Merge remote-tracking branch 'refs/remotes/upstream/master'

# Conflicts:
#	docker-compose.yaml

.env

@@ -1,23 +1,7 @@
-# hostname
+# By default listen on https://localhost
-SEARX_HOSTNAME=localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
 
-# comment both if SEARX_HOSTNAME is NOT localhost
+# SEARXNG_HOSTNAME=<host>
-SEARX_PROTOCOL=https://
+# LETSENCRYPT_EMAIL=<email>
-SEARX_TLS=self_signed
-
-# automatically update settings to the new version
-# comment this line if you made / will make some modifications to the settings
-SEARX_COMMAND=-f
-
-# Let's encrypt contact information
-LETSENCRYPT_EMAIL=email@example.com
-
-# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
-LETSENCRYPT_AGREE=false
-
-# use openssl rand -base64 33
-MORTY_KEY=ReplaceWithARealKey!
-
-# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
-FILTRON_USER=filtron
-FILTRON_PASSWORD=SetARealPassword

.gitignore

@@ -1,6 +1,6 @@
 *~
 
-searx-docker.service
+searxng-docker.service
 caddy
 srv
-searx
+searxng/uwsgi.ini

Caddyfile

@@ -1,21 +1,38 @@
-{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
+{
-  tls {$SEARX_TLS}
+  admin off
-  gzip {
+}
-        not /morty
-  }
-  root /srv
 
-  header /config {
+{$SEARXNG_HOSTNAME} {
-        Access-Control-Allow-Methods "GET, OPTIONS"
+  log {
-        Access-Control-Allow-Origin  "*"
+        output discard
   }
 
-  header /status {
+  tls {$SEARXNG_TLS}
-        Access-Control-Allow-Methods "GET, OPTIONS"
+
-        Access-Control-Allow-Origin  "*"
+  @api {
+        path /config
+        path /healthz
+        path /stats/errors
+        path /stats/checker
   }
 
-  header / {
+  @static {
+        path /static/*
+  }
+
+  @notstatic {
+        not path /static/*
+  }
+
+  @imageproxy {
+        path /image_proxy
+  }
+
+  @notimageproxy {
+        not path /image_proxy
+  }
+
+  header {
         # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
@@ -25,18 +42,11 @@
         # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
         X-Content-Type-Options "nosniff"
 
-        # Disallow the site to be rendered within a frame (clickjacking protection)
-        X-Frame-Options "SAMEORIGIN"
-
-        # CSP (see http://content-security-policy.com/ )
-        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
-
         # Disable some features
-        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
 
-        # Cache
+        # Disable some features (legacy)
-        Cache-Control "no-cache, no-store"
+        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
-        Pragma "no-cache"
 
         # Referer
         Referrer-Policy "no-referrer"
@@ -48,36 +58,42 @@
         -Server
   }
 
-  header /morty {
+  header @api {
-        Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
   }
 
-  header /static {
+  # Cache
+  header @static {
+        # Cache
         Cache-Control "public, max-age=31536000"
-        -Pragma
+        defer
   }
 
-  rewrite / {
+  header @notstatic {
-        regexp ^/status$
+        # No Cache
-        to /searx-checker/status.json
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
   }
 
-  proxy / localhost:4040 {
+  # CSP (see http://content-security-policy.com/ )
-        transparent
+  header @imageproxy {
-        header_upstream X-Forwarded-TlsProto {tls_protocol}
+        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
-        header_upstream X-Forwarded-TlsCipher {tls_cipher}
-        header_upstream X-Forwarded-HttpsProto {proto}
-
-        except /searx-checker/status.json
   }
 
-  basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
+  header @notimageproxy {
-  proxy /filtron/rules localhost:4041 {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
-        without /filtron
   }
 
-  proxy /morty localhost:3000
+  # SearXNG
+  handle {
+        encode zstd gzip
 
-  limits 10KB
+        reverse_proxy localhost:8080 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Real-IP {remote_host}
+        }
+  }
 
 }

README.md

@@ -1,60 +1,88 @@
-# searx-docker
+# searxng-docker
 
-Create a new searx instance in five minutes using Docker (see https://github.com/asciimoo/searx/issues/1561 )
+Create a new SearXNG instance in five minutes using Docker
-
-This is a work in progress, the bot protection is basic and not battle tested, and later on, may [change](https://github.com/unixfox/antibot-proxy).
 
