feat(searxng): always-on Quadlet for privacy-respecting metasearch

SearXNG is the search counterpart to mios-ai/ollama: a single localhost
endpoint (http://localhost:8888/) that aggregates ~250 upstream search
engines without leaking IP, user-agent, or session identifier to any of
them. AGPL-3.0, 100% local, no API key, no telemetry. Pairs with the
agent surface as a `web_search` tool target without breaking
Architectural Law 5 -- a search proxy is not a model, so no UNIFIED-
AI-REDIRECTS exception is required.

Files:
  * etc/containers/systemd/mios-searxng.container -- Quadlet pinned at
    docker.io/searxng/searxng:latest@sha256:885f1cd1bb86d759aa4724a1986
    a61c000292823ff8eeb17d34de1a8acb74477 (multi-arch index digest, so
    one pin works on amd64/arm64/armv7). PublishPort 8888:8080 so the
    host port doesn't clash with mios-ai's 8080.
  * usr/lib/sysusers.d/50-mios-services.conf -- pin mios-searxng UID/
    GID to 818 (next free in the 810-829 service range; 817 is mios-ai
    in 50-mios-ai.conf).
  * usr/lib/tmpfiles.d/mios-searxng.conf -- 0750 mios-searxng:mios-
    searxng on /etc/mios/searxng and /var/cache/mios/searxng, plus a
    `C` line that copies vendor settings.yml on first boot only.
  * usr/share/mios/searxng/settings.yml -- vendor defaults: instance
    name "MiOS Search", placeholder secret_key (regenerated at first
    container start by SearXNG's entrypoint), formats: html + json
    (json required for the agent web_search tool surface), telemetry
    off, donation/contact URLs off.
  * usr/share/mios/mios.toml -- new [search] section with endpoint and
    enable flag, sitting alongside [ai].
  * usr/share/mios/env.defaults -- MIOS_SEARXNG_{VERSION,IMAGE,PORT,
    USER,UID,GID} for shell-side consumers.
  * automation/lib/globals.{sh,ps1} -- mirror env.defaults: user/uid/
    gid + port + URL + unit name + container image ref.
  * usr/libexec/mios/mios-dashboard.sh -- show "Search" endpoint dot
    in the Self-replication-loop section and add mios-searxng to the
    Quadlet status list.
  * usr/lib/systemd/system-preset/90-mios.preset -- enable
    mios-searxng.service alongside cockpit.socket.

No new .gitignore entries needed: mios-searxng.container matches the
existing `etc/containers/systemd/mios*` whitelist, mios-searxng.conf
matches `*mios*` under tmpfiles.d, and usr/share/mios/searxng/ is
covered by the broad `!/usr/share/mios/**` whitelist.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

automation/lib/globals.ps1

@@ -51,6 +51,10 @@ $script:MIOS_CEPH_USER    = if ($env:MIOS_CEPH_USER)    { $env:MIOS_CEPH_USER }
 $script:MIOS_CEPH_UID     = if ($env:MIOS_CEPH_UID)     { [int]$env:MIOS_CEPH_UID }  else { 819 }
 $script:MIOS_CEPH_GID     = if ($env:MIOS_CEPH_GID)     { [int]$env:MIOS_CEPH_GID }  else { 819 }
 
+$script:MIOS_SEARXNG_USER = if ($env:MIOS_SEARXNG_USER) { $env:MIOS_SEARXNG_USER } else { 'mios-searxng' }
+$script:MIOS_SEARXNG_UID  = if ($env:MIOS_SEARXNG_UID)  { [int]$env:MIOS_SEARXNG_UID } else { 818 }
+$script:MIOS_SEARXNG_GID  = if ($env:MIOS_SEARXNG_GID)  { [int]$env:MIOS_SEARXNG_GID } else { 818 }
+
 $script:MIOS_SUBUID_START = if ($env:MIOS_SUBUID_START) { [int]$env:MIOS_SUBUID_START } else { 100000 }
 $script:MIOS_SUBUID_COUNT = if ($env:MIOS_SUBUID_COUNT) { [int]$env:MIOS_SUBUID_COUNT } else { 65536 }
 
@@ -69,13 +73,15 @@ $script:MIOS_PORT_FORGE_SSH     = if ($env:MIOS_PORT_FORGE_SSH)     { [int]$env:
 $script:MIOS_PORT_LOCALAI       = if ($env:MIOS_PORT_LOCALAI)       { [int]$env:MIOS_PORT_LOCALAI }       else { 8080 }
 $script:MIOS_PORT_COCKPIT       = if ($env:MIOS_PORT_COCKPIT)       { [int]$env:MIOS_PORT_COCKPIT }       else { 9090 }
 $script:MIOS_PORT_OLLAMA        = if ($env:MIOS_PORT_OLLAMA)        { [int]$env:MIOS_PORT_OLLAMA }        else { 11434 }
+$script:MIOS_PORT_SEARXNG       = if ($env:MIOS_PORT_SEARXNG)       { [int]$env:MIOS_PORT_SEARXNG }       else { 8888 }
 $script:MIOS_PORT_COCKPIT_LINK  = if ($env:MIOS_PORT_COCKPIT_LINK)  { [int]$env:MIOS_PORT_COCKPIT_LINK }  else { 19090 }
 
 # ── URLS ─────────────────────────────────────────────────────────────
 $script:MIOS_AI_ENDPOINT  = if ($env:MIOS_AI_ENDPOINT)  { $env:MIOS_AI_ENDPOINT }  else { "http://localhost:$($script:MIOS_PORT_LOCALAI)/v1" }
 $script:MIOS_FORGE_URL    = if ($env:MIOS_FORGE_URL)    { $env:MIOS_FORGE_URL }    else { "http://localhost:$($script:MIOS_PORT_FORGE_HTTP)" }
 $script:MIOS_COCKPIT_URL  = if ($env:MIOS_COCKPIT_URL)  { $env:MIOS_COCKPIT_URL }  else { "https://localhost:$($script:MIOS_PORT_COCKPIT)" }
 $script:MIOS_OLLAMA_URL   = if ($env:MIOS_OLLAMA_URL)   { $env:MIOS_OLLAMA_URL }   else { "http://localhost:$($script:MIOS_PORT_OLLAMA)" }
+$script:MIOS_SEARXNG_URL  = if ($env:MIOS_SEARXNG_URL)  { $env:MIOS_SEARXNG_URL }  else { "http://localhost:$($script:MIOS_PORT_SEARXNG)" }
 
 # ── REPOS ────────────────────────────────────────────────────────────
 $script:MIOS_REPO_URL           = if ($env:MIOS_REPO_URL)           { $env:MIOS_REPO_URL }           else { 'https://github.com/mios-dev/mios.git' }
@@ -144,6 +150,7 @@ $script:MIOS_UNIT_K3S               = 'mios-k3s.service'
 $script:MIOS_UNIT_AICHAT_BUILD      = 'mios-aichat-build.service'
 $script:MIOS_UNIT_AICHAT_IMAGE      = 'mios-aichat-image.service'
 $script:MIOS_UNIT_COCKPIT_LINK      = 'mios-cockpit-link.service'
+$script:MIOS_UNIT_SEARXNG           = 'mios-searxng.service'
 $script:MIOS_UNIT_FIRSTBOOT_TARGET  = 'mios-firstboot.target'
 $script:MIOS_UNIT_OLLAMA_FIRSTBOOT  = 'mios-ollama-firstboot.service'
 $script:MIOS_UNIT_WSL_FIRSTBOOT     = 'mios-wsl-firstboot.service'
@@ -155,6 +162,7 @@ $script:MIOS_CONTAINER_AICHAT_IMAGE     = 'localhost/mios/aichat:latest'
 $script:MIOS_CONTAINER_FORGE_IMAGE      = 'codeberg.org/forgejo/forgejo:12'
 $script:MIOS_CONTAINER_LOCALAI_IMAGE    = 'docker.io/localai/localai:latest'
 $script:MIOS_CONTAINER_OLLAMA_IMAGE     = 'docker.io/ollama/ollama:latest'
+$script:MIOS_CONTAINER_SEARXNG_IMAGE    = 'docker.io/searxng/searxng:latest'
 
 # ── COLOR PALETTE ────────────────────────────────────────────────────
 # Hokusai + operator-neutrals palette. Vendor defaults; resolved from

automation/lib/globals.sh

@@ -70,6 +70,10 @@ export MIOS_VERSION
 : "${MIOS_CEPH_UID:=819}"
 : "${MIOS_CEPH_GID:=819}"
 
