-rw-r--r--sys/nspawn/dmz.nix80
-rw-r--r--sys/pki/ca.nix6
-rw-r--r--sys/web/sites/default.nix1
-rw-r--r--sys/web/sites/home.nix40
4 files changed, 88 insertions, 39 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index 080b32d..af91f82 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -2,6 +2,9 @@
with lib; let
cfg = config.local.nspawn.dmz;
inherit (config.local) mailHost;
+
+ hassPort = config.services.home-assistant.config.http.server_port;
+ hassEnable = config.local.home-assistant.enable;
in
{
options.local.nspawn.dmz = with types; {
@@ -44,52 +47,51 @@ in
config = mkIf cfg.enable {
local = {
- mailHost = {
- mdaListen = cfg.hostAddr;
- saslPort = 11000;
- lmtpPort = 11001;
- };
+ mailHost.mdaListen = cfg.hostAddr;
+
+ nspawn.dmz.system =
+ let
+ containerModule = { ... }: {
+ #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+ config = {
+ local = {
+ preset.dmz = {
+ enable = true;
+ container = true;
+ };
- nspawn.dmz = {
- system =
- let
- containerModule = { ... }: {
- #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
- config = {
- local = {
- preset.dmz = {
- enable = true;
- container = true;
- };
-
- mta = {
- mdaAddr = mailHost.mdaListen;
- inherit (mailHost) saslPort lmtpPort;
- };
+ mta = {
+ mdaAddr = mailHost.mdaListen;
+ inherit (mailHost) saslPort lmtpPort;
};
- nixpkgs = {
- pkgs = mkDefault pkgs;
- localSystem = mkDefault pkgs.stdenv.hostPlatform;
+ web.sites.home = {
+ enable = hassEnable;
+ proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
};
};
+
+ nixpkgs = {
+ pkgs = mkDefault pkgs;
+ localSystem = mkDefault pkgs.stdenv.hostPlatform;
+ };
};
- in
- # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
- import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
- modules = [
- ../.
- containerModule
- ];
-
- system = null;
- specialArgs = { inherit flakes; };
};
+ in
+ # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
+ import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
+ modules = [
+ ../.
+ containerModule
+ ];
+
+ system = null;
+ specialArgs = { inherit flakes; };
+ };
+ };
- net = "10.34.3.0";
- netBits = 28;
- hostAddr = "10.34.3.1";
- };
+ services = {
+ home-assistant.config.http.server_host = singleton cfg.hostAddr;
};
systemd = {
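Review bot: The `proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"` line forces `config.services.home-assistant.config.http.server_port` (bound in the first hunk), and if nothing in the configuration sets that attribute the evaluation fails with a missing-attribute error instead of falling back to Home Assistant's default port; consider `hassPort = config.services.home-assistant.config.http.server_port or 8123;` in that let binding, or an assertion that the port is set when `hassEnable` is true. A second point for the `home-assistant.config.http.server_host = singleton cfg.hostAddr;` line: binding Home Assistant to the veth address means every request now arrives from the container's nginx, so whether Home Assistant sees the real client address or only the veth address depends on its `http.trusted_proxies` / `use_x_forwarded_for` settings, which this diff does not show. A comment next to `server_host` recording that assumption would help, e.g. `# reached only via the dmz container's reverse proxy; see sys/web/sites/home.nix`. The enclosing `config = mkIf cfg.enable { … }` attribute set continues past this hunk.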
@@ -152,7 +154,7 @@ in
allowedTCPPorts = [ 25 80 443 ];
interfaces.ve-dmz = {
- allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ];
+ allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ] ++ optional hassEnable hassPort;
allowedUDPPorts = [ 67 ]; # DHCP
};
};
diff --git a/sys/pki/ca.nix b/sys/pki/ca.nix
index 4e8f841..1c7dad1 100644
--- a/sys/pki/ca.nix
+++ b/sys/pki/ca.nix
@@ -36,6 +36,12 @@ in
};
config.local.pki.ca = {
+ home = {
+ crl = ./public/home-crl.pem;
+ cert = ./public/home-ca.pem;
+ issuer = "root";
+ };
+
mail = {
crl = ./public/mail-crl.pem;
cert = ./public/mail-ca.pem;
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
index b453d24..a131aaf 100644
--- a/sys/web/sites/default.nix
+++ b/sys/web/sites/default.nix
@@ -1,5 +1,6 @@
{
imports = [
+ ./home.nix
./portal.nix
];
}
diff --git a/sys/web/sites/home.nix b/sys/web/sites/home.nix
new file mode 100644
index 0000000..74f698c
--- /dev/null
+++ b/sys/web/sites/home.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.home;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.home = {
+ enable = mkEnableOption "home site";
+
+ proxyUrl = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "home" ];
+ };
+
+ services.nginx.virtualHosts.${domains.home.main} = {
+ forceSSL = true;
+ useACMEHost = domains.home.main;
+
+ extraConfig = ''
+ ssl_verify_depth 2;
+ ssl_verify_client on;
+ ssl_client_certificate ${config.local.pki.ca.home.fullchain};
+
+ if ($ssl_client_verify != "SUCCESS") {
+ return 403;
+ }
+ '';
+
+ locations."/".extraConfig = ''
+ proxy_pass ${cfg.proxyUrl};
+ '';
+ };
+ };
+}
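Review bot: The `ssl_client_certificate ${config.local.pki.ca.home.fullchain};` directive enables client-certificate checking against the new `home` CA, but nothing references the CRL that the same commit declares for it in sys/pki/ca.nix (`crl = ./public/home-crl.pem;`), so a revoked client certificate would still pass `ssl_verify_client on` and the `$ssl_client_verify` check. Adding `ssl_crl` next to the CA directive closes that gap, assuming the pki module exposes the CRL path under `config.local.pki.ca.home.crl` as the option set in ca.nix suggests. Separately, the `locations."/"` block only sets `proxy_pass`; a Home Assistant frontend behind nginx generally also needs HTTP/1.1 with the websocket upgrade headers and a forwarded client address, otherwise the proxied UI is not usable and the upstream only ever sees the veth address (the `X-Forwarded-For` header is only meaningful if Home Assistant is configured to trust this proxy, which is not visible here). The `if ($ssl_client_verify != "SUCCESS")` guard is redundant with `ssl_verify_client on`, which already rejects unverified clients before that check runs, but it is harmless as written.
```nix
    extraConfig = ''
      ssl_verify_depth 2;
      ssl_verify_client on;
      ssl_client_certificate ${config.local.pki.ca.home.fullchain};
      ssl_crl ${config.local.pki.ca.home.crl};
      # … unchanged: $ssl_client_verify check …
    '';

    locations."/".extraConfig = ''
      proxy_pass ${cfg.proxyUrl};
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    '';
```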