 ## What is included ?
 
 | Name | Description | Docker image | Dockerfile |
 | -- | -- | -- | -- |
-| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) |
+| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [docker.io/library/caddy:2-alpine](https://hub.docker.com/_/caddy)           | [Dockerfile](https://github.com/caddyserver/caddy-docker/blob/master/Dockerfile.tmpl) |
-| [Filtron](https://github.com/asciimoo/filtron) |  Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
+| [SearXNG](https://github.com/searxng/searxng) | SearXNG by itself                                              | [docker.io/searxng/searxng:latest](https://hub.docker.com/r/searxng/searxng) | [Dockerfile](https://github.com/searxng/searxng/blob/master/Dockerfile)               |
-| [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
+| [Valkey](https://github.com/valkey-io/valkey) | In-memory database                                             | [cgr.dev/chainguard/valkey:latest](https://cgr.dev/chainguard/valkey)        | [Valkey-image](https://github.com/chainguard-images/images/tree/main/images/valkey)             |
-| [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
-| [Searx-checker](https://github.com/searx/searx-checker) | Check which engines return results of the instance.<br>JSON result available at<br>```https://{SEARX_HOSTNAME}/status```<br>Automatically updated every 24h | [searx/searx-checker:latest](https://hub.docker.com/r/searx/searx-checker) | [Dockerfile](https://github.com/searx/searx-checker/blob/master/Dockerfile) |
 
 ## How to use it
+
 - [Install docker](https://docs.docker.com/install/)
-- [Install docker-compose](https://docs.docker.com/compose/install/) (be sure that docker-compose version is at least 1.9.0).
+- Get searxng-docker
-- Get searx-docker
+  ```sh
-```sh
+  cd /usr/local
-cd /usr/local
+  git clone https://github.com/searxng/searxng-docker.git
-git clone https://github.com/searx/searx-docker.git
+  cd searxng-docker
-cd searx-docker
+  ```
-```
+- Edit the [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file to set the hostname and an email
-- Edit the [.env](https://github.com/searx/searx-docker/blob/master/.env) file according to your need
+- Generate the secret key `sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" searxng/settings.yml`
-- Check everything is working: ```./start.sh```,
+- Edit the [searxng/settings.yml](https://github.com/searxng/searxng-docker/blob/master/searxng/settings.yml) file according to your need
-- ```cp searx-docker.service.template searx-docker.service```
+- Check everything is working: `docker compose up`
-- edit the content of ```WorkingDirectory``` in the ```searx-docker.service``` file (only if the installation path is different from /usr/local/searx-docker)
+- Run SearXNG in the background: `docker compose up -d`
-- Install the systemd unit :
+
-```sh
+> [!WARNING]  
-systemctl enable $(pwd)/searx-docker.service
+> If you use an older version of docker desktop (`< 3.6.0`), you may have to install Docker Compose v1.
-systemctl start searx-docker.service
+> Accordingly, you should modify the commands in this documentation to suit Docker Compose v1. For instance, change 'docker compose up' to 'docker-compose up'.
-```
+>
+> [Install the docker-compose plugin](https://docs.docker.com/compose/install/#scenario-two-install-the-compose-plugin) (be sure that docker-compose version is at least 1.9.0)
+
+## How to access the logs
+
+To access the logs from all the containers use: `docker compose logs -f`.
+
+To access the logs of one specific container:
+
+- Caddy: `docker compose logs -f caddy`
+- SearXNG: `docker compose logs -f searxng`
+- Valkey: `docker compose logs -f redis`
+
+### Start SearXNG with systemd
+
+You can skip this step if you don't use systemd.
+
+- ```cp searxng-docker.service.template searxng-docker.service```
+- edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker)
+- Install the systemd unit:
+  ```sh
+  systemctl enable $(pwd)/searxng-docker.service
+  systemctl start searxng-docker.service
+  ```
 
 ## Note on the image proxy feature
 
-The searx image proxy is activated by default using [Morty](https://github.com/asciimoo/morty).
+The SearXNG image proxy is activated by default.
 
-The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to {SEARX_HOSTNAME} and ```https://*.tile.openstreetmap.org;```.
+The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to ```${SEARXNG_HOSTNAME}``` and ```https://*.tile.openstreetmap.org;```.
 
