks.yaml
 - ./tautulli/ks.yaml
 - ./unpackerr/ks.yaml
diff --git a/kubernetes/apps/default/searxng/app/externalsecret.yaml b/kubernetes/apps/default/searxng/app/externalsecret.yaml
new file mode 100644
index 00000000..982251f8
--- /dev/null
+++ b/kubernetes/apps/default/searxng/app/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: searxng
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: searxng-secret
+ template:
+ engineVersion: v2
+ data:
+ SEARXNG_SECRET: "{{ .SEARXNG_SECRET }}"
+ dataFrom:
+ - extract:
+ key: searxng
diff --git a/kubernetes/apps/default/searxng/app/helmrelease.yaml b/kubernetes/apps/default/searxng/app/helmrelease.yaml
new file mode 100644
index 00000000..2b02a208
--- /dev/null
+++ b/kubernetes/apps/default/searxng/app/helmrelease.yaml
@@ -0,0 +1,109 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: searxng
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ searxng:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: docker.io/searxng/searxng
+ tag: 2024.7.7-ef103ba80
+ env:
+ TZ: America/Chicago
+ SEARXNG_BASE_URL: https://search.jahanson.tech
+ SEARXNG_URL: https://search.jahanson.tech
+ SEARXNG_PORT: &port "8080"
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /stats
+ port: *port
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ startup:
+ enabled: false
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 3Gi
+ service:
+ app:
+ controller: searxng
+ ports:
+ http:
+ port: *port
+ ingress:
+ app:
+ enabled: true
+ className: internal-nginx
+ hosts:
+ - host: &host "search.jahanson.tech"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - hosts:
+ - *host
+ persistence:
+ config:
+ type: configMap
+ name: searxng-configmap
+ advancedMounts:
+ searxng:
+ app:
+ - path: /etc/searxng/settings.yml
+ subPath: settings.yml
+ readOnly: true
+ - path: /etc/searxng/limiter.toml
+ subPath: limiter.toml
+ readOnly: true
+ tmp:
+ type: emptyDir
+ advancedMounts:
+ searxng:
+ app:
+ - path: /etc/searxng
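Review bot: Nothing in helmrelease.yaml consumes the `searxng-secret` that externalsecret.yaml creates: the `env:` map under `containers.app` sets only TZ, the two URLs and the port, and no `envFrom` or `secretKeyRef` appears in this hunk. With `use_default_settings: true` and no `server.secret_key` in settings.yml, the instance would presumably not run on the key stored in 1Password, and that key is what protects the proxied image URLs enabled by `image_proxy: true`. Add an `envFrom` list beside `env:` with one `secretRef` entry whose `name` is `searxng-secret`, so `SEARXNG_SECRET` reaches the container. Separately, `tag: 2024.7.7-ef103ba80` is mutable; appending `@sha256:<digest of the reviewed image>` would pin the deployed image.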
diff --git a/kubernetes/apps/default/searxng/app/kustomization.yaml b/kubernetes/apps/default/searxng/app/kustomization.yaml
new file mode 100644
index 00000000..1b412dd1
--- /dev/null
+++ b/kubernetes/apps/default/searxng/app/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: searxng-configmap
+ files:
+ - settings.yml=./resources/settings.yaml
+ - limiter.toml=./resources/limiter.toml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/kubernetes/apps/default/searxng/app/resources/limiter.toml b/kubernetes/apps/default/searxng/app/resources/limiter.toml
new file mode 100644
index 00000000..67db5734
--- /dev/null
+++ b/kubernetes/apps/default/searxng/app/resources/limiter.toml
@@ -0,0 +1,37 @@
+[real_ip]
+
+# Number of values to trust for X-Forwarded-For.
+
+x_for = 1
+
+# The prefix defines the number of leading bits in an address that are compared
+# to determine whether or not an address is part of a (client) network.
+
+ipv4_prefix = 32
+ipv6_prefix = 48
+
+[botdetection.ip_limit]
+
+# To get unlimited access in a local network, by default link-lokal addresses
+# (networks) are not monitored by the ip_limit
+filter_link_local = true
+
+# activate link_token method in the ip_limit method
+link_token = false
+
+[botdetection.ip_lists]
+
+# In the limiter, the ip_lists method has priority over all other methods -> if
+# an IP is in the pass_ip list, it has unrestricted access and it is also not
+# checked if e.g. the "user agent" suggests a bot (e.g. curl).
+
+block_ip = [
+]
+
+pass_ip = [
+ '10.1.2.0/24', # IPv4 private network
+]
+
+# Activate passlist of (hardcoded) IPs from the SearXNG organization,
+# e.g. `check.searx.space`.
+pass_searxng_org = false
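Review bot: In searxng/app/kustomization.yaml the generator entry `settings.yml=./resources/settings.yaml` points at a file this commit does not create; the file added is `resources/settings.yml`. Unless a `settings.yaml` exists outside this patch, the configMapGenerator build fails and `searxng-configmap`, which the HelmRelease mounts at `/etc/searxng/settings.yml`, is never produced. Change the entry to `settings.yml=./resources/settings.yml`. Note also that `disableNameSuffixHash: true` keeps the ConfigMap name stable, so picking up config edits depends on the reloader annotation in the HelmRelease.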
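Review bot: In resources/limiter.toml, `pass_ip = ['10.1.2.0/24']` exempts that whole range from the limiter and from bot detection, and the comment `# IPv4 private network` does not say which network it is or why it is trusted. Because `x_for = 1` trusts one X-Forwarded-For value as the client address, the exemption is only as narrow as intended if the `internal-nginx` ingress sets that header itself and its own pod or node addresses fall outside the range; neither is visible in this patch. Replace the comment with one that names the network and the reason, e.g. `# <name of this LAN/VLAN>: trusted clients, bypasses limiter and bot detection`, and confirm the ingress controller's forwarded-header handling.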
diff --git a/kubernetes/apps/default/searxng/app/resources/settings.yml b/kubernetes/apps/default/searxng/app/resources/settings.yml
new file mode 100644
index 00000000..c999bd6f
--- /dev/null
+++ b/kubernetes/apps/default/searxng/app/resources/settings.yml
@@ -0,0 +1,47 @@
+---
+use_default_settings: true
+
+server:
+ limiter: true
+ image_proxy: true
+
+redis:
+ url: redis://dragonfly.database.svc.cluster.local:6379?db=10
+
+search:
+ autocomplete: google
+
+general:
+ instance_name: HansonSearch
+
+ui:
+ static_use_hash: true
+ default_theme: simple
+ theme_args:
+ simple_style: dark
+ infinite_scroll: true
+ results_on_new_tab: true
+
+enabled_plugins:
+ - Basic Calculator
+ - Hash plugin
+ - Hostname replace
+ - Open Access DOI rewrite
+ - Self Informations
+ - Tracker URL remover
+ - Unit converter plugin
+
+hostnames:
+ high_priority:
+ - (.*)\/blog\/(.*)
+ - (.*\.)?wikipedia.org$
+ - (.*\.)?github.com$
+ - (.*\.)?reddit.com$
+ - (.*\.)?linuxserver.io$
+ - (.*\.)?docker.com$
+ - (.*\.)?archlinux.org$
+ - (.*\.)?stackoverflow.com$
+ - (.*\.)?askubuntu.com$
+ - (.*\.)?superuser.com$
+ # replace:
+ # (www\.)?reddit\.com$: redlib.rostvik.site
diff --git a/kubernetes/apps/default/searxng/ks.yaml b/kubernetes/apps/default/searxng/ks.yaml
new file mode 100644
index 00000000..530337c4
--- /dev/null
+++ b/kubernetes/apps/default/searxng/ks.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app searxng
+ namespace: flux-system
+spec:
+ targetNamespace: default
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: dragonfly
+ - name: external-secrets-stores
+ path: ./kubernetes/apps/default/searxng/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
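Review bot: In resources/settings.yml the `hostnames.high_priority` patterns leave the dot before the TLD unescaped and carry no start anchor, e.g. `(.*\.)?github.com$`, so `.` matches any character and a host that merely ends in the name also matches; the commented `replace` example already escapes the dot (`reddit\.com$`). For ranking the impact is small, but the same pattern style copied into the `replace` block would also rewrite look-alike hosts. Write each entry in the form `^(.*\.)?github\.com$`. The first entry, `(.*)\/blog\/(.*)`, looks like a path pattern; if these rules are matched against the hostname only, it can never match, which is worth confirming.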