nixos/searx: use envsubst instead of sed for reading environment variables

- use envsubst instead of sed for reading in environment variables - update usage examples - add release notes
2025-07-06 00:22:23 -04:00 · 2025-07-06 00:22:23 -04:00 · ca88da9ce3
commit ca88da9ce3
parent f6e9250bf0
3 changed files with 10 additions and 12 deletions
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@ -60,6 +60,9 @@

 - `meta.mainProgram`: Changing this `meta` entry can lead to a package rebuild due to being used to determine the `NIX_MAIN_PROGRAM` environment variable.

+- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
+  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.
+
 - `versionCheckHook`: Packages that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.


--- a/nixos/modules/services/networking/searx.nix
+++ b/nixos/modules/services/networking/searx.nix
@ -24,13 +24,8 @@ let
    # write NixOS settings as JSON
    (
      umask 077
-      cp --no-preserve=mode ${settingsFile} settings.yml
+      ${pkgs.envsubst}/bin/envsubst < ${settingsFile} > settings.yml
    )
-
-    # substitute environment variables
-    env -0 | while IFS='=' read -r -d ''' n v; do
-      sed "s#@$n@#$v#g" -i settings.yml
-    done
  '';

  settingType =
@ -95,20 +90,20 @@ in
          {
            server.port = 8080;
            server.bind_address = "0.0.0.0";
-            server.secret_key = "@SEARX_SECRET_KEY@";
+            server.secret_key = "$SEARX_SECRET_KEY";

-            engines = lib.singleton {
+            engines = [ {
              name = "wolframalpha";
              shortcut = "wa";
-              api_key = "@WOLFRAM_API_KEY@";
+              api_key = "$WOLFRAM_API_KEY";
              engine = "wolframalpha_api";
-            };
+            } ];
          }
        '';
        description = ''
          Searx settings.
          These will be merged with (taking precedence over) the default configuration.
-          It's also possible to refer to environment variables (defined in [](#opt-services.searx.environmentFile)) using the syntax `@VARIABLE_NAME@`.
+          It's also possible to refer to environment variables (defined in [](#opt-services.searx.environmentFile)) using the syntax `$VARIABLE_NAME`.

          ::: {.note}
          For available settings, see the Searx [docs](https://docs.searxng.org/admin/settings/index.html).
--- a/nixos/tests/searx.nix
+++ b/nixos/tests/searx.nix
@ -28,7 +28,7 @@
        server = {
          port = "8080";
          bind_address = "0.0.0.0";
-          secret_key = "@SEARX_SECRET_KEY@";
+          secret_key = "$SEARX_SECRET_KEY";
        };
      };
    };