-If some users wants to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searx/searx-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;```
+If some users want to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searxng/searxng-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;```.
-
-## Custom docker-compose.yaml
-
-Do not modify docker-compose.yaml otherwise you won't be able to update easily from the git repository.
-
-It is possible to the [extend feature](https://docs.docker.com/compose/extends/) of docker-compose :
-- stop the service : ```systemctl stop searx-docker.service```
-- create a new docker-compose-extend.yaml, check with ```start.sh```
-- update searx-docker.service (see SEARX_DOCKERCOMPOSEFILE)
-- restart the servie  : ```systemctl restart searx-docker.service```
 
 ## Multi Architecture Docker images
 
-For now only the amd64 platform is supported.
+Supported architecture:
+
+- amd64
+- arm64
+- arm/v7
 
 ## How to update ?
 
-Check the content of [```update.sh```](https://github.com/searx/searx-docker/blob/master/update.sh)
+To update the SearXNG stack:
+
+```sh
+git pull
+docker compose pull
+docker compose up -d
+```
+
+Or the old way (with the old docker-compose version):
+
+```sh
+git pull
+docker-compose pull
+docker-compose up -d
+```

docker-compose.yaml

@@ -1,101 +1,77 @@
-version: '3.7'
+version: "3.7"
 
 services:
-
   caddy:
     container_name: caddy
-    image: abiosoft/caddy:1.0.3-no-stats
+    image: docker.io/library/caddy:2-alpine
-    ports:
-      - 80:80
-      - 443:443
     network_mode: host
-    command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
+    restart: unless-stopped
     volumes:
-      - ./Caddyfile:/etc/Caddyfile:rw
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - ./caddy:/root/.caddy:rw
+      - caddy-data:/data:rw
-      - ./srv:/srv:rw
+      - caddy-config:/config:rw
-      - searx-checker:/srv/searx-checker:rw
     environment:
-      - SEARX_HOSTNAME=${SEARX_HOSTNAME}
+      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
-      - SEARX_PROTOCOL=${SEARX_PROTOCOL:-}
+      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
-      - SEARX_TLS=${SEARX_TLS:-}
-      - FILTRON_USER=${FILTRON_USER}
-      - FILTRON_PASSWORD=${FILTRON_PASSWORD}
     cap_drop:
       - ALL
     cap_add:
       - NET_BIND_SERVICE
-      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
 
-  filtron:
+  redis:
-    container_name: filtron
+    container_name: redis
-    image: dalf/filtron
+    image: cgr.dev/chainguard/valkey:latest
-    restart: always
+    command: --save 30 1 --loglevel warning
-    ports:
+    restart: unless-stopped
-      - 4040:4040
-      - 4041:4041
     networks:
-      - searx
+      - searxng
-    command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
     volumes:
-      - ./rules.json:/etc/filtron/rules.json:rw
+      - valkey-data:/data
-    read_only: true
     cap_drop:
       - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"
 
-  searx:
+  searxng:
-    container_name: searx
+    container_name: searxng
-    image: searx/searx:latest
+    image: docker.io/fauli1221/ponysearch:latest
-    restart: always
+    restart: unless-stopped
     networks:
-      - searx
+      - searxng
-    command: ${SEARX_COMMAND:-}
+    ports:
+      - "127.0.0.1:8080:8080"
     volumes:
-      - ./searx:/etc/searx:rw
+      - ./searxng:/etc/searxng:rw
     environment:
-      - BIND_ADDRESS=0.0.0.0:8080
+      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
-      - BASE_URL=https://${SEARX_HOSTNAME}/
-      - MORTY_URL=https://${SEARX_HOSTNAME}/morty/
-      - MORTY_KEY=${MORTY_KEY}
     cap_drop:
       - ALL
     cap_add:
       - CHOWN
       - SETGID
       - SETUID
-      - DAC_OVERRIDE
-
-  morty:
-    container_name: morty
-    image: dalf/morty
-    restart: always
-    ports:
-      - 3000:3000
-    networks:
-      - searx
-    command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
-    environment:
-      - MORTY_KEY=${MORTY_KEY}
     logging:
-      driver: none
+      driver: "json-file"
-    read_only: true
+      options:
-    cap_drop:
+        max-size: "1m"
-      - ALL
+        max-file: "1"
-
-  searx-checker:
-    container_name: searx-checker
-    image: searx/searx-checker
-    restart: always
-    networks:
-      - searx
-    command: -cron -o html/data/status.json http://searx:8080
-    volumes:
-      - searx-checker:/usr/local/searx-checker/html/data:rw
 
 networks:
-  searx:
+  searxng:
-    ipam:
-      driver: default
 
 volumes:
-  searx-checker:
+  caddy-data:
+  caddy-config:
+  valkey-data:

rules.json

@@ -1,138 +0,0 @@
-[
-    {
-        "name": "searx.space",
-        "filters": ["Header:X-Forwarded-For=(2001:41d0:8:de3::1|176.31.252.227)"],
-        "stop": true,
-        "actions": [{ "name": "log"}]
-    },
-    {
-        "name": "IP limit, all paths",
-        "interval": 3,
-        "limit": 25,
-        "aggregations": ["Header:X-Forwarded-For"],
-        "actions": [
-            {"name": "block",
-             "params": {"message": "Rate limit exceeded, try again later."}}
-        ]
-    },
-    {
-        "name": "useragent limit, all paths",
-        "interval": 30,
-        "limit": 200,
-        "aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
-        "stop": true,
-        "actions": [
-            {"name": "block",
-             "params": {"message": "Rate limit exceeded, try again later."}}
-        ]
-    },
-    {
-        "name": "search request",
-        "filters": ["Param:q", "Path=^(/|/search)$"],
-        "subrules": [
-            {
-                "name": "robot agent forbidden",
-                "limit": 0,
-                "stop": true,
-                "filters": ["Header:User-Agent=([Cc][Uu][Rr][Ll]|[wW]get|Scrapy|splash|JavaFX|FeedFetcher|python-requests|Go-http-client|Java|Jakarta|okhttp|HttpClient|Jersey|Python|libwww-perl|Ruby|SynHttpClient|UniversalFeedParser)"],
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "bot forbidden",
-                "limit": 0,
-                "stop": true,
-                "filters": ["Header:User-Agent=(Googlebot|GoogleImageProxy|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT|Sogou|Abonti|Pixray|Spinn3r|SemrushBot|Exabot|ZmEu|BLEXBot|bitlybot)"],
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "block missing accept-language",
-                "filters": ["!Header:Accept-Language"],
-                "limit": 0,
-                "stop": true,
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "block Connection:close",
-                "filters": ["Header:Connection=close"],
-                "limit": 0,
-                "stop": true,
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "block no gzip support",
-                "filters": ["!Header:Accept-Encoding=(^gzip$|^gzip[;,]|[; ]gzip$|[; ]gzip[;,])"],
-                "limit": 0,
-                "stop": true,
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "block no deflate support",
-                "filters": ["!Header:Accept-Encoding=(^deflate$|^deflate[;,]|[; ]deflate$|[; ]deflate[;,])"],
-                "limit": 0,
-                "stop": true,
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "block accept everything",
-                "filters": ["!Header:Accept=text/html"],
-                "limit": 0,
-                "stop": true,
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded"}}
-                ]
-            },
-            {
-                "name": "rss/json limit",
-                "interval": 3600,
-                "limit": 4,
-                "stop": true,
-                "filters": ["Param:format=(csv|json|rss)"],
-                "aggregations": ["Header:X-Forwarded-For"],
-                "actions": [
-                    {"name": "block",
-		     "params": {"message": "Rate limit exceeded, try again later."}}
-                ]
-            },
-            {
-                "name": "IP limit",
-                "interval": 3,
-                "limit": 3,
-                "aggregations": ["Header:X-Forwarded-For"],
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded, try again later."}}
-                ]
-            },
-            {
-                "name": "IP and useragent limit",
-                "interval": 600,
-                "limit": 60,
-                "stop": true,
-                "aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
-                "actions": [
-                    {"name": "block",
-                     "params": {"message": "Rate limit exceeded, try again later."}}
-		]
-            }
-        ]
-    }
-]

searx-docker.service.template

@@ -1,16 +0,0 @@
-[Unit]
-Description=searx service
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-Environment=SEARX_DIR=/usr/local/searx-docker
-Environment=SEARX_DOCKERCOMPOSEFILE=docker-compose.yaml
-
-ExecStart=/bin/sh -c "${SEARX_DIR}/start.sh"
-ExecStop=/bin/sh -c "${SEARX_DIR}/stop.sh"
-
-[Install]
-WantedBy=multi-user.target

searxng-docker.service.template

@@ -0,0 +1,16 @@
+[Unit]
+Description=SearXNG service
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=on-failure
+
+Environment=SEARXNG_DOCKERCOMPOSEFILE=docker-compose.yaml
+
+WorkingDirectory=/usr/local/searxng-docker
+ExecStart=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} up --remove-orphans
+ExecStop=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} down
+
+[Install]
+WantedBy=multi-user.target

searxng/limiter.toml

@@ -0,0 +1,6 @@
+# This configuration file updates the default configuration file
+# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
+
+[botdetection.ip_limit]
+# activate link_token method in the ip_limit method
+link_token = true