+: "${MIOS_SEARXNG_USER:=mios-searxng}"
+: "${MIOS_SEARXNG_UID:=818}"
+: "${MIOS_SEARXNG_GID:=818}"
+
 # Rootless-container subuid/subgid range. Standard Fedora useradd -m
 # allocates 100000:65536; we keep the same so /etc/subuid + /etc/subgid
 # stay consistent with stock Fedora workflows.
@@ -81,6 +85,7 @@ export MIOS_FORGE_USER MIOS_FORGE_UID MIOS_FORGE_GID
 export MIOS_AI_USER MIOS_AI_UID MIOS_AI_GID
 export MIOS_OLLAMA_USER MIOS_OLLAMA_UID MIOS_OLLAMA_GID
 export MIOS_CEPH_USER MIOS_CEPH_UID MIOS_CEPH_GID
+export MIOS_SEARXNG_USER MIOS_SEARXNG_UID MIOS_SEARXNG_GID
 export MIOS_SUBUID_START MIOS_SUBUID_COUNT
 
 # ── IMAGES ───────────────────────────────────────────────────────────
@@ -100,9 +105,11 @@ export MIOS_LOCAL_IMAGE MIOS_BASE_IMAGE MIOS_BIB_IMAGE
 : "${MIOS_PORT_LOCALAI:=8080}"
 : "${MIOS_PORT_COCKPIT:=9090}"
 : "${MIOS_PORT_OLLAMA:=11434}"
+: "${MIOS_PORT_SEARXNG:=8888}"
 : "${MIOS_PORT_COCKPIT_LINK:=19090}"   # podman-desktop discovery shim
 export MIOS_PORT_SSH MIOS_PORT_FORGE_HTTP MIOS_PORT_FORGE_SSH
-export MIOS_PORT_LOCALAI MIOS_PORT_COCKPIT MIOS_PORT_OLLAMA MIOS_PORT_COCKPIT_LINK
+export MIOS_PORT_LOCALAI MIOS_PORT_COCKPIT MIOS_PORT_OLLAMA
+export MIOS_PORT_SEARXNG MIOS_PORT_COCKPIT_LINK
 
 # ── URLS ─────────────────────────────────────────────────────────────
 # Derived from PORTS so a single port change propagates. MIOS_AI_ENDPOINT
@@ -111,7 +118,8 @@ export MIOS_PORT_LOCALAI MIOS_PORT_COCKPIT MIOS_PORT_OLLAMA MIOS_PORT_COCKPIT_LI
 : "${MIOS_FORGE_URL:=http://localhost:${MIOS_PORT_FORGE_HTTP}}"
 : "${MIOS_COCKPIT_URL:=https://localhost:${MIOS_PORT_COCKPIT}}"
 : "${MIOS_OLLAMA_URL:=http://localhost:${MIOS_PORT_OLLAMA}}"
-export MIOS_AI_ENDPOINT MIOS_FORGE_URL MIOS_COCKPIT_URL MIOS_OLLAMA_URL
+: "${MIOS_SEARXNG_URL:=http://localhost:${MIOS_PORT_SEARXNG}}"
+export MIOS_AI_ENDPOINT MIOS_FORGE_URL MIOS_COCKPIT_URL MIOS_OLLAMA_URL MIOS_SEARXNG_URL
 
 # ── REPOS ────────────────────────────────────────────────────────────
 : "${MIOS_REPO_URL:=https://github.com/mios-dev/mios.git}"
@@ -203,6 +211,7 @@ export MIOS_AI_SYSTEM_PROMPT MIOS_MCP_REGISTRY MIOS_BUILD_ENV_FILE
 : "${MIOS_UNIT_AICHAT_BUILD:=mios-aichat-build.service}"
 : "${MIOS_UNIT_AICHAT_IMAGE:=mios-aichat-image.service}"
 : "${MIOS_UNIT_COCKPIT_LINK:=mios-cockpit-link.service}"
+: "${MIOS_UNIT_SEARXNG:=mios-searxng.service}"
 
 # Hand-written units
 : "${MIOS_UNIT_FIRSTBOOT_TARGET:=mios-firstboot.target}"
@@ -212,7 +221,7 @@ export MIOS_AI_SYSTEM_PROMPT MIOS_MCP_REGISTRY MIOS_BUILD_ENV_FILE
 
 export MIOS_UNIT_AI MIOS_UNIT_FORGE MIOS_UNIT_FORGE_RUNNER MIOS_UNIT_OLLAMA
 export MIOS_UNIT_CEPH MIOS_UNIT_K3S MIOS_UNIT_AICHAT_BUILD MIOS_UNIT_AICHAT_IMAGE
-export MIOS_UNIT_COCKPIT_LINK MIOS_UNIT_FIRSTBOOT_TARGET
+export MIOS_UNIT_COCKPIT_LINK MIOS_UNIT_SEARXNG MIOS_UNIT_FIRSTBOOT_TARGET
 export MIOS_UNIT_OLLAMA_FIRSTBOOT MIOS_UNIT_WSL_FIRSTBOOT MIOS_UNIT_USER_SESSION
 
