home-assistant-one

This is one of the NixOS boxes. Its primary service is running Home Assistant. It currently has dongles for Z-Wave, Zigbee (ZBT-1) and OpenThread (ZBT-2) plugged in. All these dongles have custom /dev/tty-* names based on custom udev rules.
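As an added illustration of what such udev rules look like on NixOS (this is not the box's actual configuration), the module below gives each dongle a stable /dev/tty-* symlink keyed on the USB vendor/product ID and serial number. The IDs, serials and symlink names are placeholders; the real values come from udevadm on the box.

```nix
# Added example, not the box's real configuration. Gives each radio dongle a
# stable /dev/tty-* symlink via a udev rule keyed on the USB vendor/product ID
# and serial number. All IDs and serials here are placeholders; read the real
# ones with `udevadm info -a -n /dev/ttyACM0` (or the ttyUSB node) on the box.
{ config, lib, pkgs, ... }:

{
  services.udev.extraRules = ''
    # Z-Wave controller (placeholder IDs) -> /dev/tty-zwave
    SUBSYSTEM=="tty", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="0001", ATTRS{serial}=="ZWAVE-SERIAL-PLACEHOLDER", SYMLINK+="tty-zwave", MODE="0660", GROUP="dialout"

    # Zigbee (ZBT-1, placeholder IDs) -> /dev/tty-zigbee
    SUBSYSTEM=="tty", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="0002", ATTRS{serial}=="ZBT1-SERIAL-PLACEHOLDER", SYMLINK+="tty-zigbee", MODE="0660", GROUP="dialout"

    # OpenThread (ZBT-2, placeholder IDs) -> /dev/tty-thread
    SUBSYSTEM=="tty", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="0003", ATTRS{serial}=="ZBT2-SERIAL-PLACEHOLDER", SYMLINK+="tty-thread", MODE="0660", GROUP="dialout"
  '';
}
```

Matching on the serial as well as the vendor/product pair keeps the names stable even when two dongles share the same USB IDs (common for radios from one vendor), and the explicit MODE/GROUP stops the serial ports from being world-readable. Once the symlinks exist, a container only needs its own node passed in, which is a much smaller grant than the whole of /dev that a privileged container gets.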

Architecture

The box operates Home Assistant and other dependency services as a bunch of containers mixed with some NixOS services. Here's a (possibly non-exhaustive) list of them:

  • podman-homeassistant: the primary HA container, running with privileged=true. It has access to all the exposed dongles.
  • podman-thread_border_router: runs the OpenThread Border Router (OTBR) container that talks to the ZBT-2 dongle for Thread support. This container is required for the ZBT-2 dongle (in Thread mode) to operate at all.
  • matter-server: the Matter server that HA talks to.
  • mpd: HA uses this to play music and TTS over the system audio outputs (e.g. Bluetooth, 3.5mm audio)
  • pulseaudio: audio server, run as a system-wide service
  • zwave-js: the Z-Wave.js server that HA talks to

Networking

This box is a special box, in that it has access to almost all of our VLANs!

  • vlan10 (management)
  • vlan100 (services, primary, over eno1)
  • vlan110 (user)
  • vlan130 (iot)

It primarily talks to vlan130 (Matter, Home Assistant).

The box does network ingress using cloudflared + caddy, since we don't have stable public IPs yet.

All cloudflared traffic routed to the box (the hostname's DNS record must point at the tunnel) is automatically forwarded to Caddy's :80, which then routes it to each host according to the services.caddy.virtualHosts rules. Virtual hosts must only listen on http://; HTTPS is NOT used for routing and is terminated at cloudflared already.
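The chain described above, written out as an added NixOS example (not the box's own configuration): cloudflared hands every tunnelled request to Caddy on :80 over plain HTTP, and Caddy routes by a plain http:// site address. The hostname, tunnel name, credentials path and backend port are assumptions (8123 is Home Assistant's default port).

```nix
# Added example, not the box's real configuration. Shows the cloudflared ->
# Caddy -> service chain. Hostnames, the tunnel name, the credentials path and
# the backend port are assumptions (8123 is Home Assistant's default port).
{ config, lib, pkgs, ... }:

{
  # cloudflared: everything arriving over the tunnel goes to Caddy on :80 over
  # plain HTTP; TLS has already been terminated upstream of this box.
  services.cloudflared = {
    enable = true;
    tunnels."home-assistant-one" = {                            # assumed tunnel name
      credentialsFile = "/run/secrets/cloudflared-tunnel.json"; # assumed path
      default = "http_status:404";                              # unmatched hostnames get a 404
      ingress = {
        "ha.example.invalid" = "http://127.0.0.1:80";           # assumed hostname
      };
    };
  };

  services.caddy = {
    enable = true;
    # Plain http:// site addresses only: with "https://" or a bare hostname
    # Caddy would try to obtain a certificate and listen on :443, which nothing
    # behind the tunnel ever reaches.
    virtualHosts."http://ha.example.invalid".extraConfig = ''
      reverse_proxy 127.0.0.1:8123
    '';
  };
}
```

The `default = "http_status:404"` line is the important safety net: cloudflared refuses to start without a catch-all, and a 404 there means a hostname that was pointed at the tunnel by mistake does not fall through to some other service. Home Assistant itself only accepts proxied requests when its `http:` section has `use_x_forwarded_for: true` and the proxy address listed under `trusted_proxies`, so that setting needs to match the address Caddy connects from.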