defiant/homeassistant: add zigbee dongle

hosts/defiant/configuration.nix

@@ -29,6 +29,7 @@
       # ./services/minecraft.nix
       ./services/monitoring
       ./services/rtl-tcp.nix
+      ./services/searx.nix
       ./services/vaultwarden.nix
   ];
 

hosts/defiant/services/home-assistant.nix

@@ -11,6 +11,7 @@ in {
       image = "ghcr.io/home-assistant/home-assistant:2024.1";
       extraOptions = [
         "--network=host"
+        "--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
       ];
       volumes = [
         "/tank/services/homeassistant/config:/config"

hosts/defiant/services/keycloak.nix

@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.services.keycloak.settings;
+  hostname = "iam.feal.no";
 in {
   sops.secrets."keycloak/postgres" = { };
 
@@ -16,7 +17,7 @@ in {
 
     settings = {
       cache = "local";
-      hostname = "https://iam.feal.no";
+      hostname = "https://${hostname}";
       hostname-backchannel-dynamic = false;
       http-enabled = true;
       http-host = "127.0.1.2";
@@ -26,7 +27,7 @@ in {
   };
 
   # The main reverse proxy is defined in ./nginx.nix
-  services.nginx.virtualHosts.${cfg.hostname} = {
+  services.nginx.virtualHosts.${hostname} = {
     locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
   };
 }

hosts/defiant/services/searx.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.searx;
+  domain = "search.home.feal.no";
+in {
+  services.searx = {
+    enable = true;
+    environmentFile = config.sops.secrets."searx/envfile".path;
+    settings = {
+      server = {
+        secret_key = "@SEARX_SECRET_KEY@";
+        base_url = "http://${domain}";
+      };
+    };
+
+    runInUwsgi = true;
+    uwsgiConfig = {
+      socket = "/run/searx/searx.sock";
+      chmod-socket = "660";
+    };
+
+    redisCreateLocally = true;
+  };
+
+  sops.secrets."searx/envfile" = {
+    owner = "searx";
+    group = "searx";
+  };
+
+  users.groups."searx".members = [ "nginx" ];
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".extraConfig = ''
+      include ${config.services.nginx.package}/conf/uwsgi_params;
+      uwsgi_pass unix:${cfg.uwsgiConfig.socket};
+    '';
+  };
+}
+

secrets/defiant/defiant.yaml

@@ -20,6 +20,8 @@ keycloak:
     postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
 koillection:
     envfile: ENC[AES256_GCM,data:3wq6xiULzELDxtDsBfPbKrnEsAEoG9oQREyaEoe0AVpJziVMrhEQruLCl1F/,iv:IscSmKD8nwQ2HmNnC+54rZrWMimdYPLCArmt/ToTdNM=,tag:J3QYTUtJhpn+R8hpqkA9zg==,type:str]
+searx:
+    envfile: ENC[AES256_GCM,data:BlLVb7C2z/kFxULQnNsGucFZg/R57i0GGMZ6PUhkG1fmYGdY0q31948Z1NoMMaEcwQEdOX6Z8+m96o/RjRTt7K3V+n5+cI1OX9pfoTBwDcJ7/w==,iv:MM+t38IZFdzCXM4jG7jH0uZZP8Zs8kyH8Xe3bPiVmUM=,tag:0ezofl1dDXm1o974f2wRrw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -53,8 +55,8 @@ sops:
             VVpkM0dwMnRwMlZhbGRWaE1tRVZLbWMKhDnvP1GLD6LqXJ4PnQFF8TsVzVAeAvQ7
             W2QzaoZGysaO06NMqJg1039RVJ7Tm7ZdEfqZLavYxk/tS4Wt3EGr4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-01T10:13:16Z"
+    lastmodified: "2024-12-31T11:50:02Z"
-    mac: ENC[AES256_GCM,data:SFZz05/9Wb5o9X0ieNxrk4LJkCniliQ7ykWR+ocLw+At9Ye620JQTYFHfpzT/h+aRdborgkRtldw0c5+UOzx9+F3HtoWsrK04uQ1qso8YjO87qEqlVenVPuOVUuvyVtPQOWyLrHOOPkLSrj0a1NQdPSsfxcC04DhSkiW4RTNWXw=,iv:zp6HP14YZYt8BNj7jPPM+cb5cBZThijfcaqDZ6rH5Hg=,tag:W+/XKoj61yUXL+PC5YXQlg==,type:str]
+    mac: ENC[AES256_GCM,data:skTdbNg8f9c0YiSzv8v9j5duCqcd2sR/tmomeZz8iWM9FQHHs9EO/SMjGQBWIlYjIJS5Pv9g6/yI5WT8L3D/vK+Ajih32397X6noqSjTFv7yfJCaQh8NxNOC6Q8RRyPT5mNjB76HQb6IxHnQYg74zi5CUjMLXwsCAIOBJvcFyiE=,iv:wZtw3DN+g/2zjDpLGkwHLFnsZQ4zQY3oifOFWhsPTE4=,tag:aDeTeCxl7I132jhRrtpVMg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.2