add searxng (#27)

* init searxng
* debug searxng
* debug permission issue
* debug docker img
* update docs

.github/workflows/build-docker.yml

@@ -4,13 +4,14 @@ on:
   push:
     branches: [ "main" ]
     paths-ignore: [ "*.md" ]
-
   pull_request:
     branches: [ "main" ]
     paths-ignore: [ "*.md" ]
-
   workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true  
 
 env:
   BUILDKIT_PROGRESS: "plain"  # Full logs for CI build.
@@ -73,6 +74,16 @@ jobs:
       - run: |
           source ./tool.sh && build_image openresty latest docker_openresty/Dockerfile && push_image
 
+  ## OpenResty as gateway
+  qpod_searxng:
+    name: 'searxng'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          source ./tool.sh && build_image searxng latest docker_searxng/searxng.Dockerfile && push_image
+
+
   ## DevBox - base
   qpod_base-dev:
     name: 'developer,base-dev'

docker_devbox/work/start-caddy.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+[ $BASH ] && [ -f /etc/profile  ] && [ -z $ENTER_PROFILE ] && . /etc/profile
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+URL_PREFIX=${JUPYTERHUB_SERVICE_PREFIX:-"/"} exec /usr/local/bin/caddy run --config  /etc/caddy/Caddyfile

docker_devbox/work/start-supervisord.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+[ $BASH ] && [ -f /etc/profile  ] && [ -z $ENTER_PROFILE ] && . /etc/profile
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+LOG_FORMAT=json exec supervisord -c /etc/supervisord/supervisord.conf

docker_searxng/README.md

@@ -0,0 +1,30 @@
+# SearxNG
+
+## Start standalone version with docker-compose
+
+**Notice**: remember to check the `SEARXNG_BASE_URL` and `SEARXNG_HOSTNAME` environment variable in the config file.
+
+Make sure the `SEARXNG_BASE_URL` variables points to a URL prefix that users use to open webpage in browser.
+
+```bash
+cd demo
+
+# export SEARXNG_HOSTNAME="http://localhost:81"
+docker-compose -f ./docker-compose.searxng-standalone.yml up -d
+```
+
+## Debug with Docker
+
+```bash
+docker run -d --rm \
+    --name=svc-searxng \
+    --hostname=svc-searxng \
+    -p 8000:8000 \
+    -e SEARXNG_HOSTNAME=":8000" \
+    -e SEARXNG_BASE_URL=https://${localhost:8000}/ \
+    -e UWSGI_WORKERS=${SEARXNG_UWSGI_WORKERS:-4} \
+    -e UWSGI_THREADS=${SEARXNG_UWSGI_THREADS:-4} \
+    qpod/searxng
+
+ docker exec -it svc-searxng bash
+```

docker_searxng/demo/docker-compose.searxng-standalone.yml

@@ -0,0 +1,33 @@
+networks:
+  net-searxng:
+
+services:
+  svc-searxng:
+    container_name: svc-searxng
+    image: docker.io/qpod/searxng:latest
+    restart: unless-stopped
+    networks:
+      - net-searxng
+    ports:
+      - "8000:8000"
+    # volumes:
+      # - ./searxng/settings.yml:/etc/searxng/settings.yml:rw
+      # - ./searxng/limiter.toml:/etc/searxng/limiter.toml:rw
+      # - ./searxng/Caddyfile:/etc/searxng/Caddyfile:rw
+      # - ./searxng/supervisord.conf:/etc/searxng/supervisord.conf:rw
+    environment:
+      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost:8000}/
+      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:8000}
+      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+      - UWSGI_WORKERS=${SEARXNG_UWSGI_WORKERS:-4}
+      - UWSGI_THREADS=${SEARXNG_UWSGI_THREADS:-4}
+    # user: root
+    # command: ["/opt/searxng/start-supervisord.sh"]
+    # command: ["tail", "-f", "/dev/null"]
+    # cap_drop: ["ALL"]
+    # cap_add: ["AUDIT_WRITE", "CHOWN", "SETGID", "SETUID", "NET_BIND_SERVICE"]
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"