searxng/settings.yml

@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
+use_default_settings: true
+server:
+  # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+  secret_key: "ultrasecretkey"  # change this!
+  limiter: true  # can be disabled for a private instance
+  image_proxy: true
+ui:
+  static_use_hash: true
+redis:
+  url: redis://redis:6379/0

start.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
-cd -- "$BASE_DIR"
-
-. ./util.sh
-
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up

stop.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
-cd -- "$BASE_DIR"
-
-. ./util.sh
-
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v

update.sh

@@ -1,92 +0,0 @@
-#!/bin/sh
-#
-# Disclaimer: this is more a documentation than code to execute
-#
-
-# change if require
-SERVICE_NAME="searx-docker.service"
-
-# change if require :
-# fastforward : only fast-forward
-# rebase : rebase with autostash, at your own risk
-UPDATE_TYPE="fastforward"
-
-BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
-cd -- "$BASE_DIR"
-
-# check if git presence
-if [ ! -x "$(which git)" ]; then
-    echo "git not found" 1>&2
-    exit 1
-fi
-
-# check if the current user owns the local git repository
-git_owner=$(stat -c '%U' .git)
-if [ "$git_owner" != "$(whoami)" ]; then
-    echo "The .git repository is own by $git_owner" 1>&2
-    exit 1
-fi
-
-# warning if the current branch is not master
-current_branch=$(git rev-parse --abbrev-ref HEAD)
-if [ "$current_branch" != "master" ]; then
-    echo "Warning: master won't be updated, only $current_branch"
-fi
-
-# git fetch first
-git fetch origin master
-
-# is everything already up-to-date ?
-current_commit=$(git rev-parse $current_branch)
-origin_master_commit=$(git rev-parse origin/master)
-if [ "$current_commit" = "$origin_master_commit" ]; then
-    echo "Already up-to-date, commit $current_commit"
-    exit 0
-fi
-
-# docker stuff
-SEARX_DOCKERCOMPOSE=$(grep "Environment=SEARX_DOCKERCOMPOSEFILE=" "$SERVICE_NAME" | awk -F\= '{ print $3 }')
-. ./util.sh
-
-if [ ! -x "$(which systemctl)" ]; then
-    echo "systemctl not found" 1>&2
-    exit 1
-fi
-
-# stop the systemd service now, because after the update
-# the code might be out of sync with the current running services
-systemctl stop "${SERVICE_NAME}"
-
-# update
-case "$UPDATE_TYPE" in
-    "fastforward")
-	git pull --ff-only origin master
-	;;
-    "rebase")
-	git pull --rebase --autostash origin master
-	;;
-esac
-
-# Check conflicts
-if [ $(git ls-files -u | wc -l) -gt 0 ]; then
-    echo "There are git conflicts"
-else
-    # update docker images
-    docker-compose -f $DOCKERCOMPOSEFILE pull
-
-    # remove dangling images
-    docker rmi $(docker images -f "dangling=true" -q)
-
-    # display searx version
-    SEARX_IMAGE=$(cat $DOCKERCOMPOSEFILE | grep "searx/searx" | grep -v "searx-checker" | awk '{ print $2 }')
-    SEARX_VERSION=$(docker inspect -f '{{index .Config.Labels "org.label-schema.version"}}' $SEARX_IMAGE)
-    echo "Searx version: $SEARX_VERSION"
-    docker images --digests "searx/*:latest"
-
-    # update searx configuration
-    source ./.env
-    docker-compose -f $DOCKERCOMPOSEFILE run searx ${SEARX_COMMAND} -d
-
-    # let the user see
-    echo "Use\nsystemctl start \"${SERVICE_NAME}\"\nto restart searx"
-fi

util.sh

@@ -1,26 +0,0 @@
-set -e
-
-DOCKERCOMPOSE=$(which docker-compose || echo "/usr/local/bin/docker-compose")
-DOCKERCOMPOSEFILE="${DOCKERCOMPOSEFILE:-docker-compose.yaml}"
-
-echo "use ${DOCKERCOMPOSEFILE}"
-
-if [ ! -x "$(which docker)" ]; then
-    echo "docker not found" 1>&2
-    exit 1
-fi
-
-if ! docker version > /dev/null 2>&1; then
-    echo "can't execute docker (current user: $(whoami))" 1>&2
-    exit 1
-fi
-
-if [ ! -x "${DOCKERCOMPOSE}" ]; then
-    echo "docker-compose not found" 1>&2
-    exit 1
-fi
-
-if [ ! -f "${DOCKERCOMPOSEFILE}" ]; then
-    echo "${DOCKERCOMPOSEFILE} not found" 1>&2
-    exit 1
-fi