6.2 KiB
SearXNG Service Configuration Guide
Overview
This module provides a secure, privacy-focused SearXNG metasearch engine configuration designed for home lab environments. Key features include:
- Privacy-first: No query logging, private instance settings
- Network Security: Only accessible from Tailscale VPN network
- Reverse Proxy: Uses your reverse-proxy machine for outbound traffic
- Security Hardening: Systemd security restrictions, Content Security Policy headers
- Easy Configuration: Simple NixOS module with sensible defaults
Architecture
[Client on Tailscale]
↓ (HTTP/HTTPS)
[SearXNG Service]
↓ (Search requests via HTTP proxy)
[Reverse Proxy]
↓ (Outbound to internet)
[Search Engines]
Configuration
Basic Setup
Add to your machine's configuration.nix
:
{
imports = [ ../../modules/services/SearXNG.nix ];
services.searxng-lab = {
enable = true;
hostName = "searxng.your-lab.internal";
reverseProxyHost = "reverse-proxy"; # Your reverse proxy hostname
};
}
Advanced Configuration
{
services.searxng-lab = {
enable = true;
hostName = "search.lab.local";
port = 8888; # SearXNG backend port
reverseProxyHost = "proxy.lab.local";
reverseProxyPort = 3128; # HTTP proxy port
openFirewall = true; # Open port 80 for HTTP access
tailscaleOnly = true; # Restrict to Tailscale network
nginxVhost = true; # Create Nginx reverse proxy
};
}
Reverse Proxy Configuration
Your reverse-proxy machine needs to provide HTTP proxy functionality. Add this to your reverse-proxy configuration:
# On reverse-proxy machine
services.squid = {
enable = true;
configText = ''
# Basic proxy configuration
http_port 3128
# Allow connections from your home lab network
acl homelab src 192.168.1.0/24
acl homelab src 100.0.0.0/8 # Tailscale network
# Allow CONNECT for HTTPS
acl CONNECT method CONNECT
acl SSL_ports port 443
# Access rules
http_access allow homelab
http_access deny all
# Don't log for privacy
access_log none
# Hide client IP from destination servers
forwarded_for delete
'';
};
# Open firewall for proxy
networking.firewall.allowedTCPPorts = [ 3128 ];
Network Access
Tailscale Setup
Ensure Tailscale is configured on both the SearXNG host and client machines:
# On SearXNG host and client machines
services.tailscale.enable = true;
DNS Configuration
Add hostname resolution to your machines:
networking.hosts = {
"100.x.x.x" = [ "searxng.lab.local" ]; # Replace with actual Tailscale IP
};
Security Features
Network Restrictions
- Only accepts connections from Tailscale network (100.0.0.0/8)
- Nginx access controls deny non-Tailscale traffic
- Systemd IPAddressAllow/Deny for service-level restrictions
Privacy Protection
- No query logging enabled
- Private instance (not listed publicly)
- Rate limiting to prevent abuse
- Secure headers (CSP, HSTS, etc.)
Systemd Hardening
- NoNewPrivileges: Prevents privilege escalation
- PrivateTmp: Isolated temporary directory
- ProtectSystem: Read-only system directories
- RestrictAddressFamilies: Only IPv4/IPv6 allowed
Usage
-
Deploy the Configuration:
nixos-rebuild switch
-
Check Service Status:
systemctl status searxng systemctl status nginx
-
Access the Interface: Navigate to
http://searxng.lab.local
from a Tailscale-connected device -
Test Search: Try searching for something to verify it works and uses the proxy
Troubleshooting
Check Service Logs
journalctl -u searxng -f
journalctl -u nginx -f
Test Network Connectivity
# Test if SearXNG is running
curl -s http://localhost:8888 | head
# Test proxy connectivity from SearXNG host
curl -x http://reverse-proxy:3128 http://httpbin.org/ip
# Test Tailscale connectivity
ping 100.x.x.x # Replace with your Tailscale IP
Verify Proxy Usage
Check that searches go through your reverse proxy by monitoring its logs:
# On reverse-proxy machine
journalctl -u squid -f
Debug Network Access
# Test access restriction
curl -H "Host: searxng.lab.local" http://your-tailscale-ip/
# Check Nginx access logs
tail -f /var/log/nginx/access.log
Customization
Search Engines
Modify the searxngSettings
in the module to enable/disable specific search engines:
# In the module configuration
engines = [
{
name = "google";
disabled = false;
}
{
name = "bing";
disabled = true;
}
];
Themes and UI
Change the UI theme and settings:
ui = {
default_theme = "oscar"; # Other options: simple, oscar, pix-art
infinite_scroll = true;
center_alignment = true;
};
Rate Limiting
Adjust rate limiting settings:
server = {
limiter = true;
public_instance = false;
method = "POST";
};
Integration with Other Services
Monitoring
Add Prometheus monitoring (optional):
services.prometheus.exporters.nginx.enable = true;
services.prometheus.scrapeConfigs = [
{
job_name = "searxng";
static_configs = [
{ targets = [ "localhost:8888" ]; }
];
}
];
Backup
Include SearXNG data in your backup strategy:
# Add to your backup configuration
"/var/lib/searxng"
Security Considerations
- Keep Updated: Regularly update SearXNG package
- Monitor Access: Review Nginx access logs periodically
- Proxy Security: Ensure reverse proxy is properly secured
- Tailscale Security: Use Tailscale ACLs to further restrict access
- Instance Privacy: Never expose this instance publicly
Performance Tuning
For High Usage
# Increase worker processes
systemd.services.searxng.serviceConfig.MemoryMax = "1G";
# Nginx caching
services.nginx.virtualHosts."searxng.lab.local".locations."/static/" = {
expires = "1d";
extraConfig = "add_header Cache-Control public;";
};
For Low Resources
# Reduce memory usage
systemd.services.searxng.serviceConfig.MemoryMax = "256M";
# Disable image proxy if not needed
server.image_proxy = false;