docker_searxng/searxng.Dockerfile

@@ -0,0 +1,55 @@
+# Distributed under the terms of the Modified BSD License.
+
+ARG BASE_NAMESPACE
+ARG BASE_IMG="base"
+
+FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}
+
+COPY work /tmp/searxng
+
+RUN set -eux \
+ && SEARXNG_GID=977 && SEARXNG_UID=977 \
+ && addgroup -gid ${SEARXNG_GID} searxng \
+ && adduser  -uid ${SEARXNG_UID} --disabled-password --home /opt/searxng -shell /bin/bash --ingroup searxng searxng \
+ && usermod -aG root searxng \
+ && apt-get -qq update -yq --fix-missing && apt-get -qq install -yq --no-install-recommends \
+      libxslt-dev zlib1g-dev libffi-dev libssl-dev \
+ && pip install -U pyyaml uwsgi \
+ && cd /opt/searxng \
+ && git config --global --add safe.directory /opt/searxng \
+ && git init && git remote add origin https://github.com/searxng/searxng \
+ && git fetch && git checkout -t origin/master \
+ && pip install --use-pep517 --no-build-isolation -e . \
+ && mv /tmp/searxng/* /opt/searxng && ln -sf /opt/searxng/etc /etc/searxng \
+ && ln -sf /opt/searxng /usr/local/ \
+ # ----------------------------- Install supervisord
+ && source /opt/utils/script-setup-sys.sh && setup_supervisord \
+ # ----------------------------- Install caddy
+ && source /opt/utils/script-setup-net.sh && setup_caddy \
+ # Clean up and display components version information...
+ && fix_permission searxng /opt/searxng/ \
+ && chmod +x /opt/searxng/*.sh \
+ && chmod -R ugo+rws /var/log /var/run \
+ && list_installed_packages && install__clean
+
+ENV SEARXNG_HOSTNAME="http://localhost:8000"
+ENV SEARXNG_TLS=internal
+
+ENV SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+ENV SEARXNG_SETTINGS_PATH="/etc/searxng/settings.yml"
+ENV UWSGI_SETTINGS_PATH="/opt/searxng/dockerfiles/uwsgi.ini"
+ENV UWSGI_WORKERS=4
+ENV UWSGI_THREADS=4
+
+ENTRYPOINT ["tini", "-g", "--"]
+
+# '-c' option make bash commands are read from string.
+#   If there are arguments after the string, they are assigned to the positional parameters, starting with $0.
+# '-o pipefail'  prevents errors in a pipeline from being masked.
+#   If any command in a pipeline fails, that return code will be used as the return code of the whole pipeline.
+# '--login': make bash first reads and executes commands from  the file /etc/profile, if that file exists.
+#   After that, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
+SHELL ["/bin/bash", "--login", "-o", "pipefail", "-c"]
+WORKDIR /opt/searxng
+CMD ["/opt/searxng/start-supervisord.sh"]
+EXPOSE 8080 9001 8000

docker_searxng/work/etc/Caddyfile

@@ -0,0 +1,100 @@
+# ref: https://github.com/searxng/searxng-docker/blob/master/Caddyfile
+{
+  admin off
+}
+
+{$SEARXNG_HOSTNAME} {
+  log {
+        output discard
+  }
+
+  # tls {$SEARXNG_TLS}
+
+  @api {
+        path /config
+        path /healthz
+        path /stats/errors
+        path /stats/checker
+  }
+
+  @static {
+        path /static/*
+  }
+
+  @notstatic {
+        not path /static/*
+  }
+
+  @imageproxy {
+        path /image_proxy
+  }
+
+  @notimageproxy {
+        not path /image_proxy
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+
+        # Disable some features
+        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+        # Disable some features (legacy)
+        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+        # Referer
+        Referrer-Policy "no-referrer"
+
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+
+        # Remove Server header
+        -Server
+  }
+
+  header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
+  }
+
+  # Cache
+  header @static {
+        # Cache
+        Cache-Control "public, max-age=31536000"
+        defer
+  }
+
+  header @notstatic {
+        # No Cache
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
+  }
+
+  # CSP (see http://content-security-policy.com/ )
+  header @imageproxy {
+        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+  }
+
+  header @notimageproxy {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+  }
+
+  # SearXNG
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8080 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Real-IP {remote_host}
+        }
+  }
+
+}

docker_searxng/work/etc/limiter.toml

@@ -0,0 +1,6 @@
+# This configuration file updates the default configuration file
+# See https://github.com/searxng/searxng/blob/master/searx/limiter.toml
+
+[botdetection.ip_limit]
+# activate link_token method in the ip_limit method
+link_token = true

docker_searxng/work/etc/settings.yml

@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
+use_default_settings: true
+server:
+  # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+  secret_key: "ultrasecretkey"  # change this!
+  image_proxy: true
+  limiter: false  # can be disabled for a private instance, requires redis when enabled
+ui:
+  static_use_hash: true
+# redis:
+#  url: redis://redis:6379/0