Generate SearXNG secret on first boot

2026-06-01 11:03:02 +09:00
parent 89093d0b9f
commit 71d74290f0
4 changed files with 21 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@@ -31,6 +31,10 @@ LLM_HOST=localhost
 # Docker Compose overrides this to http://searxng:8080 for in-network access.
 SEARXNG_INSTANCE=http://localhost:8080

+# Optional SearXNG cookie/CSRF secret. If blank, Docker generates one on first boot
+# and stores it in the searxng-data volume.
+# SEARXNG_SECRET=
+
 # ============================================================
 # Database
 # ============================================================
--- a/README.md
+++ b/README.md
@@ -170,6 +170,7 @@ Key settings:
 | `LLM_HOSTS` | -- | Comma-separated list for model discovery |
 | `OPENAI_API_KEY` | -- | Optional OpenAI key. Prefer adding providers in the app unless pre-seeding. |
 | `SEARXNG_INSTANCE` | `http://localhost:8080` | SearXNG URL. Docker overrides this to `http://searxng:8080`. |
+| `SEARXNG_SECRET` | generated on first Docker boot | Optional SearXNG cookie/CSRF secret. Leave blank unless you need to pin it. |
 | `AUTH_ENABLED` | `true` | Enable/disable login |
 | `LOCALHOST_BYPASS` | `false` | Development-only auth bypass for loopback requests. Keep false for shared/network deployments. |
 | `DATABASE_URL` | `sqlite:///./data/app.db` | Database connection string |
--- a/config/searxng/settings.yml
+++ b/config/searxng/settings.yml
@@ -1,7 +1,7 @@
 use_default_settings: true

 server:
-  secret_key: "odysseus-local-searxng-json-2026-05-30"
+  secret_key: "__SEARXNG_SECRET__"

 search:
  formats:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -51,13 +51,27 @@ services:

  searxng:
    image: searxng/searxng:latest
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        set -eu
+        if [ ! -s /etc/searxng/settings.yml ] || grep -q 'odysseus-local-searxng-json-2026-05-30\|__SEARXNG_SECRET__' /etc/searxng/settings.yml; then
+          secret="$${SEARXNG_SECRET:-}"
+          if [ -z "$$secret" ]; then
+            secret="$$(python -c 'import secrets; print(secrets.token_urlsafe(48))')"
+          fi
+          sed "s|__SEARXNG_SECRET__|$$secret|g" /tmp/searxng-settings.yml.template > /etc/searxng/settings.yml
+        fi
+        exec /usr/local/searxng/entrypoint.sh
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - searxng-data:/etc/searxng
-      - ./config/searxng/settings.yml:/etc/searxng/settings.yml
+      - ./config/searxng/settings.yml:/tmp/searxng-settings.yml.template:ro
    environment:
      - SEARXNG_BASE_URL=http://localhost:8080/
+      - SEARXNG_SECRET=${SEARXNG_SECRET:-}
    healthcheck:
      test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8080/', timeout=5).read(1)\""]
      interval: 5s