ulysses: remove bundled searxng — conflicts with standalone instance at :8888
Some checks are pending
CI / Focused test guidance (report-only) (push) Waiting to run
CI / Python syntax (compileall) (push) Waiting to run
CI / JS syntax (node --check) (push) Waiting to run
CI / Python tests (pytest) (push) Waiting to run
Container scan / hadolint (Dockerfile lint) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan, advisory) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan + SARIF upload) (push) Waiting to run
Dependency review / dependency-review (PR gate) (push) Waiting to run
Dependency review / pip-audit (advisory) (push) Waiting to run
ci / docker publish / build (amd64) (push) Waiting to run
ci / docker publish / build (arm64) (push) Waiting to run
ci / docker publish / merge manifest + tag (push) Blocked by required conditions
Secret scan / gitleaks (push) Waiting to run
Workflow security / actionlint (push) Waiting to run
Workflow security / zizmor (Actions SAST) (push) Waiting to run

This commit is contained in:
Lukas Parsons 2026-07-06 21:26:20 -04:00
parent ea201ab4b0
commit 4b98744495

View file

@ -71,8 +71,8 @@ services:
- PUID=${PUID:-1000} - PUID=${PUID:-1000}
- PGID=${PGID:-1000} - PGID=${PGID:-1000}
depends_on: depends_on:
searxng: # searxng:
condition: service_healthy # condition: service_healthy
chromadb: chromadb:
condition: service_started condition: service_started
restart: unless-stopped restart: unless-stopped
@ -87,55 +87,55 @@ services:
- ANONYMIZED_TELEMETRY=FALSE - ANONYMIZED_TELEMETRY=FALSE
restart: unless-stopped restart: unless-stopped
searxng: # searxng:
# Pinned, not :latest — odysseus waits on searxng's healthcheck # Pinned, not :latest — odysseus waits on searxng's healthcheck
# (depends_on: condition: service_healthy), so a broken upstream `latest` # (depends_on: condition: service_healthy), so a broken upstream `latest`
# tag blocks the whole app from starting. 2026.6.2 crashes on boot with # tag blocks the whole app from starting. 2026.6.2 crashes on boot with
# `KeyError: 'default_doi_resolver'`, failing the healthcheck (issue #1414). # `KeyError: 'default_doi_resolver'`, failing the healthcheck (issue #1414).
# Bump this deliberately after verifying a newer tag boots clean. # Bump this deliberately after verifying a newer tag boots clean.
image: docker.io/searxng/searxng:2026.5.31-7159b8aed # image: docker.io/searxng/searxng:2026.5.31-7159b8aed
entrypoint: # entrypoint:
- /bin/sh # - /bin/sh
- -c # - -c
- | # - |
set -eu # set -eu
if [ ! -s /etc/searxng/settings.yml ] || grep -q 'odysseus-local-searxng-json-2026-05-30\|__SEARXNG_SECRET__' /etc/searxng/settings.yml; then # if [ ! -s /etc/searxng/settings.yml ] || grep -q 'odysseus-local-searxng-json-2026-05-30\|__SEARXNG_SECRET__' /etc/searxng/settings.yml; then
secret="$${SEARXNG_SECRET:-}" # secret="$${SEARXNG_SECRET:-}"
if [ -z "$$secret" ]; then # if [ -z "$$secret" ]; then
secret="$$(python -c 'import secrets; print(secrets.token_urlsafe(48))')" # secret="$$(python -c 'import secrets; print(secrets.token_urlsafe(48))')"
fi # fi
sed "s|__SEARXNG_SECRET__|$$secret|g" /tmp/searxng-settings.yml.template > /etc/searxng/settings.yml # sed "s|__SEARXNG_SECRET__|$$secret|g" /tmp/searxng-settings.yml.template > /etc/searxng/settings.yml
fi # fi
exec /usr/local/searxng/entrypoint.sh # exec /usr/local/searxng/entrypoint.sh
ports: # ports:
- "127.0.0.1:8080:8080" # - "127.0.0.1:8080:8080"
volumes: # volumes:
- searxng-data:/etc/searxng # - searxng-data:/etc/searxng
- ./config/searxng/settings.yml:/tmp/searxng-settings.yml.template:ro,z # - ./config/searxng/settings.yml:/tmp/searxng-settings.yml.template:ro,z
environment: # environment:
- SEARXNG_BASE_URL=http://localhost:8080/ # - SEARXNG_BASE_URL=http://localhost:8080/
- SEARXNG_SECRET=${SEARXNG_SECRET:-} # restart: unless-stopped
# The official searxng image runs as the non-root `searxng` user, but its # # The official searxng image runs as the non-root `searxng` user, but its
# entrypoint still needs to chown /etc/searxng on first boot, drop privs via # # entrypoint still needs to chown /etc/searxng on first boot, drop privs via
# su-exec, and (with our wrapper above) write settings.yml into the named # # su-exec, and (with our wrapper above) write settings.yml into the named
# volume. Without these capabilities the wrapper aborts at the redirection # # volume. Without these capabilities the wrapper aborts at the redirection
# with EACCES and the container fails its healthcheck with permission # # with EACCES and the container fails its healthcheck with permission
# errors during setup. Mirrors the cap set recommended by the upstream # # errors during setup. Mirrors the cap set recommended by the upstream
# searxng-docker compose file. See issue #721. # # searxng-docker compose file. See issue #721.
cap_drop: # cap_drop:
- ALL # - ALL
cap_add: # cap_add:
- CHOWN # - CHOWN
- SETGID # - SETGID
- SETUID # - SETUID
- DAC_OVERRIDE # - DAC_OVERRIDE
healthcheck: # healthcheck:
test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8080/', timeout=5).read(1)\""] # test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:8080/', timeout=5).read(1)\""]
interval: 5s # interval: 5s
timeout: 6s # timeout: 6s
retries: 20 # retries: 20
start_period: 10s # start_period: 10s
restart: unless-stopped # restart: unless-stopped
ntfy: ntfy:
image: docker.io/binwiederhier/ntfy image: docker.io/binwiederhier/ntfy
@ -149,6 +149,6 @@ services:
restart: unless-stopped restart: unless-stopped
volumes: volumes:
searxng-data: # searxng-data:
chromadb-data: chromadb-data:
ntfy-cache: ntfy-cache: