+1

k8s/nebula/apps/kustomization.yaml

reviewed

··· 7 7 - collab 8 8 - comms 9 9 - security 10 10 + - services 10 11 - monitoring 11 12 - networking 12 13 # - system

+5

k8s/nebula/apps/services/kustomization.yaml

reviewed

··· 1 1 + apiVersion: kustomize.config.k8s.io/v1beta1 2 2 + kind: Kustomization 3 3 + resources: 4 4 + - ./ns.yaml 5 5 + - ./searxng/ks.yaml

+4

k8s/nebula/apps/services/ns.yaml

reviewed

··· 1 1 + apiVersion: v1 2 2 + kind: Namespace 3 3 + metadata: 4 4 + name: services

+21

k8s/nebula/apps/services/searxng/app/es.yaml

reviewed

··· 1 1 + --- 2 2 + # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json 3 3 + apiVersion: external-secrets.io/v1beta1 4 4 + kind: ExternalSecret 5 5 + metadata: 6 6 + name: &app searxng 7 7 + spec: 8 8 + refreshInterval: 1h 9 9 + secretStoreRef: 10 10 + kind: ClusterSecretStore 11 11 + name: onepassword-connect 12 12 + target: 13 13 + name: *app 14 14 + creationPolicy: Owner 15 15 + template: 16 16 + engineVersion: v2 17 17 + data: 18 18 + SEARXNG_SECRET: "{{ .SEARXNG_SECRET_KEY }}" 19 19 + dataFrom: 20 20 + - extract: 21 21 + key: searxng

+103

k8s/nebula/apps/services/searxng/app/hr.yaml

reviewed

··· 1 1 + --- 2 2 + # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 3 + apiVersion: helm.toolkit.fluxcd.io/v2 4 4 + kind: HelmRelease 5 5 + metadata: 6 6 + name: searxng 7 7 + spec: 8 8 + interval: 30m 9 9 + chart: 10 10 + spec: 11 11 + chart: app-template 12 12 + version: 3.6.1 13 13 + interval: 30m 14 14 + sourceRef: 15 15 + kind: HelmRepository 16 16 + name: bjw-s 17 17 + namespace: flux-system 18 18 + 19 19 + values: 20 20 + controllers: 21 21 + searxng: 22 22 + strategy: RollingUpdate 23 23 + annotations: 24 24 + reloader.stakater.com/auto: "true" 25 25 + 26 26 + containers: 27 27 + main: 28 28 + image: 29 29 + repository: docker.io/searxng/searxng 30 30 + tag: 2024.6.30-39aaac40d 31 31 + env: 32 32 + SEARXNG_BASE_URL: https://search.skylab.fi 33 33 + SEARXNG_URL: https://search.skylab.fi 34 34 + SEARXNG_PORT: &httpPort 8080 35 35 + SEARXNG_REDIS_URL: redis://dragonfly.databases.svc.cluster.local:6379 36 36 + envFrom: 37 37 + - secretRef: 38 38 + name: searxng 39 39 + probes: 40 40 + liveness: &probes 41 41 + enabled: true 42 42 + custom: true 43 43 + spec: 44 44 + httpGet: 45 45 + path: /stats 46 46 + port: 8080 47 47 + initialDelaySeconds: 0 48 48 + periodSeconds: 10 49 49 + timeoutSeconds: 1 50 50 + failureThreshold: 3 51 51 + readiness: *probes 52 52 + resources: 53 53 + requests: 54 54 + cpu: 10m 55 55 + memory: 256Mi 56 56 + limits: 57 57 + memory: 2Gi 58 58 + securityContext: 59 59 + allowPrivilegeEscalation: false 60 60 + readOnlyRootFilesystem: true 61 61 + capabilities: 62 62 + drop: 63 63 + - ALL 64 64 + add: 65 65 + - CHOWN 66 66 + - SETGID 67 67 + - SETUID 68 68 + - DAC_OVERRIDE 69 69 + 70 70 + service: 71 71 + app: 72 72 + controller: searxng 73 73 + ports: 74 74 + http: 75 75 + port: *httpPort 76 76 + 77 77 + ingress: 78 78 + app: 79 79 + className: "internal-nginx" 80 80 + hosts: 81 81 + - host: search.skylab.fi 82 82 + paths: 83 83 + - path: / 84 84 + service: 85 85 + identifier: app 86 86 + port: http 87 87 + 88 88 + persistence: 89 89 + config: 90 90 + type: configMap 91 91 + name: searxng-configmap 92 92 + globalMounts: 93 93 + - path: /etc/searxng/settings.yml 94 94 + subPath: settings.yml 95 95 + readOnly: true 96 96 + - path: /etc/searxng/limiter.toml 97 97 + subPath: limiter.toml 98 98 + readOnly: true 99 99 + tmpfs: 100 100 + enabled: true 101 101 + type: emptyDir 102 102 + globalMounts: 103 103 + - path: /etc/searxng

