initial

.env.sample

@@ -6,3 +6,7 @@ DOMAIN=searxng.example.com
 #EXTRA_DOMAINS=', `www.searxng.example.com`'
 
 LETS_ENCRYPT_ENV=production
+
+SECRET_SECRET_KEY_VERSION=v1
+
+SEARXNG_BASE_URL=https://$DOMAIN/

abra.sh

@@ -1,2 +1,5 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
+
+export SETTINGS_VERSION=v1
+export LIMITER_VERSION=v1

compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   app:
-    image: nginx:1.27.5
+    image: searxng/searxng:2026.1.2-3d88876a3
     networks:
       - proxy
     deploy:
@@ -9,7 +9,7 @@ services:
         condition: on-failure
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
@@ -23,17 +23,56 @@ services:
         # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.scheme=https"
         # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.permanent=true"
         ## When you're ready for release, run "abra recipe sync <name>" to set this
-        - "coop-cloud.${STACK_NAME}.version="
+        - "coop-cloud.${STACK_NAME}.version=0.0.1+2026.1.2"
         ## Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore
         # - "backupbot.backup=true"
         # - "backupbot.backup.path=/some/path"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
+    volumes:
+      - data:/var/cache/searxng
+    configs:
+      - source: settings
+        target: /etc/searxng/settings.yml
+        mode: 0555
+      - source: limiter
+        target: /etc/searxng/limiter.toml
+        mode: 0555
+    secrets:
+      - secret_key
+#    healthcheck:
+#      test: ["CMD", "curl", "-f", "http://localhost"]
+#      interval: 30s
+#      timeout: 10s
+#      retries: 10
+#      start_period: 1m
+
+  redis:
+    image: docker.io/valkey/valkey:8-alpine
+    command: valkey-server --save 30 1 --loglevel warning
+    networks:
+      - proxy
+    volumes:
+      - redis-data:/data
 
 networks:
   proxy:
     external: true
+
+volumes:
+  config:
+  data:
+  redis-data:
+
+configs:
+  settings:
+    name: ${STACK_NAME}_settings_${SETTINGS_VERSION}
+    file: settings.yml.tmpl
+    template_driver: golang
+  limiter:
+    name: ${STACK_NAME}_limiter_${LIMITER_VERSION}
+    file: limiter.toml.tmpl
+    template_driver: golang
+
+secrets:
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}

limiter.toml.tmpl

@@ -0,0 +1,17 @@
+# This configuration file updates the default configuration file
+# See https://github.com/searxng/searxng/blob/master/searx/limiter.toml
+
+[botdetection]
+trusted_proxies = [
+  '127.0.0.0/8',
+  '::1',
+  # '192.168.0.0/16',
+  # '172.16.0.0/12',
+  # '10.0.0.0/8',
+  # 'fd00::/8',
+]
+
+[botdetection.ip_limit]
+# activate advanced bot protection
+# this can be disabled if running an instance that's not available for public use on the internet
+link_token = true

settings.yml.tmpl

@@ -0,0 +1,9 @@
+# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
+use_default_settings: true
+server:
+  # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+  secret_key: "{{ secret "secret_key" }}"
+  limiter: true  # this can be disabled if not running an instance for public usage on the internet
+  image_proxy: true
+redis:
+  url: redis://redis:6379/0