ouranos/ansible/searxng/deploy.yml
Robert Helewka 042df52bca Refactor user management in Ansible playbooks to standardize on keeper_user
- Updated user addition tasks across multiple playbooks (mcp_switchboard, mcpo, neo4j, neo4j_mcp, openwebui, postgresql, rabbitmq, searxng, smtp4dev) to replace references to ansible_user and remote_user with keeper_user.
- Modified PostgreSQL deployment to create directories and manage files under keeper_user's home.
- Enhanced documentation to clarify account taxonomy and usage of keeper_user in playbooks.
- Introduced new deployment for Agent S, including environment setup, desktop environment installation, XRDP configuration, and accessibility support.
- Added staging playbook for preparing release tarballs from local repositories.
- Created templates for XRDP configuration and environment activation scripts.
- Removed obsolete sunwait documentation.
2026-03-05 10:37:41 +00:00


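---
# Deploys SearXNG with Docker Compose and places an OAuth2-Proxy sidecar
# (systemd unit) next to it. Hosts whose `services` variable does not
# contain 'searxng' are skipped before anything is changed.
#
# Variables read by this play (all defined outside this file):
#   services, searxng_user, searxng_group, keeper_user, searxng_directory,
#   searxng_oauth2_proxy_dir, searxng_oauth2_proxy_version
# Optional, introduced by the download task below:
#   searxng_oauth2_proxy_checksum  e.g. "sha256:<digest of the release tarball>"
- name: Deploy SearXNG with Docker Compose
  hosts: ubuntu
  become: true

  tasks:
    - name: Check if host has searxng service
      ansible.builtin.set_fact:
        has_searxng_service: "{{'searxng' in services}}"

    - name: Skip hosts without searxng service
      ansible.builtin.meta: end_host
      when: not has_searxng_service

    - name: Create searxng group
      ansible.builtin.group:
        name: "{{searxng_group}}"

    # Dedicated system account so the service files are not owned by a
    # login user.
    - name: Create searxng user
      ansible.builtin.user:
        name: "{{searxng_user}}"
        comment: "{{searxng_user}}"
        group: "{{searxng_group}}"
        system: true

    # append: true adds the group without dropping keeper_user's other
    # supplementary groups.
    - name: Add group searxng to keeper_user
      ansible.builtin.user:
        name: "{{keeper_user}}"
        groups: "{{searxng_group}}"
        append: true

    - name: Create searxng directory
      ansible.builtin.file:
        path: "{{searxng_directory}}"
        owner: "{{searxng_user}}"
        group: "{{searxng_group}}"
        state: directory
        mode: '0750'

    # Read-only for owner and group, nothing for others. These are data
    # files, so the execute bit the previous mode ('550') carried is dropped.
    - name: Template configuration files
      ansible.builtin.template:
        src: "{{item.src}}"
        dest: "{{searxng_directory}}/{{item.dest}}"
        owner: "{{searxng_user}}"
        group: "{{searxng_group}}"
        mode: '0440'
      loop:
        - src: "docker-compose.yml.j2"
          dest: "docker-compose.yml"
        - src: "searxng-settings.yml.j2"
          dest: "searxng-settings.yml"

    # A new login session is needed before keeper_user's added group
    # membership takes effect.
    - name: Reset SSH connection to apply group changes
      ansible.builtin.meta: reset_connection

    # pull: always re-pulls the images on every run. Which tag or digest is
    # pulled is decided in docker-compose.yml.j2, which is not part of this
    # file. NOTE(review): confirm the images there are pinned.
    - name: Start SearXNG service
      community.docker.docker_compose_v2:
        project_src: "{{searxng_directory}}"
        state: present
        pull: always

    # ===========================================================================
    # OAuth2-Proxy Sidecar
    # Note: Each host supports at most one OAuth2-Proxy sidecar instance
    # (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
    # ===========================================================================
    - name: Create oauth2-proxy directory
      ansible.builtin.file:
        path: "{{ searxng_oauth2_proxy_dir }}"
        owner: root
        group: root
        state: directory
        mode: '0755'

    # The archive is staged in the root-owned oauth2-proxy directory, not in
    # world-writable /tmp. get_url leaves an existing dest alone and the
    # extract step is skipped when its `creates` path exists, so with /tmp
    # staging a file placed there by any other local account would be what
    # root installs into /usr/local/bin.
    #
    # Integrity: set searxng_oauth2_proxy_checksum in inventory to
    # "sha256:<digest published with the release>" to have the download
    # verified. While the variable is undefined the parameter is omitted and
    # the archive is trusted on HTTPS alone.
    - name: Download oauth2-proxy binary
      ansible.builtin.get_url:
        url: "https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ searxng_oauth2_proxy_version }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64.tar.gz"
        dest: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
        checksum: "{{ searxng_oauth2_proxy_checksum | default(omit) }}"
        owner: root
        group: root
        mode: '0644'

    # owner/group force the extracted tree to root instead of whatever
    # ownership is recorded inside the tarball.
    - name: Extract oauth2-proxy binary
      ansible.builtin.unarchive:
        src: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
        dest: "{{ searxng_oauth2_proxy_dir }}"
        remote_src: true
        owner: root
        group: root
        creates: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"

    - name: Install oauth2-proxy binary
      ansible.builtin.copy:
        src: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"
        dest: /usr/local/bin/oauth2-proxy
        owner: root
        group: root
        mode: '0755'
        remote_src: true

    # Root-only (0600). NOTE(review): presumably this file carries the
    # OAuth client secret and cookie secret. If so, consider `diff: false`
    # on this task so `--diff` runs do not print them. Confirm against
    # the template.
    - name: Template oauth2-proxy configuration
      ansible.builtin.template:
        src: oauth2-proxy-searxng.cfg.j2
        dest: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy.cfg"
        owner: root
        group: root
        mode: '0600'
      notify: restart oauth2-proxy-searxng

    - name: Template oauth2-proxy systemd service
      ansible.builtin.template:
        src: oauth2-proxy-searxng.service.j2
        dest: /etc/systemd/system/oauth2-proxy-searxng.service
        owner: root
        group: root
        mode: '0644'
      notify:
        - reload systemd
        - restart oauth2-proxy-searxng

    # ===========================================================================
    # Service Management
    # ===========================================================================
    # daemon_reload here makes a freshly templated unit visible to systemd
    # before the first start. The notified handlers only run at the end of
    # the play.
    - name: Enable and start OAuth2-Proxy service
      ansible.builtin.systemd:
        name: oauth2-proxy-searxng
        enabled: true
        state: started
        daemon_reload: true

  # Handler names must match the `notify` strings above exactly.
  handlers:
    - name: reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: restart oauth2-proxy-searxng
      ansible.builtin.systemd:
        name: oauth2-proxy-searxng
        state: restarted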