From 5ad54f4cac079c6ff4a7902a751f73091aca883f Mon Sep 17 00:00:00 2001
From: cuqmbr
Date: Sun, 29 Jun 2025 21:15:23 +0300
Subject: [PATCH] add redis support to searxng role valkey container is created but the software must be installed manually
---
 README.md | 3 +
 .../common/group_vars/load_balancers.yml | 4 +-
 .../inventories/dev/group_vars/searxng.yml | 24 +++-
 ansible/roles/searxng/tasks/main.yml | 7 ++
 terraform/common/firewall_ipsets.tf | 16 +++
 terraform/dev/valkey.tf | 109 ++++++++++++++++++
 6 files changed, 160 insertions(+), 3 deletions(-)
 create mode 100644 README.md
 create mode 100644 terraform/dev/valkey.tf

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..226ecbe
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+### Todo
+
+- Create role for installing and configuring Valkey
diff --git a/ansible/inventories/common/group_vars/load_balancers.yml b/ansible/inventories/common/group_vars/load_balancers.yml
index 0a937cd..10a36c6 100644
--- a/ansible/inventories/common/group_vars/load_balancers.yml
+++ b/ansible/inventories/common/group_vars/load_balancers.yml
@@ -48,7 +48,9 @@ nginx_settings:
 names:
 - searxng.dev.cuqmbr.xyz
 - searxng.dev.cuqmbr.home
- # - upstream:
+ statements:
+ - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header X-Real-IP $remote_addr
 # name: prometheus
 # servers:
 # - 192.168.0.252:9090
diff --git a/ansible/inventories/dev/group_vars/searxng.yml b/ansible/inventories/dev/group_vars/searxng.yml
index e6ee389..e4a1e9c 100644
--- a/ansible/inventories/dev/group_vars/searxng.yml
+++ b/ansible/inventories/dev/group_vars/searxng.yml
@@ -25,7 +25,7 @@ users:
 
 searxng_homedir: /opt/searxng
 
-searxng_git_commit: e52e9bb4b699e39d9ce51874ea339d4773717389
+searxng_git_commit: 60be0f453e9e4a5fc48aeb4706e75af0a4047b36
 
 searxng_settings:
 use_default_settings: true
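Review bot: The added `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` forwards whatever X-Forwarded-For the client already sent and only appends `$remote_addr`, so the first address in that header stays client-controlled; if this nginx is the edge and the searxng limiter keys on the first X-Forwarded-For entry, a client could present an arbitrary source address to it. Either use `proxy_set_header X-Forwarded-For $remote_addr` when nothing trusted sits in front of nginx, or keep this line and make sure searxng takes the client address from `X-Real-IP`, which the hunk sets from `$remote_addr`. The enclosing `nginx_settings` upstream entry starts above this hunk.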
@@ -66,7 +66,27 @@ searxng_settings:
 X-Download-Options: noopen
 X-Robots-Tag: noindex, nofollow
 Referrer-Policy: no-referrer
- limiter: false
+ limiter: true
+
+ redis:
+ url: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66323631326264383161376136303730353336663065346235313464333237356436356566373233
+ 3165633436383130383364303865666534313139666163640a316664653239373464366239343961
+ 32653631323337633738626464633662313631636631623538376638656161356434633261383138
+ 6163353138343135370a643034343837633534626237656263656138386135303661343837663166
+ 38343839373564643964663630616230623962646164313732316631323263666231343931653634
+ 66326234333163636331666230656530396262623037316136643534323338633630616134656464
+ 36353633633065313666366331316238393134393035346232353462666161653162333632393233
+ 62646332393065346434343636636131386136313938653539663865376661303238396563313633
+ 38616138343337306233373733636634326334326635386361666662363834366166646337393266
+ 34653739623364373135313638643938626635373362343966343664306661363334353061623434
+ 36373135616561653133653066336464383737336134626337393261356630616532343233376264
+ 62386135356263346562313034386334316532343038366435386564623038343634663033643963
+ 62353363643163653763333335386235626666393434343136373832363566323730306134646130
+ 37313163613733333835303363363932343264356662633262373661346463653936316162636332
+ 33633237656362363938653735313834376537333532343039653038326563633063323965633463
+ 37366662313263396637
 
 ui:
 static_use_hash: true
diff --git a/ansible/roles/searxng/tasks/main.yml b/ansible/roles/searxng/tasks/main.yml
index b7d9979..08c6f84 100644
--- a/ansible/roles/searxng/tasks/main.yml
+++ b/ansible/roles/searxng/tasks/main.yml
@@ -41,6 +41,7 @@
 version: "{{ searxng_git_commit }}"
 force: true
 single_branch: true
+ register: git_clone_result
 
 - name: Install pip dependencies.
 ansible.builtin.pip:
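Review bot: `limiter: true` is switched on in the same commit whose message says the Valkey server still has to be installed by hand, so an apply from this inventory yields a limiter whose `redis.url` points at a backend that may not exist yet; what SearXNG does when the configured redis is unreachable is not visible here, so the dependency should at least be stated. Consider keeping `limiter: false` until the Valkey role from the README Todo exists, or add a comment next to it such as `# requires the valkey node (terraform/dev/valkey.tf) to be installed and reachable`. The `searxng_settings` mapping begins above this hunk.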
@@ -53,6 +54,12 @@
 - pyyaml
 state: present
 
+- name: Remove searxng settings file.
+ ansible.builtin.file:
+ path: /etc/searxng/settings.yml
+ state: absent
+ when: git_clone_result.changed
+
 - name: Compile searxng.
 ansible.builtin.pip:
 virtualenv: "{{ searxng_pyenv }}"
diff --git a/terraform/common/firewall_ipsets.tf b/terraform/common/firewall_ipsets.tf
index fc6fc7f..3c2b47e 100644
--- a/terraform/common/firewall_ipsets.tf
+++ b/terraform/common/firewall_ipsets.tf
@@ -33,3 +33,19 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
 comment = "searxng"
 }
 }
+
+resource "proxmox_virtual_environment_firewall_ipset" "dev_valkey_clients" {
+
+ name = "valkey_clients"
+ comment = "Nodes that can connect to valkey Node."
+
+ cidr {
+ name = "192.168.0.15"
+ comment = "searxng"
+ }
+}
+
+output "dev_valkey_clients_ipset" {
+ value = proxmox_virtual_environment_firewall_ipset.dev_valkey_clients
+ sensitive = true
+}
diff --git a/terraform/dev/valkey.tf b/terraform/dev/valkey.tf
new file mode 100644
index 0000000..b4fcbdf
--- /dev/null
+++ b/terraform/dev/valkey.tf
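Review bot: The removal of `/etc/searxng/settings.yml` is keyed on `git_clone_result.changed` from the checkout registered in the previous hunk, so a run that fails between the checkout and whatever later task regenerates the file leaves the stale settings in place on the next run, when the checkout reports unchanged. If a later task in this role writes the file from `searxng_settings` via a template, that task already replaces stale content and this deletion is redundant; otherwise tie the removal to that later step rather than to the checkout result. Minor style: prefer the Jinja test `when: git_clone_result is changed` over attribute access. The task list continues beyond this hunk.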
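Review bot: The `dev_valkey_clients` ipset hard-codes the searxng node as `192.168.0.15`, while the rules in terraform/dev/valkey.tf derive the bastion address from `data.terraform_remote_state.common.outputs.bastion_ct`; if the searxng container is managed in Terraform too, derive this `cidr` from its resource the same way so the allow-list cannot drift from the real address. As written, the `comment = "searxng"` is the only link between this entry and the node it stands for, so a change to the searxng IP elsewhere would silently cut it off from Valkey while leaving the old address allowed.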
@@ -0,0 +1,109 @@
+resource "proxmox_virtual_environment_container" "valkey" {
+ node_name = "pve"
+
+ vm_id = 1040
+
+ tags = ["dev", "database", "cache"]
+
+ unprivileged = true
+
+ cpu {
+ cores = 1
+ }
+
+ memory {
+ dedicated = 512
+ }
+
+ disk {
+ datastore_id = var.datastore_id
+ size = 4
+ }
+
+ network_interface {
+ bridge = var.internal_network_bridge_name
+ name = "eth-dev"
+ firewall = true
+ enabled = true
+ }
+
+ initialization {
+ hostname = "valkey"
+ ip_config {
+ ipv4 {
+ address = "192.168.0.4/24"
+ gateway = "192.168.0.1"
+ }
+ }
+ user_account {
+ keys = [var.ssh_public_key]
+ }
+ }
+
+ operating_system {
+ template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
+ type = "debian"
+ }
+
+ started = true
+
+ startup {
+ order = 100
+ up_delay = 0
+ down_delay = 0
+ }
+
+ features {
+ nesting = true
+ }
+}
+
+resource "proxmox_virtual_environment_firewall_options" "valkey" {
+ depends_on = [proxmox_virtual_environment_container.valkey]
+
+ node_name = proxmox_virtual_environment_container.valkey.node_name
+ vm_id = proxmox_virtual_environment_container.valkey.vm_id
+
+ enabled = true
+ dhcp = true
+ input_policy = "DROP"
+ output_policy = "ACCEPT"
+}
+
+resource "proxmox_virtual_environment_firewall_rules" "valkey" {
+ depends_on = [proxmox_virtual_environment_container.valkey]
+
+ node_name = proxmox_virtual_environment_container.valkey.node_name
+ vm_id = proxmox_virtual_environment_container.valkey.vm_id
+
+ rule {
+ type = "in"
+ source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
+ proto = "tcp"
+ dport = "22"
+ action = "ACCEPT"
+ comment = "SSH from Bastion."
+ }
+
+ rule {
+ type = "in"
+ proto = "icmp"
+ dport = "8"
+ action = "ACCEPT"
+ comment = "Ping."
+ }
+
+ rule {
+ security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
+ comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
+ }
+
+ rule {
+ type = "in"
+ source = "+${data.terraform_remote_state.common.outputs.dev_valkey_clients_ipset.name}"
+ proto = "tcp"
+ dport = "6379"
+ action = "ACCEPT"
+ comment = "Access valkey from client nodes."
+ }
+}
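Review bot: The firewall rules limit 6379 to the `valkey_clients` ipset and SSH to the bastion, but nothing in this file or the commit configures the Valkey service itself, which the commit message says is installed manually; since the searxng side keeps `redis.url` in vault, authentication appears to be intended, so the manual step should set `bind 192.168.0.4`, `requirepass` (or an ACL user) and keep `protected-mode yes`, and that expectation belongs in a comment above the 6379 rule, e.g. `# Valkey must still require auth; this rule only limits who can reach the port.`. `dhcp = true` in the firewall options is unnecessary for a container with a static `ip_config` and can be dropped. Consider exporting the container address `192.168.0.4` as an output so the Ansible `redis.url` can reference it instead of duplicating the literal.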