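# NixOS module: runs SearXNG (services.searx) behind an nginx TLS virtual host
# at search.copeberg.org. Enabled via `modules.services.searxng.enable`.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.options) mkEnableOption;
  inherit (lib.modules) mkIf;
  inherit (builtins) toString;

  cfg = config.modules.services.searxng;

  # Local port the SearXNG backend listens on; nginx proxies to it over loopback.
  port = 4021;
in {
  options.modules.services.searxng.enable = mkEnableOption "SearXNG, a private search engine";

  config = mkIf cfg.enable {
    # The backend port is intentionally NOT opened in the firewall: the only
    # consumer is nginx on 127.0.0.1 (see proxyPass below). Opening it would
    # let clients reach the plain-HTTP backend directly, bypassing TLS and any
    # controls added at the proxy.
    # NOTE(review): 80/tcp and 443/tcp (plus 443/udp for QUIC) are not opened
    # here either; presumably a shared nginx module does that. Confirm.

    services = {
      nginx.enable = true;

      searx = {
        enable = true;
        package = pkgs.searxng;

        # Kept outside the Nix store, so the contents are not copied into the
        # world-readable /nix/store. No secret_key is set in `settings`, so this
        # file presumably supplies the instance secret. Confirm, and keep the
        # file readable only by root.
        environmentFile = "/srv/data/searxng/super_secret_file";

        settings = {
          general = {
            name = "Copesearch";
            privacypolicy_url = false;
            debug = false;
            enable_metrics = false;
          };

          search = {
            safe_search = 1;
            # NOTE(review): "json" and "rss" make the instance easy to consume
            # from scripts; combined with `limiter = false` below there is no
            # built-in protection against automated use of a public host.
            formats = ["html" "json" "rss"];
            autocomplete = "google"; # "dbpedia", "duckduckgo", "google", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off by default
            default_lang = "en";
          };

          ui = {
            query_in_title = true;
            theme_args.simple_style = "dark"; # auto, dark, light
            results_on_new_tab = false;
          };

          server = {
            inherit port;

            # Pin the listener to loopback explicitly, so the backend stays
            # unreachable from the network even if a default changes.
            bind_address = "127.0.0.1";

            # NOTE(review): the rate limiter is off. Turning it on needs a
            # Redis/Valkey backend and the real client address forwarded by
            # nginx; until then, abuse control has to come from the proxy.
            limiter = false;

            # With the image proxy off, result images are fetched by the
            # user's browser straight from third-party hosts.
            image_proxy = false;

            # taken from https://github.com/searx/searx/issues/715
            # NOTE(review): X-XSS-Protection is a legacy header that current
            # browsers ignore; a Content-Security-Policy is the modern control.
            default_http_headers = {
              X-Content-Type-Options = "nosniff";
              X-XSS-Protection = "1; mode=block";
              X-Download-Options = "noopen";
              X-Robots-Tag = "noindex, nofollow";
              Referrer-Policy = "no-referrer";
            };
          };

          # shamelessly stolen from NotAShelf
          engines = [
            {
              name = "wikipedia";
              engine = "wikipedia";
              shortcut = "w";
              base_url = "https://wikipedia.org/";
            }
            {
              name = "duckduckgo";
              engine = "duckduckgo";
              shortcut = "ddg";
            }
            {
              name = "google";
              engine = "google";
              shortcut = "g";
              use_mobile_ui = false;
            }
            {
              name = "archwiki";
              engine = "archlinux";
              shortcut = "aw";
            }
            {
              name = "github";
              engine = "github";
              categories = "it";
              shortcut = "gh";
            }
            {
              name = "nixpkgs";
              shortcut = "nx";
              engine = "elasticsearch";
              categories = "dev,nix";
              base_url = "https://nixos-search-5886075189.us-east-1.bonsaisearch.net:443";
              index = "latest-31-nixos-unstable";
              query_type = "match";
            }
          ];
        };
      };

      nginx.virtualHosts."search.copeberg.org" = {
        # TLS terminates here; the hop to SearXNG is plain HTTP over loopback.
        locations."/".proxyPass = "http://127.0.0.1:${toString port}";

        # Both logs are discarded, so no queries or client addresses are kept.
        # NOTE(review): dropping error_log also hides upstream and TLS
        # failures; a severity threshold such as `crit` would keep
        # diagnostics if they are wanted.
        extraConfig = ''
          access_log /dev/null;
          error_log /dev/null;
          proxy_connect_timeout 60s;
          proxy_send_timeout 60s;
          proxy_read_timeout 60s;
        '';

        quic = true;
        forceSSL = true;
        enableACME = true;
      };
    };
  };
}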