{
  machineConfig,
  sopsSecrets,
  resources,
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.zpha.websites."hass.zaphyra.eu";

  # Both Home Assistant hostnames resolve to this machine's dn42 IPv6
  # address, so the hass vhosts are only reachable from that side.
  dn42Ip6 = machineConfig.networking.dn42.ip6Address;

  # Public IPv4 of this machine; only the MQTT web UI name points at it.
  publicIp4 = machineConfig.networking.ip4Address;

  # Shared vhost body for the two Home Assistant names.  Access is limited
  # to the two ULA prefixes listed below (everything else gets a 403 from
  # `deny all`), and the websocket upgrade headers are forwarded by hand
  # rather than via proxyWebsockets.  The Host header is rewritten to the
  # backend IP, so the upstream never sees the public hostname.
  hassVHost = {
    forceSSL = true;
    kTLS = true;
    locations."/".extraConfig = ''
      allow fd6b:6174:6a61::/48;
      allow fd42:ccc:da::/48;
      deny all;

      proxy_pass http://192.168.2.147:8123;
      proxy_http_version 1.1;
      proxy_set_header Host 192.168.2.147;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    '';
  };
in
{

  options.zpha.websites."hass.zaphyra.eu".enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
    # DNS: hass.* in both the clearnet and the dn42 zone get the dn42
    # address; floractl.fc9f.de gets the public IPv4.
    dns.zones =
      lib.genAttrs [ "zaphyra.eu" "zaphyra.dn42" ] (_: {
        subdomains."hass".AAAA = lib.singleton dn42Ip6;
      })
      // {
        "fc9f.de".subdomains."floractl".A = lib.singleton publicIp4;
      };

    # Decrypted config for the MQTT web UI.  nginx serves the file
    # directly (see the /config.json alias below), hence nginx ownership.
    sops.secrets."floractl/config.json" = {
      sopsFile = sopsSecrets.zaphyra.floractl;
      key = "config";
      owner = "nginx";
      group = "nginx";
    };

    # The dn42 name is issued by the dn42 ACME directory; the clearnet
    # names reuse the host certificate via useACMEHost.
    security.acme.certs."hass.zaphyra.dn42" = {
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      validMinDays = 20;
      keyType = "ec384";
      dnsProvider = null;
    };

    services.nginx.virtualHosts = {
      "hass.zaphyra.dn42" = hassVHost // {
        enableACME = true;
      };
      "hass.zaphyra.eu" = hassVHost // {
        useACMEHost = config.networking.fqdn;
      };

      # MQTT web UI.  NOTE(review): unlike the hass vhosts there is no
      # allow/deny here, so /config.json (the sops secret) and the /mqtt
      # websocket proxy are reachable by anyone who can reach the public
      # address -- the secret must not contain anything non-public.
      "floractl.fc9f.de" = {
        forceSSL = true;
        kTLS = true;
        useACMEHost = config.networking.fqdn;
        root = pkgs.zpha.mqtt-webui.override {
          patches = [ resources.patches.mqttwebui-florapatches-owo ];
        };
        locations = {
          "= /config.json".alias = config.sops.secrets."floractl/config.json".path;
          "/mqtt" = {
            proxyPass = "http://192.168.2.147:1884/";
            proxyWebsockets = true;
          };
        };
      };
    };
  };

}