first commit

.env

@@ -0,0 +1 @@
+IMAGEAPP=docker.io/searxng/searxng:2024.4.29-c0b6c26ee

.gitea/workflows/deploy.yaml

@@ -0,0 +1,18 @@
+on: push
+
+jobs:
+  build:
+    name: test
+    runs-on: debian
+    steps:
+      - uses: actions/checkout@v1
+      - name: setup env
+        run: |
+          cat <<EOF >> .env
+          BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
+          EOF
+          cat .env
+
+      - uses: actions/k8sdeploy@v1
+        with:
+          kubeconfig: "${{ secrets.K8S }}"

README.md

@@ -0,0 +1 @@
+# SearXNG

compose.yaml

@@ -0,0 +1,18 @@
+---
+services:
+  redis:
+    image: docker.io/redis:latest
+    restart: unless-stopped
+    tmpfs:
+      - /data/
+
+  app:
+    image: "$IMAGEAPP"
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    environment:
+      - SEARXNG_SECRET=secret
+    volumes:
+      - ./limiter.toml:/etc/searxng/limiter.toml:ro
+      - ./settings.yml:/etc/searxng/settings.yml:ro

diff.sh

@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+. ./.env
+
+DOCKER_API='https://hub.docker.com/v2/namespaces/searxng/repositories/searxng'
+REPO='https://github.com/searxng/searxng/raw'
+
+new_tag="$(curl -L "$DOCKER_API/tags" | jq -r '.results[3].name')"
+new_commit="$(grep -Eo '\w+$' <<< "$new_tag")"
+
+$EDITOR -d -c "wincmd l" -- "$REPO/$new_commit/searx/settings.yml" settings.yml
+
+sed -i "/^IMAGEAPP=/s/:.*/:$new_tag/" .env

limiter.toml

@@ -0,0 +1,40 @@
+[real_ip]
+
+# Number of values to trust for X-Forwarded-For.
+
+x_for = 1
+
+# The prefix defines the number of leading bits in an address that are compared
+# to determine whether or not an address is part of a (client) network.
+
+ipv4_prefix = 32
+ipv6_prefix = 48
+
+[botdetection.ip_limit]
+
+# To get unlimited access in a local network, by default link-lokal addresses
+# (networks) are not monitored by the ip_limit
+filter_link_local = false
+
+# activate link_token method in the ip_limit method
+link_token = false
+
+[botdetection.ip_lists]
+
+# In the limiter, the ip_lists method has priority over all other methods -> if
+# an IP is in the pass_ip list, it has unrestricted access and it is also not
+# checked if e.g. the "user agent" suggests a bot (e.g. curl).
+
+block_ip = [
+  # '93.184.216.34',  # IPv4 of example.org
+  # '257.1.1.1',      # invalid IP --> will be ignored, logged in ERROR class
+]
+
+pass_ip = [
+  # '192.168.0.0/16',      # IPv4 private network
+  # 'fe80::/10'            # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
+]
+
+# Activate passlist of (hardcoded) IPs from the SearXNG organization,
+# e.g. `check.searx.space`.
+pass_searxng_org = true

manifests/bin/deploy.sh

@@ -0,0 +1,42 @@
+#!/bin/bash -e
+set -o pipefail
+
+function kapply() {
+    for f in "$@"; do
+        kubectl apply -f \
+            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+    done
+}
+
+function kcreatesec() {
+    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kcreatecm() {
+    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kgseckey() {
+    local sec="$1"; shift
+    local key="$1"; shift
+
+    kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
+}
+
+function kgcmkey() {
+    local cm="$1"; shift
+    local key="$1"; shift
+
+    kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
+}
+
+
+kcreatesec searxng-secrets \
+    --from-literal=SEARXNG_SECRET="$(kgseckey searxng-secrets SEARXNG_SECRET || openssl rand -hex 32)"
+
+kcreatecm searxng-settings --from-file=settings.yml
+kcreatecm searxng-limiter  --from-file=limiter.toml
+
+kapply common/redis.yaml common/app.yaml
+
+kubectl rollout restart deployment app

manifests/bin/devel.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=1
+
+. ./manifests/bin/deploy.sh

manifests/bin/prod.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=3
+
+. ./manifests/bin/deploy.sh

manifests/common/app.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: app
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: tls-app
+      hosts:
+        - "$BASE_URL"
+  rules:
+    - host: "$BASE_URL"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: app
+                port:
+                  name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  selector:
+    app: app
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  replicas: $NB_REPLICAS
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: app
+          image: "$IMAGEAPP"
+          ports:
+            - name: http
+              containerPort: 8080
+          envFrom:
+            - secretRef:
+                name: searxng-secrets
+          volumeMounts:
+            - name: limiter
+              mountPath: /etc/searxng/limiter.toml
+              subPath: limiter.toml
+              readOnly: true
+            - name: settings
+              mountPath: /etc/searxng/settings.yml
+              subPath: settings.yml
+              readOnly: true
+      volumes:
+        - name: settings
+          configMap:
+            name: searxng-settings
+        - name: limiter
+          configMap:
+            name: searxng-limiter

manifests/common/redis.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  labels:
+    app: redis
+spec:
+  selector:
+    app: redis
+  ports:
+    - name: redis
+      port: 6379
+      targetPort: redis
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  serviceName: redis
+  replicas: $NB_REPLICAS
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: docker.io/redis:latest
+          ports:
+            - name: redis
+              containerPort: 6379
+          volumeMounts:
+            - name: data
+              mountPath: /data/
+      volumes:
+        - name: data
+          emptyDir: {}