searxng: new role

group_vars/all/vars.yml

@@ -75,6 +75,9 @@ pve_targets:
 - pve01.ffrgb
 - pve02.ffrgb
 
+searxng_domain: sx.regensburg.freifunk.net
+searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
+
 site: ffrgb
 site_domain: regensburg.freifunk.net
 

hosts

@@ -6,6 +6,7 @@ netbox.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
 resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
+sx.regensburg.freifunk.net
 tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
 unms.ffrgb ansible_host=10.90.224.101

roles/searxng/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart searxng
+  service: name=searxng state=restarted
+
+- name: Restart searxng-reload
+  service: name=searxng-reload state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/searxng/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/searxng/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker.io
+    - docker-compose
+
+- name: Create searxng group
+  group: name=searxng
+
+- name: Create searxng user
+  user:
+    name: searxng
+    home: /opt/searxng
+    shell: /bin/bash
+    group: searxng
+    groups: docker
+
+- name: Configure searxng container
+  template: src=docker-compose.yml.j2 dest=/opt/searxng/docker-compose.yml
+  notify: Restart searxng
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ searxng_domain }}.key -out /etc/nginx/ssl/{{ searxng_domain }}.crt -days 730 -subj "/CN={{ searxng_domain }}" creates=/etc/nginx/ssl/{{ searxng_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for searxng
+  template: src=certs.j2 dest=/etc/acertmgr/{{ searxng_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/searxng
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/searxng dest=/etc/nginx/sites-enabled/searxng state=link
+  notify: Restart nginx
+
+# TODO config files inside /opt/searxng/searxng
+
+- name: Systemd unit for searxng
+  template: src=searxng.service.j2 dest=/etc/systemd/system/searxng.service
+  notify:
+  - Reload systemd
+  - Restart searxng
+
+- name: Systemd unit for searxng-reload
+  template: src=searxng-reload.{{ item }}.j2 dest=/etc/systemd/system/searxng-reload.{{ item }}
+  with_items:
+  - "service"
+  - "timer"
+  notify:
+  - Reload systemd
+  - Restart searxng-reload
+
+- name: Start the searxng service
+  service: name=searxng state=started enabled=yes
+
+- name: Enable auto update timer
+  service: name=searxng-reload.timer state=started enabled=yes

roles/searxng/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ searxng_domains }}:
+- path: /etc/nginx/ssl/{{ searxng_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ searxng_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/searxng/templates/docker-compose.yml.j2

@@ -0,0 +1,34 @@
+---
+version: "3.4"
+services:
+  redis:
+    image: redis:alpine
+    tmpfs:
+      - /var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+
+  searxng:
+    image: searxng/searxng:latest
+    ports:
+      - "127.0.0.1:8000:8080"
+    volumes:
+      - ./searxng:/etc/searxng:rw
+    environment:
+      - SEARXNG_BASE_URL=https://{{ searxng_domain }}/
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"

roles/searxng/templates/searxng-reload.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Refresh searxng images
+
+[Service]
+Type=oneshot
+
+ExecStart=/bin/systemctl reload-or-restart searxng.service

roles/searxng/templates/searxng-reload.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Refresh searxng images
+Requires=searxng.service
+After=searxng.service
+
+[Timer]
+OnCalendar=*:0/15
+
+[Install]
+WantedBy=timers.target

roles/searxng/templates/searxng.service.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description=searxng service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=searxng
+Group=searxng
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/searxng
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+# Update images
+ExecStartPre=-/usr/bin/docker-compose pull --quiet
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+# Refresh on reload
+ExecReload=-/usr/bin/docker-compose pull --quiet
+ExecReload=/usr/bin/docker-compose up -d
+
+[Install]
+WantedBy=multi-user.target

roles/searxng/templates/vhost.j2

@@ -0,0 +1,37 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ searxng_domains }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ searxng_domains }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ searxng_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ searxng_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:8000;
+		proxy_set_header Connection $http_connection;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

site.yml

@@ -56,6 +56,11 @@
   - speedtest
   - web_svc
 
+- name: Setup searxng server
+  hosts: sx.regensburg.freifunk.net
+  roles:
+  - searxng
+
 - name: Setup resolver
   hosts: resolver.regensburg.freifunk.net
   roles: