From c37901e4d03c5e9b53ddfa87135ce56f8da262ca Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Wed, 20 Mar 2024 17:01:59 -0700
Subject: [PATCH] chore(z2m): local access
---
 nixos/access/zigbee2mqtt.nix | 40 +++++++++++++++---------------------
 systems/hakurei/nixos.nix | 20 ++++++++++++++++--
 tf/cloudflare_records.tf | 2 +-
 3 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index 0d73c8f3..2b242704 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -3,38 +3,30 @@
 lib,
 ...
 }: let
- inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkDefault mkOptionDefault;
- cfg = config.services.zigbee2mqtt;
- access = config.services.nginx.access.zigbee2mqtt;
- locations."/" = {
- proxy.websocket.enable = true;
- proxyPass = mkDefault "http://${access.host}:${toString access.port}";
- };
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (config.services) nginx zigbee2mqtt;
 name.shortServer = mkDefault "z2m";
 in {
- options.services.nginx.access.zigbee2mqtt = with lib.types; {
- host = mkOption {
- type = str;
- };
- port = mkOption {
- type = port;
- };
- };
 config.services.nginx = {
- access.zigbee2mqtt = mkIf cfg.enable {
- host = mkOptionDefault "localhost";
- port = mkIf (cfg.settings ? frontend.port) (
- mkOptionDefault cfg.settings.frontend.port
- );
- };
 virtualHosts = {
 zigbee2mqtt = {
- inherit name locations;
+ locations."/" = {
+ proxy.websocket.enable = true;
+ proxyPass = mkIf zigbee2mqtt.enable (
+ mkDefault "http://localhost:${toString zigbee2mqtt.settings.frontend.port}"
+ );
+ };
+ inherit name;
 vouch.enable = true;
 };
 zigbee2mqtt'local = {
- inherit name locations;
+ inherit name;
+ locations."/" = {
+ proxy.websocket.enable = true;
+ proxyPass = mkDefault (
+ nginx.virtualHosts.zigbee2mqtt.locations."/".proxyPass
+ );
+ };
 local.enable = true;
 };
 };
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 97f4db0f..79eed6a4 100644
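Review bot: The `zigbee2mqtt'local` vhost in nixos/access/zigbee2mqtt.nix forwards to the same upstream as the `vouch.enable = true` vhost but sets only `local.enable = true`, so on that name the Zigbee2MQTT frontend (device pairing and control) is reachable without SSO by whatever the `local` module admits. If that is intended, say so next to it, e.g. `# no vouch on the local vhost: access is limited by local.enable only`, and confirm whether the frontend itself has an `auth_token` set (not visible in this diff). Separately, the new `proxyPass` reads `zigbee2mqtt.settings.frontend.port` whenever `zigbee2mqtt.enable` is true, while the removed code guarded it with `cfg.settings ? frontend.port`; if a host enables the service without that setting, evaluation will presumably fail on the missing attribute, so `mkIf (zigbee2mqtt.enable && zigbee2mqtt.settings ? frontend.port)` keeps the old tolerance.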
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -11,7 +11,7 @@
 tei = access.nixosFor "tei";
 inherit (mediabox.services) plex;
 inherit (keycloak.services) vouch-proxy;
- inherit (tei.services) home-assistant;
+ inherit (tei.services) home-assistant zigbee2mqtt;
 inherit (config.services) nginx tailscale;
 in {
 imports = let
@@ -39,6 +39,7 @@ in {
 nixos.access.unifi
 nixos.access.kitchencam
 nixos.access.home-assistant
+ nixos.access.zigbee2mqtt
 nixos.access.grocy
 nixos.access.proxmox
 nixos.access.plex
@@ -83,6 +84,14 @@ in {
 virtualHosts.home-assistant'local.allServerNames
 ];
 };
+ zigbee2mqtt = {
+ inherit (nginx) group;
+ domain = virtualHosts.zigbee2mqtt.serverName;
+ extraDomainNames = mkMerge [
+ virtualHosts.zigbee2mqtt.serverAliases
+ virtualHosts.zigbee2mqtt'local.allServerNames
+ ];
+ };
 grocy = {
 inherit (nginx) group;
 domain = virtualHosts.grocy.serverName;
@@ -215,13 +224,20 @@ in {
 vouch'tail = mkIf tailscale.enable {
 ssl.cert.name = "vouch";
 };
- home-assistant = {
+ home-assistant = assert home-assistant.enable; {
 # not the real hass record-holder, so don't respond globally..
 local.denyGlobal = true;
 ssl.cert.name = "home-assistant";
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
 };
 home-assistant'local.ssl.cert.name = "home-assistant";
+ zigbee2mqtt = assert zigbee2mqtt.enable; {
+ # not the real z2m record-holder, so don't respond globally..
+ local.denyGlobal = true;
+ ssl.cert.name = "zigbee2mqtt";
+ locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}";
+ };
+ zigbee2mqtt'local.ssl.cert.name = "zigbee2mqtt";
 grocy = {
 # not the real grocy record-holder, so don't respond globally..
 local.denyGlobal = true;
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 5878de58..8ebc91ff 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
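Review bot: The new `zigbee2mqtt` vhost in the last hunk of systems/hakurei/nixos.nix proxies over plain HTTP to `tei.lib.access.hostnameForNetwork.tail` on `zigbee2mqtt.settings.frontend.port`, so the frontend on tei has to listen on its tailnet address, and nothing in this diff shows what protects that listener. Vouch is enforced only on the nginx side; any tailnet peer that can reach that port talks to the frontend directly, so unless tailnet ACLs or a frontend `auth_token` cover it (neither is visible here) the SSO check does not apply to that path. I would add a comment above `locations."/".proxyPass`, e.g. `# upstream is unauthenticated HTTP over the tailnet; access is limited by tailscale ACLs`, once that is confirmed. The `assert zigbee2mqtt.enable;` guard stops evaluation of the whole host if tei disables the service, which looks intended; the enclosing attribute set starts and ends outside the hunk.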
@@ -27,6 +27,7 @@ module "hakurei_system_records" {
 "smb",
 "kitchen",
 "home",
+ "z2m",
 "grocy",
 "yt",
 ]
@@ -89,7 +90,6 @@ module "tewi_system_records" {
 local_v6 = "fd0a::be24:11ff:fecc:6657"
 local_subdomains = [
 "mqtt",
- "z2m",
 "postgresql",
 ]
 }