 # ── CONTAINERS / DISTROBOX ───────────────────────────────────────────
@@ -221,10 +230,11 @@ export MIOS_UNIT_OLLAMA_FIRSTBOOT MIOS_UNIT_WSL_FIRSTBOOT MIOS_UNIT_USER_SESSION
 : "${MIOS_CONTAINER_FORGE_IMAGE:=codeberg.org/forgejo/forgejo:12}"
 : "${MIOS_CONTAINER_LOCALAI_IMAGE:=docker.io/localai/localai:latest}"
 : "${MIOS_CONTAINER_OLLAMA_IMAGE:=docker.io/ollama/ollama:latest}"
+: "${MIOS_CONTAINER_SEARXNG_IMAGE:=docker.io/searxng/searxng:latest}"
 
 export MIOS_DISTROBOX_AICHAT MIOS_CONTAINER_AICHAT_IMAGE
 export MIOS_CONTAINER_FORGE_IMAGE MIOS_CONTAINER_LOCALAI_IMAGE
-export MIOS_CONTAINER_OLLAMA_IMAGE
+export MIOS_CONTAINER_OLLAMA_IMAGE MIOS_CONTAINER_SEARXNG_IMAGE
 
 # ── COLOR PALETTE ────────────────────────────────────────────────────
 # Hokusai + operator-neutrals palette. Resolved from mios.toml [colors]

etc/containers/systemd/mios-searxng.container

@@ -0,0 +1,81 @@
+# /etc/containers/systemd/mios-searxng.container
+# 'MiOS' privacy-respecting metasearch (SearXNG upstream).
+#
+# SearXNG is the search counterpart to mios-ai/ollama: it gives the
+# operator (and the LLM, via Tools) a single localhost endpoint that
+# aggregates results from ~250 upstream search engines without leaking
+# any IP, user-agent, or session identifier to those engines. It is
+# AGPL-3.0 and 100% local -- no external account, no API key, no
+# telemetry. Pairs naturally with the agent surface as a `web_search`
+# tool target without breaking Architectural Law 5 (no vendor cloud
+# AI URL): SearXNG is a *search proxy*, not a model.
+#
+# Defaults policy: enabled by default. ConditionPathIsDirectory guards
+# the config dir; if /etc/mios/searxng/ doesn't exist (incomplete
+# bootstrap) the unit no-ops at pre-boot rather than crash-looping.
+
+[Unit]
+Description='MiOS' SearXNG metasearch (privacy-respecting search proxy)
+After=network-online.target
+Wants=network-online.target
+ConditionPathIsDirectory=/etc/mios/searxng
+
+[Container]
+# Multi-arch index pin -- the @sha256 covers amd64, arm64, and armv7
+# manifests via the OCI image index, so a single digest works across
+# every host shape MiOS targets.
+Image=docker.io/searxng/searxng:latest@sha256:885f1cd1bb86d759aa4724a1986a61c000292823ff8eeb17d34de1a8acb74477
+ContainerName=mios-searxng
+Network=mios.network
+# 8888 host -> 8080 container. 8080 is taken by mios-ai (LocalAI's
+# OpenAI-compatible endpoint), so SearXNG goes on the next conventional
+# search-proxy port. Sibling Quadlets on mios.network reach it as
+# http://mios-searxng:8080/ without going through host loopback.
+PublishPort=8888:8080
+
+# Persistent state: settings.yml + uwsgi.ini live under /etc/searxng;
+# the container expects them at /etc/searxng inside. We bind-mount the
+# host's /etc/mios/searxng read-write so the operator (and SearXNG's
+# own first-run secret_key generator) can persist edits across image
+# rebuilds. /var/cache/mios/searxng holds the on-disk results cache so
+# a restart doesn't repeat queries that the upstream engines have
+# already answered.
+Volume=/etc/mios/searxng:/etc/searxng:Z
+Volume=/var/cache/mios/searxng:/var/cache/searxng:Z
+
+# Identity. UID 818 is pinned in usr/lib/sysusers.d/50-mios-services.conf
+# so /etc/mios/searxng and /var/cache/mios/searxng ownership stays
+# stable across image rebuilds. The upstream SearXNG image's `searxng`
+# user inside the container is uid 977; we're overriding it so the
+# host-side bind-mounts are owned by mios-searxng (818) and the
+# container process can still read+write because the volumes are
+# chowned 818:818 by usr/lib/tmpfiles.d/mios-searxng.conf at boot.
+User=818
+Group=818
+
+# Public-facing URL. SearXNG uses this as the canonical base for
+# generated absolute links (RSS feeds, opensearch.xml, etc.). Operators
+# fronting SearXNG behind a reverse proxy override this in
+# /etc/mios/searxng/settings.yml -> server.base_url.
+Environment=SEARXNG_BASE_URL=http://localhost:8888/
+Environment=SEARXNG_BIND_ADDRESS=0.0.0.0:8080
+
+# Limit log volume; SearXNG is chatty per-query.
+Environment=SEARXNG_LOG_LEVEL=WARNING
+
+# OCI image labels for Podman Desktop. Values MUST NOT contain
+# whitespace -- Quadlet's Label= parser word-splits on spaces and
+# emits each word as a separate --label arg, breaking the run line.
+Label=org.opencontainers.image.title=mios-searxng
+Label=org.opencontainers.image.url=http://localhost:8888/
+Label=org.opencontainers.image.documentation=https://docs.searxng.org/
+Label=io.podman_desktop.openInBrowser=http://localhost:8888/
+
+[Service]
+Restart=on-failure
+RestartSec=10s
+TimeoutStartSec=300s
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target default.target

