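# NixOS module: a private SearXNG instance (services.searx) backed by a
# dedicated local Redis server and published through the project's
# `architect.vhost` option.
{ config, pkgs, ... }:

let
  # Hostname the instance is published under via architect.vhost below.
  domain = "search.giugl.io";
in
{
  services = {
    # Dedicated Redis server for SearXNG, reached over TCP on loopback (see
    # redis.url below). No password is configured in this file.
    # NOTE(review): any local process can connect to this port; a unix socket
    # restricted to the searx user would narrow that. Confirm before changing.
    redis.servers."searx" = { enable = true; port = 4456; };
    searx = {
      enable = true;
      package = pkgs.unstablePkgs.searxng;

      # Written as a string rather than a bare path literal: Nix copies path
      # literals into the world-readable /nix/store whenever they are
      # interpolated into a string, which would expose the secrets file.
      # The file lives outside the store on the target host and should not be
      # world-readable.
      environmentFile = "/secrets/searx/env";
      settings = {
        server = {
          # Placeholder only. The NixOS searx module replaces @NAME@ tokens in
          # the generated settings with variables from environmentFile at
          # service start, so the real key never enters the Nix store.
          # SEARX_SECRET_KEY must be defined in that file.
          secret_key = "@SEARX_SECRET_KEY@";
          port = 4455;
        };

        general = {
          instance_name = "PepoSearch";
          contact_url = "mailto:search@depasquale.giugl.io";
          # Engine statistics become visible (/stats) to anyone who can reach
          # the instance. Access is limited by the vhost rules at the bottom.
          enable_metrics = true;
        };

        search = {
          # 0 = no result filtering.
          safe_search = 0;
          # Suggestions are fetched from Google by the server, so partial
          # queries leave the instance while the user is still typing.
          autocomplete = "google";
          prefer_configured_language = false;
        };

        ui = {
          infinite_scroll = true;
          # Puts the search terms in the page title, so they also show up in
          # browser history and tab titles.
          query_in_title = true;
          results_on_new_tab = true;
          theme_args.simple_style = "dark";
        };

        # Derived from the Redis server declared above so the two ports cannot
        # drift apart.
        redis.url = "redis://127.0.0.1:${toString config.services.redis.servers."searx".port}";

        engines = [
          { name = "google"; disabled = false; }
          { name = "bing"; disabled = false; }
          { name = "qwant"; disabled = false; }
          { name = "brave"; disabled = false; }
          # keep getting access denied (!?)
          { name = "duckduckgo"; disabled = true; }
        ];
      };
    };
  };

  # `architect.vhost` is a project-specific option whose implementation is not
  # shown here. `with` brings `tailscale` (from config.architect.networks)
  # into scope for the allow-list.
  # NOTE(review): presumably `allow` plus `allowLan` restrict clients to the
  # Tailscale network and the LAN. Confirm that everything else is denied by
  # default, since the instance has no authentication of its own.
  architect.vhost.${domain} = with config.architect.networks; {
    dnsInterfaces = [ "tailscale" ];
    locations."/" = {
      # Reuse the SearXNG listen port instead of repeating the literal.
      port = config.services.searx.settings.server.port;
      allowLan = true;

      allow = [
        tailscale.net
      ];
    };
  };
}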