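# Boolean-toggled module that publishes the MQTT web UI on
# smart.<networking.domain> through nginx, gated by TLS client certificates.
#
# `cfg` is the value found at the `povSelf` attribute path inside `config`;
# everything under `config` below is only applied when it evaluates to true.
{
  inputs,
  povSelf,
  pkgs,
  lib,
  config,
  hostConfig,
  ...
}:
let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;
in
{
  # Single on/off switch, disabled unless a host opts in.
  option = {
    type = types.bool;
    default = false;
  };

  config = lib.mkIf cfg {
    # Publish this host's IPv6 address for the UI's name in the zaphyra.eu zone.
    dns.zones."zaphyra.eu".subdomains."smart.home.infra".AAAA = [ hostConfig.networking.ip6Address ];

    services.nginx = {
      enable = true;
      virtualHosts."smart.${config.networking.domain}" = {
        # Reuses the ACME certificate issued for the host's FQDN.
        # NOTE(review): that certificate presumably lists this vhost name as an
        # additional domain; confirm, otherwise clients get a name mismatch.
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;

        # Client certificates are validated against the project's root CA, but
        # `optional` lets the handshake succeed without one. Nothing is rejected
        # at the TLS layer: access control happens per location by testing
        # $ssl_client_verify. Any location added to this vhost without that test
        # is reachable without a certificate.
        extraConfig = ''
          ssl_client_certificate ${inputs.self.resources.zaphyra.rootCA};
          ssl_verify_client optional;
        '';

        locations = {
          "/" = {
            # Static web root: the mqtt-webui package merged with two generated files.
            # NOTE(review): builtins.toJSON serialises its argument as a JSON value.
            # If `extra-css` is a plain CSS string, extra.css will contain a quoted,
            # escaped string rather than raw CSS; confirm the resource's shape.
            # NOTE(review): both generated files live in the Nix store, which is
            # world-readable on the host, and config.json is served to every
            # authenticated browser; keep broker credentials out of it.
            root = "${
              pkgs.buildEnv {
                name = "mqtt-webui-env";
                paths = [
                  pkgs.mqtt-webui
                  (pkgs.writeTextDir "extra.css" (builtins.toJSON inputs.self.resources.zaphyra.mqttWebUI.extra-css))
                  (pkgs.writeTextDir "config.json" (
                    builtins.toJSON (import inputs.self.resources.zaphyra.mqttWebUI.config)
                  ))
                ];
              }
            }/";

            # Everything except the two exempt files requires a verified client
            # certificate. The lookahead is anchored with `$` so the exemption
            # applies to exactly /favicon-512x512.png and /manifest.json. Without
            # the anchor, any URI that merely starts with one of those names would
            # skip the certificate test.
            extraConfig = ''
              location ~ ^/(?!(favicon-512x512\.png|manifest\.json)$) {
                if ($ssl_client_verify != SUCCESS) {
                  return 403;
                }
              }
            '';
          };

          "/mqtt" = {
            # WebSocket proxy to a listener on loopback port 9005 (presumably the
            # broker's WebSocket listener; confirm). The certificate test below is
            # the only access check visible in this module. The upstream hop is
            # plain HTTP and carries no client identity.
            proxyPass = "http://[::1]:9005";
            proxyWebsockets = true;
            extraConfig = ''
              if ($ssl_client_verify != SUCCESS) {
                return 403;
              }
            '';
          };
        };
      };
    };
  };
}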