usr/lib/systemd/system-preset/90-mios.preset

@@ -46,6 +46,7 @@ enable greenboot-rpm-ostree-grub2-check-fallback.service
 enable greenboot-status.service
 enable redboot-auto-reboot.service
 enable cockpit.socket
+enable mios-searxng.service
 # user@1000.service starts the per-user systemd manager + user D-Bus
 # session bus for the 'mios' user (uid 1000, pinned in
 # /usr/lib/sysusers.d/10-mios.conf). Normally systemd-logind reads

usr/lib/sysusers.d/50-mios-services.conf

@@ -15,3 +15,7 @@ g mios-ollama 815
 u mios-ollama 815:mios-ollama "'MiOS' Ollama" /var/empty /usr/sbin/nologin
 g mios-forge 816
 u mios-forge 816:mios-forge "'MiOS' Forge (Forgejo)" /var/empty /usr/sbin/nologin
+# 817 is allocated to mios-ai in 50-mios-ai.conf (separate file because
+# the AI subsystem ships its own sysusers/tmpfiles unit pair).
+g mios-searxng 818
+u mios-searxng 818:mios-searxng "'MiOS' SearXNG metasearch" /var/empty /usr/sbin/nologin

usr/lib/tmpfiles.d/mios-searxng.conf

@@ -0,0 +1,19 @@
+# /usr/lib/tmpfiles.d/mios-searxng.conf
+# 'MiOS' SearXNG metasearch -- runtime directories.
+#
+# /etc/mios/searxng    config dir (settings.yml, uwsgi.ini)
+# /var/cache/searxng   on-disk result cache (per-user TTL)
+#
+# UID 818 is pinned in /usr/lib/sysusers.d/50-mios-services.conf and
+# referenced by etc/containers/systemd/mios-searxng.container's
+# User=818/Group=818 directives. Both directories must already be
+# chowned 818:818 before the Quadlet starts, otherwise the container's
+# uwsgi worker can't write its socket / cache files and exits with EACCES.
+
+d /etc/mios/searxng        0750 mios-searxng mios-searxng -
+d /var/cache/mios/searxng  0750 mios-searxng mios-searxng -
+# Vendor settings.yml is shipped at /usr/share/mios/searxng/settings.yml
+# and copied into /etc/mios/searxng/ on first boot if no operator copy
+# exists. C= is "create-if-absent and copy from source" -- it never
+# overwrites an existing file, so a hand-edited settings.yml survives.
+C /etc/mios/searxng/settings.yml 0640 mios-searxng mios-searxng - /usr/share/mios/searxng/settings.yml

usr/libexec/mios/mios-dashboard.sh

@@ -242,13 +242,15 @@ print_endpoints() {
         "$C_GRY" "${MIOS_LINUX_USER:-mios}" "${MIOS_DEV_DEFAULT_PASSWORD:-mios}" "$C_R"
     printf '    %s  Ollama      %shttp://localhost:11434%s\n' \
         "$(ep_dot http://localhost:11434/)" "$C_D" "$C_R"
+    printf '    %s  Search      %shttp://localhost:8888/%s\n' \
+        "$(ep_dot http://localhost:8888/)" "$C_D" "$C_R"
 }
 
