{ pkgs, config, lib, ... }: let service = "zigbee2mqtt"; cfg = config.modules.services.${service}; sec = config.sops.secrets; homelab = config.modules.homelab; in { options.modules.services.${service} = { enable = lib.mkEnableOption "enables ${service}"; # set port options port = lib.mkOption { type = lib.types.int; default = 7705; description = "set port for ${service} (default: ${toString cfg.port}"; }; url = lib.mkOption { type = lib.types.str; default = "z2m.${homelab.base_domain}"; description = "set domain for ${service}"; }; data_dir = lib.mkOption { type = lib.types.str; default = "/var/lib/${service}"; description = "set data directory for ${service}"; }; ids = lib.mkOption { type = lib.types.int; default = cfg.port; description = "set uid and pid of ${service} user (matches port by default)"; }; backup = lib.mkOption { type = lib.types.bool; default = true; description = "enable backups for ${service}"; }; }; config = lib.mkIf cfg.enable { # declare ${service} group users.groups.${service} = { gid = lib.mkForce cfg.ids; }; # declare ${service} user users.users.${service} = { description = "${service} server user"; uid = lib.mkForce cfg.ids; isSystemUser = true; home = cfg.data_dir; createHome = true; group = "${service}"; extraGroups = []; }; # enable the ${service} service services.${service} = { enable = true; dataDir = cfg.data_dir; settings = { mqtt = { base_topic = "zigbee2mqtt"; client_id = "zigbee2mqtt"; server = "mqtt://localhost:1883"; user = "!/run/secrets/mosquitto_passwd.yaml user"; password = "!/run/secrets/mosquitto_passwd.yaml password"; keepalive = 20; }; serial = { port = "/dev/serial/by-id/usb-Itead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_V2_4a4e75d63653ef1198d728e0174bec31-if00-port0"; adapter = "ember"; }; advanced = { channel = 11; }; frontend = { enabled = true; port = cfg.port; }; homeassistant = { enabled = true; }; }; }; # override umask to make permissions work out systemd.services.${service}.serviceConfig = { UMask = lib.mkForce "0007"; User = "${service}"; Group = "${service}"; }; # # open firewall networking.firewall.allowedTCPPorts = [ cfg.port ]; # internal reverse proxy entry services.nginx.virtualHosts."${cfg.url}" = { forceSSL = true; sslCertificate = sec."ssl_blakedheld_crt".path; sslCertificateKey = sec."ssl_blakedheld_key".path; extraConfig = '' proxy_buffering off; ''; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; extraConfig = "proxy_set_header Host $host;" + "proxy_set_header X-Real-IP $remote_addr;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" ; }; locations."/api" = { proxyPass = "http://127.0.0.1:${toString cfg.port}/api"; extraConfig = "proxy_set_header Host $host;" + "proxy_http_version 1.1;" + "proxy_set_header Upgrade $http_upgrade;" + "proxy_set_header Connection upgrade;" ; }; }; # add to glance modules.services.glance.links.services = [{ title = service; url = "https://${cfg.url}"; error-url = "http://${homelab.host_ip}:${toString cfg.port}"; check-url = "http://${homelab.host_ip}:${toString cfg.port}"; icon = "di:${service}"; }]; sops.secrets = { "mosquitto_passwd.yaml" = { owner = "${service}"; group = "${service}"; }; }; # add to backups modules.system.backups.baks = { ${service} = { paths = [ cfg.data_dir ]; }; }; }; }