feat!: copy config into container

It is no longer recommended to mount /etc/searxng to a directory for configuration files. Instead, only mount /etc/searxng/auth for the tokens.txt file

Dockerfile

@@ -1,7 +1,7 @@
 # use alpine as base for searx and set workdir as well as env vars
 FROM alpine:3.20 AS base
 
-ENV GID=991 UID=991 UWSGI_WORKERS=1 UWSGI_THREADS=16 UPSTREAM_COMMIT=28d1240fce945a48a2c61c29fff83336410c4c77
+ENV GID=991 UID=991 UWSGI_WORKERS=1 UWSGI_THREADS=16 UPSTREAM_COMMIT=73d50f57481cfe2951c3231b2f5dfd70c0e6b49f
 
 COPY ./requirements.txt .
 
@@ -45,15 +45,15 @@ RUN addgroup -g ${GID} searxng \
 && chown -R searxng:searxng . \
 && su searxng -c "/usr/bin/python3 -m searx.version freeze"
 
-# copy run.sh
-COPY ./src/run.sh /usr/local/bin/run.sh
-
 # include patches for authorized api access
 COPY ./src/auth/auth.py searx/auth.py
 RUN sed -i -e "/if output_format not in settings\\['search'\\]\\['formats'\\]:/a\\        from searx.auth import valid_api_key\\n        if (not valid_api_key(request)):" -e 's|flask.abort(403)|    flask.abort(403)|' /usr/local/searxng/searx/webapp.py \
 && sed -i "/return Response('', mimetype='text\/css')/a \\\\n@app.route('/<key>/search', methods=['GET', 'POST'])\\ndef search_key(key=None):\\n    from searx.auth import auth_search_key\\n    return auth_search_key(request, key)" /usr/local/searxng/searx/webapp.py \
 && sed -i "/3\. If the IP is not in either list, the request is not blocked\./a\\    from searx.auth import valid_api_key\\n    if (valid_api_key(request)):\\n        return None" searx/limiter.py
 
+# copy run.sh
+COPY ./src/run.sh /usr/local/bin/run.sh
+
 # make run.sh executable, copy uwsgi server ini, set default settings, precompile static theme files
 RUN cp -r -v dockerfiles/uwsgi.ini /etc/uwsgi/; \
 chmod +x /usr/local/bin/run.sh; \
@@ -61,6 +61,11 @@ su searxng -c "/usr/bin/python3 -m compileall -q searx"; \
 find /usr/local/searxng/searx/static -a \( -name '*.html' -o -name '*.css' -o -name '*.js' -o -name '*.svg' -o -name '*.ttf' -o -name '*.eot' \) \
 -type f -exec gzip -9 -k {} \+ -exec brotli --best {} \+
 
+# copy searxng settings
+COPY ./config/settings.yml /etc/searxng/settings.yml
+# copy limiter settings
+COPY ./config/limiter.toml /etc/searxng/limiter.toml
+
 # expose port and set tini as CMD; default user is searxng
 USER searxng
 EXPOSE 8080

config/limiter.toml

@@ -0,0 +1,17 @@
+[real_ip]
+x_for = 2
+
+# bans on ipv6 apply to the whole /40 block
+# households typically get /32 to /64 so this is a good compromise
+ipv6_prefix = 40
+
+[botdetection.ip_lists]
+pass_ip = [
+    '51.159.53.89/32',                           # Allow https://cryptcheck.fr
+    '2001:bc8:1200:4:208:a2ff:fe0c:67ea/64'      # Allow https://cryptcheck.fr
+]
+
+pass_searxng_org = true
+
+[botdetection.ip_limit]
+link_token = true