 print_quadlets() {
     section_header "Quadlet services"
     local svc info name dot color
     for svc in mios-ai mios-forge mios-forgejo-runner mios-cockpit-link \
-               mios-ceph mios-k3s ollama crowdsec-dashboard \
+               mios-ceph mios-k3s ollama mios-searxng crowdsec-dashboard \
                mios-guacamole guacd guacamole-postgres; do
         info="$(service_status "${svc}.service")"
         IFS='|' read -r name dot color <<< "$info"

usr/share/mios/env.defaults

@@ -46,6 +46,12 @@ MIOS_FORGE_VERSION="12"
 MIOS_FORGE_IMAGE="codeberg.org/forgejo/forgejo:12"
 MIOS_FORGE_HTTP_PORT="3000"
 MIOS_FORGE_SSH_PORT="2222"
+MIOS_SEARXNG_VERSION="latest"
+MIOS_SEARXNG_IMAGE="docker.io/searxng/searxng:latest"
+MIOS_SEARXNG_PORT="8888"
+MIOS_SEARXNG_USER="mios-searxng"
+MIOS_SEARXNG_UID="818"
+MIOS_SEARXNG_GID="818"
 
 # ── AI inference (LAW 5: localhost OpenAI-compatible only) ────────────────────
 # Default model set researched for the 12 GB system-RAM workstation

usr/share/mios/mios.toml

@@ -134,6 +134,16 @@ format         = "toml"
 spec_url       = "https://toml.io/en/v1.0.0"
 editor_url     = "/usr/share/mios/configurator/index.html"
 
+[search]
+# Local privacy-respecting metasearch (SearXNG). Always-on Quadlet at
+# etc/containers/systemd/mios-searxng.container; the agent surface
+# (usr/share/mios/ai/v1/tools.json) can plug into this as a localhost
+# `web_search` tool target without breaking Architectural Law 5 -- a
+# search proxy is not a model, so no UNIFIED-AI-REDIRECTS exception
+# is required.
+endpoint = "http://localhost:8888/"
+enable   = true
+
 [ai]
 endpoint            = "http://localhost:8080/v1"
 model               = "qwen2.5-coder:7b"

usr/share/mios/searxng/settings.yml

@@ -0,0 +1,58 @@
+# /usr/share/mios/searxng/settings.yml
+# 'MiOS' SearXNG vendor defaults.
+#
+# This file is copied into /etc/mios/searxng/settings.yml on first boot
+# by usr/lib/tmpfiles.d/mios-searxng.conf (C= line: copy-if-absent).
+# Once present in /etc, operator edits survive every subsequent boot.
+# To restore vendor defaults: rm /etc/mios/searxng/settings.yml +
+# `systemctl restart systemd-tmpfiles-setup.service`.
+#
+# secret_key is left as the placeholder PLACEHOLDER_SECRET_KEY_REGENERATE_ON_FIRST_BOOT;
+# the SearXNG entrypoint detects this sentinel and overwrites it with a
+# fresh 64-char value on container startup, then never touches it again.
+
+use_default_settings: true
+
+general:
+  instance_name: "MiOS Search"
+  privacypolicy_url: false
+  donation_url: false
+  contact_url: false
+  enable_metrics: false
+
+server:
+  base_url: "http://localhost:8888/"
+  port: 8080
+  bind_address: "0.0.0.0"
+  # Filled in at first-boot by SearXNG's entrypoint.
+  secret_key: "PLACEHOLDER_SECRET_KEY_REGENERATE_ON_FIRST_BOOT"
+  limiter: false
+  image_proxy: true
+  http_protocol_version: "1.0"
+  method: "GET"
+  default_http_headers:
+    X-Content-Type-Options: nosniff
+    X-Download-Options: noopen
+    X-Robots-Tag: noindex, nofollow
+    Referrer-Policy: no-referrer
+
+ui:
+  static_use_hash: true
+  default_locale: "en"
+  query_in_title: false
+  infinite_scroll: false
+  center_alignment: false
+  theme_args:
+    simple_style: dark
+
+search:
+  safe_search: 0
+  autocomplete: "duckduckgo"
+  default_lang: "en"
+  formats:
+    - html
+    - json    # required for the agent web_search tool surface
+
+# Engines: keep upstream defaults; operators tune on a per-instance
+# basis under /etc/mios/searxng/settings.yml. Comment block here so
+# the vendor copy is short and the diff against upstream is auditable.