+14

k8s/nebula/apps/services/searxng/app/kustomization.yaml

reviewed

··· 1 1 + --- 2 2 + # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 3 + apiVersion: kustomize.config.k8s.io/v1beta1 4 4 + kind: Kustomization 5 5 + resources: 6 6 + - ./es.yaml 7 7 + - ./hr.yaml 8 8 + configMapGenerator: 9 9 + - name: searxng-configmap 10 10 + files: 11 11 + - ./resources/limiter.toml 12 12 + - ./resources/settings.yml 13 13 + generatorOptions: 14 14 + disableNameSuffixHash: true

+40

k8s/nebula/apps/services/searxng/app/resources/limiter.toml

reviewed

··· 1 1 + [real_ip] 2 2 + 3 3 + # Number of values to trust for X-Forwarded-For. 4 4 + 5 5 + x_for = 1 6 6 + 7 7 + # The prefix defines the number of leading bits in an address that are compared 8 8 + # to determine whether an address is part of a (client) network. 9 9 + 10 10 + ipv4_prefix = 32 11 11 + ipv6_prefix = 48 12 12 + 13 13 + [botdetection.ip_limit] 14 14 + 15 15 + # To get unlimited access in a local network, by default link-lokal addresses 16 16 + # (networks) are not monitored by the ip_limit 17 17 + filter_link_local = true 18 18 + 19 19 + # activate link_token method in the ip_limit method 20 20 + link_token = false 21 21 + 22 22 + [botdetection.ip_lists] 23 23 + 24 24 + # In the limiter, the ip_lists method has priority over all other methods -> if 25 25 + # an IP is in the pass_ip list, it has unrestricted access, and it is also not 26 26 + # checked if e.g. the "user agent" suggests a bot (e.g. curl). 27 27 + 28 28 + block_ip = [ 29 29 + ] 30 30 + 31 31 + pass_ip = [ 32 32 + '192.168.0.0/16', 33 33 + '10.0.0.0/8', 34 34 + 'fd9d:7a72:44eb:a::/64', 35 35 + '2001:14ba:45a:210f::/64' 36 36 + ] 37 37 + 38 38 + # Activate passlist of (hardcoded) IPs from the SearXNG organization, 39 39 + # e.g. `check.searx.space`. 40 40 + pass_searxng_org = false

+57

k8s/nebula/apps/services/searxng/app/resources/settings.yml

reviewed

··· 1 1 + --- 2 2 + use_default_settings: true 3 3 + 4 4 + server: 5 5 + limiter: true 6 6 + image_proxy: true 7 7 + method: GET # https://github.com/searxng/searxng/pull/3619 8 8 + public_instance: false 9 9 + 10 10 + search: 11 11 + autocomplete: google 12 12 + favicon_resolver: duckduckgo 13 13 + languages: 14 14 + - all 15 15 + - en 16 16 + - en-US 17 17 + - fi 18 18 + - fi-FI 19 19 + 20 20 + general: 21 21 + instance_name: Skylab Search 22 22 + 23 23 + ui: 24 24 + default_theme: simple 25 25 + infinite_scroll: true 26 26 + query_in_title: true 27 27 + results_on_new_tab: true 28 28 + static_use_hash: true 29 29 + theme_args: 30 30 + simple_style: auto 31 31 + 32 32 + categories_as_tabs: 33 33 + general: 34 34 + images: 35 35 + videos: 36 36 + map: 37 37 + 38 38 + enabled_plugins: 39 39 + - Basic Calculator 40 40 + - Hash plugin 41 41 + - Hostnames plugin 42 42 + - Open Access DOI rewrite 43 43 + - Self Informations 44 44 + - Tracker URL remover 45 45 + - Unit converter plugin 46 46 + 47 47 + hostnames: 48 48 + high_priority: 49 49 + - (.*)\/blog\/(.*) 50 50 + - (.*\.)?wikipedia.org$ 51 51 + - (.*\.)?github.com$ 52 52 + - (.*\.)?reddit.com$ 53 53 + - (.*\.)?docker.com$ 54 54 + - (.*\.)?archlinux.org$ 55 55 + - (.*\.)?stackoverflow.com$ 56 56 + - (.*\.)?askubuntu.com$ 57 57 + - (.*\.)?superuser.com$

+25

k8s/nebula/apps/services/searxng/ks.yaml

reviewed

··· 1 1 + --- 2 2 + # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 3 + apiVersion: kustomize.toolkit.fluxcd.io/v1 4 4 + kind: Kustomization 5 5 + metadata: 6 6 + name: &app searxng 7 7 + namespace: flux-system 8 8 + labels: 9 9 + substitution.flux.home.arpa/enabled: "true" 10 10 + spec: 11 11 + path: "./k8s/nebula/apps/services/searxng/app/" 12 12 + prune: true 13 13 + sourceRef: 14 14 + kind: GitRepository 15 15 + name: flux-system 16 16 + interval: 30m 17 17 + retryInterval: 1m 18 18 + timeout: 3m 19 19 + targetNamespace: services 20 20 + commonMetadata: 21 21 + labels: 22 22 + app.kubernetes.io/name: *app 23 23 + postBuild: 24 24 + substitute: 25 25 + APP: *app