{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.modules.services.searx;
in
{
  options.modules.services.searx = {
    enable = mkEnableOption "searx metasearch engine";
    package = mkOption { type = types.package; default = pkgs.searxng; };
    domain = mkOption { type = types.str; };
    realHost = mkOption { type = types.str; };
    secrets.searx-env = mkOption { type = types.path; description = "path to the searx secret envfile"; };
  };

  config = mkIf cfg.enable {
    services.searx = {
      enable = true;
      package = cfg.package;
      environmentFile = cfg.secrets.searx-env;
      runInUwsgi = true;
      settings = {
        use_default_settings = true;

        general.instance_name = "exotic.sh search";
        server.secret_key = "@SEARX_SECRET_KEY@";
      };
      uwsgiConfig = {
        socket = "/run/searx/searx.sock";
        chmod-socket = "660";
        cache2 = "name=searx_cache,items=2000,blocks=2000,blocksize=4096,bitmap=1";
        disable-logging = true; # public service
      };
    };

    users.extraUsers.nginx.extraGroups = [ "searx" ];

    services.nginx.virtualHosts.${cfg.realHost} = {
      forceSSL = true;
      useACMEHost = cfg.domain;
      locations."/".extraConfig = ''
        proxy_set_header Host $host;
        access_log off; # public service
        uwsgi_pass unix:/run/searx/searx.sock;
        include ${pkgs.nginx}/conf/uwsgi_params;
      '';
      locations."/static/".alias = "${cfg.package}/share/static/";
    };
  };
}