config/settings.yml

@@ -0,0 +1,174 @@
+general:
+  debug: false
+  instance_name: "Astrial Search",
+  privacypolicy_url: "https://astrial.org/privacy"
+  donation_url: false
+  contact_url: "https://astrial.org"
+  enable_metrics: true
+
+brand:
+  new_issue_url: https://github.com/searxng/searxng/issues/new
+  docs_url: https://docs.searxng.org/
+  public_instances: https://searx.space
+  wiki_url: https://github.com/searxng/searxng/wiki
+  issue_url: https://github.com/searxng/searxng/issues
+
+search:
+  # 0: none, 1: moderate, 2: strict
+  safe_search: 0
+  autocomplete: ""
+  favicon_resolver: ""
+  default_lang: "auto"
+  ban_time_on_fail: 5 # seconds
+  max_ban_timeon_fail: 60 # seconds
+  suspended_times:
+    # Engine suspension time after error (in seconds; set to 0 to disable)
+    # For error "Access denied" and "HTTP error [402, 403]"
+    SearxEngineAccessDenied: 86400
+    # For error "CAPTCHA"
+    SearxEngineCaptcha: 86400
+    # For error "Too many request" and "HTTP error 429"
+    SearxEngineTooManyRequests: 3600
+    # Cloudflare CAPTCHA
+    cf_SearxEngineCaptcha: 1296000
+    cf_SearxEngineAccessDenied: 86400
+    # ReCAPTCHA
+    recaptcha_SearxEngineCaptcha: 604800
+
+  # [html, csv, json, rss]
+  formats:
+    - html
+    - json
+
+server:
+  port: 8080
+  bind_address: "0.0.0.0"
+  base_url: "https://search.astrial.org/"
+  limiter: true
+  public_instance: true
+  secret_key: '' # overwritten by ${SEARXNG_SECRET_KEY}
+  image_proxy: true
+  # 1.0 or 1.1
+  http_protocol_version: "1.1"
+  method: "POST"
+  default_http_headers:
+    X-Content-Type-Options: nosniff
+    X-Download-Options: noopen
+    X-Robots-Tag: noindex, nofollow
+    Referrer-Policy: no-referrer
+
+redis:
+  url: '' # overwritten by ${SEARXNG_REDIS_URL}
+
+ui:
+  static_path: ''
+  # cache busting
+  static_use_hash: true
+  templates_path: ''
+  query_in_title: false
+  infinite_scroll: false
+  default_theme: "simple"
+  center_alignment: false
+  default_locale: ""
+  theme_args:
+    simple_style: auto
+  search_on_category_select: true
+  # default, vim
+  hotkeys: default
+  # pretty, full, host
+  url_formatting: pretty
+
+# lock settings on preference page
+preferences:
+  lock: [autocomplete]
+
+outgoing:
+  request_timeout: 3 # seconds
+  useragent_suffix: "+webmaster [at] astrial [dot] org"
+  # max concurrent connections
+  pool_connections: 100
+  # max keepalive connections
+  pool_maxsize: 20
+  enable_http2: true
+
+categories_as_tabs:
+  general:
+  images:
+  videos:
+  news:
+  map:
+  music:
+  it:
+  science:
+  files:
+  social media:
+
+### Engines ###
+engines:
+  - name: wikipedia
+    engine: wikipedia
+    shortcut: wiki
+    display_type: [infobox, list]
+    categories: [general]
+
+  - name: wikinews
+    engine: mediawiki
+    shortcut: wikin
+    categories: [news]
+    base_url: "https://{language}.wikinews.org/"
+    search_type: text
+    srsort: create_timestamp_desc
+    about:
+      website: "https://www.wikinews.org/"
+      wikidata_id: Q964
+    
+  - name: wiktionary
+    engine: mediawiki
+    shortcut: wikit
+    categories: [dictionaries, wikimedia]
+    base_url: "https://{language}.wiktionary.org/"
+    search_type: text
+    about:
+      website: https://www.wiktionary.org/
+      wikidata_id: Q151
+  
+  - name: bing
+    engine: bing
+    shortcut: b
+
+  - name: bing images
+    engine: bing_images
+    shortcut: bii
+
+  - name: bing news
+    engine: bing_news
+    shortcut: bin
+
+  - name: bing videos
+    engine: bing_videos
+    shortcut: biv
+
+  - name: google
+    engine: google
+    shortcut: g
+  
+  - name: google images
+    engine: google_images
+    shortcut: goi
+
+  - name: google news
+    engine: google_news
+    shortcut: gon
+
+  - name: google scholar
+    engine: google_scholar
+    shortcut: gos
+
+  - name: youtube
+    engine: youtube_noapi
+    shortcut: yt
+
+    # Art Institute of Chicago
+  - name: artic
+    engine: artic
+    shortcut: arc

src/auth/auth.py

@@ -13,7 +13,7 @@ def get_tokens():
     global valid_tokens_set
     if valid_tokens_set is None:
         try:
-            with open("/etc/searxng/auth_tokens.txt") as file:
+            with open("/etc/searxng/auth/tokens.txt") as file:
                 valid_tokens_set = {line.strip() for line in file}
         except Exception:
             valid_tokens_set = set()