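# NixOS module: DNS records, an ACME certificate, one sops secret and three
# nginx virtual hosts (hass.zaphyra.eu, hass.zaphyra.dn42, floractl.fc9f.de).
# All three vhosts front services on the upstream host 192.168.2.147.
{
  machineConfig,
  sopsSecrets,
  resources,
  config,
  lib,
  pkgs,
  ...
}:
{
  # The description used to be empty, which left the generated option docs
  # without any text saying what this toggle switches on.
  options.zpha.websites."hass.zaphyra.eu".enable =
    lib.mkEnableOption "the hass.zaphyra.eu, hass.zaphyra.dn42 and floractl.fc9f.de nginx virtual hosts";

  config = lib.mkIf config.zpha.websites."hass.zaphyra.eu".enable {

    # Both hass names resolve to this machine's dn42 IPv6 address only;
    # floractl gets an A record for the machine's IPv4 address.
    dns.zones = {
      "zaphyra.eu".subdomains."hass".AAAA = lib.singleton machineConfig.networking.dn42.ip6Address;
      "zaphyra.dn42".subdomains."hass".AAAA = lib.singleton machineConfig.networking.dn42.ip6Address;
      "fc9f.de".subdomains."floractl".A = lib.singleton machineConfig.networking.ip4Address;
    };

    # Decrypted file is owned by nginx:nginx because nginx serves it directly
    # (see the "= /config.json" location below).
    # NOTE(review): that location has no allow/deny, so every value in this
    # secret is readable by any client that can reach floractl.fc9f.de. Keep
    # only data that is meant to be client-visible in it; if it carries broker
    # credentials, scope them to the minimum the web UI needs. Confirm intent.
    sops.secrets."floractl/config.json" = {
      sopsFile = sopsSecrets.zaphyra.floractl;
      key = "config";
      owner = "nginx";
      group = "nginx";
    };

    # Certificate for the .dn42 name is requested from a dn42-internal ACME
    # directory instead of the default CA.
    # dnsProvider = null presumably overrides a DNS-01 default set elsewhere so
    # that the vhost's enableACME challenge handling is used; confirm.
    security.acme.certs."hass.zaphyra.dn42" = {
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      validMinDays = 20;
      keyType = "ec384";
      dnsProvider = null;
    };

    services.nginx.virtualHosts =
      let
        # Shared definition for both hass names.
        # Access control: only the two listed IPv6 /48 prefixes are allowed,
        # everything else (including all IPv4 clients) is denied. The ACL is
        # set on "/" only, which is the sole location defined here.
        # The hop to the upstream is plain HTTP, so TLS ends at this nginx and
        # confidentiality past it depends on the 192.168.2.0 network segment.
        # Host is rewritten to the upstream IP; the Upgrade/Connection headers
        # are passed so WebSocket upgrades reach the backend.
        vHost = {
          forceSSL = true;
          kTLS = true;
          locations."/".extraConfig = ''
            allow fd6b:6174:6a61::/48;
            allow fd42:ccc:da::/48;
            deny all;
            proxy_pass http://192.168.2.147:8123;
            proxy_http_version 1.1;
            proxy_set_header Host 192.168.2.147;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
          '';
        };
      in
      {
        # .dn42 name: own certificate, issued via security.acme.certs above.
        "hass.zaphyra.dn42" = vHost // {
          enableACME = true;
        };

        # .eu name: reuses the certificate of the machine's FQDN.
        # Assumes that certificate lists hass.zaphyra.eu as an additional
        # name; that is configured outside this file, so verify.
        "hass.zaphyra.eu" = vHost // {
          useACMEHost = config.networking.fqdn;
        };

        # Static MQTT web UI (patched mqtt-webui package) plus a WebSocket
        # proxy to the upstream on port 1884.
        # NOTE(review): unlike the hass vhosts, nothing here restricts client
        # addresses. Whoever reaches this vhost can fetch /config.json and open
        # a WebSocket to /mqtt, so authentication and topic ACLs on the
        # upstream are the only access control. Confirm this exposure is
        # intended, or add allow/deny rules matching the hass vhosts.
        "floractl.fc9f.de" = {
          forceSSL = true;
          useACMEHost = config.networking.fqdn;
          kTLS = true;
          root = pkgs.zpha.mqtt-webui.override {
            patches = [ resources.patches.mqttwebui-florapatches-owo ];
          };
          locations = {
            # Exact-match location that serves the decrypted sops secret as a file.
            "= /config.json".alias = config.sops.secrets."floractl/config.json".path;
            "/mqtt" = {
              proxyPass = "http://192.168.2.147:1884/";
              proxyWebsockets = true;
            };
          };
        };
      };
  };
}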