# NixOS host module: MQTT broker (mosquitto), Zigbee and Z-Wave bridges, and an
# nginx reverse proxy that fronts Home Assistant with a Tailscale-issued cert.
{
  config,
  inputs,
  lib,
  pkgs,
  system,
  ...
}: let
  # Home Assistant port; opened in the firewall below but proxied to another
  # host (see nginx proxyPass), so the local rule may be unnecessary — confirm
  # whether anything on this machine actually listens on it.
  port = 8123;
  # Where the copied Tailscale certificate material lives for nginx.
  path = "/data/nginx";
  certPath = "${path}/cert.pem";
  keyPath = "${path}/key.pem";
  # Both radios sit on the same dual-UART adapter: if00 = Z-Wave, if01 = Zigbee.
  zwaveSerialPort = "/dev/serial/by-id/usb-Silicon_Labs_CP2105_Dual_USB_to_UART_Bridge_Controller_012B8DD3-if00-port0";
  zigbeeSerialPort = "/dev/serial/by-id/usb-Silicon_Labs_CP2105_Dual_USB_to_UART_Bridge_Controller_012B8DD3-if01-port0";
in {
  imports = [../nginx.nix ./virtualisation.nix];

  # Opened on every interface (no interface-scoped rule):
  #   1883 = MQTT, 8089 = zigbee2mqtt frontend, 8091 = zwave-js-ui frontend.
  # NOTE(review): the MQTT listener below is anonymous with a readwrite ACL on
  # all topics, so every host that can reach 1883 can publish device commands;
  # consider restricting 1883 (and the two web UIs, which carry no auth settings
  # here) to the LAN/tailnet interface or adding credentials.
  networking.firewall.allowedTCPPorts = [port 1883 8089 8091];

  # sends messages to mqtt, no direct connection with home assistant
  virtualisation.oci-containers.containers.zwave-js = {
    # Pinned by digest so the image cannot change underneath the deployment.
    image = "zwavejs/zwave-js-ui@sha256:458e614feea64bbc422081e26e32d46f44edf5ce45f4eefab39a1efe46813ba3";
    volumes = ["zwave-js-ui:/usr/src/app/store"];
    # Pass the Z-Wave UART into the container as /dev/zwave.
    extraOptions = ["--device=${zwaveSerialPort}:/dev/zwave"];
    ports = ["8091:8091"];
  };
  services = {
    mosquitto = {
      enable = true;
      package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
      dataDir = "/data/mosquitto";
      listeners = [
        {
          # No `address` is set, so the listener binds all addresses.
          port = 1883;
          # Unauthenticated broker: no users, anonymous allowed, full
          # read/write on every topic ("#"). zigbee2mqtt below connects
          # without credentials, so adding users here means adding them there.
          omitPasswordAuth = true;
          users = {};
          settings = {
            allow_anonymous = true;
          };
          acl = ["topic readwrite #"];
        }
      ];
    };
    zigbee2mqtt = {
      enable = true;
      package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
      settings = {
        homeassistant = true;
        # NOTE(review): permit_join stays enabled permanently, so any Zigbee
        # device in range can join the network at any time; set to false once
        # pairing is done and enable it from the frontend when needed.
        permit_join = true;
        availability.active.timeout = 10;
        availability.passive.timeout = 90;
        # Web UI; no auth_token configured here, so it is open to whoever
        # can reach 8089.
        frontend.port = 8089;
        # Broker reached via a LAN address rather than localhost — presumably
        # 10.0.0.8 is this host; verify.
        mqtt.server = "mqtt://10.0.0.8:1883";
        serial = {
          port = zigbeeSerialPort;
          baudrate = 115200;
          adapter = "ember";
        };
      };
    };
    nginx = {
      virtualHosts = {
        "bolty.raptor-carp.ts.net" = {
          forceSSL = true;
          # Certificate comes from Tailscale (copied by the unit below),
          # not from ACME.
          enableACME = false;
          locations."/" = {
            # Home Assistant on another host, plain HTTP on the backend leg.
            proxyPass = "http://10.0.0.244:8123";
            proxyWebsockets = true;
          };
          sslCertificateKey = keyPath;
          sslCertificate = certPath;
        };
      };
    };
  };

  # Copies the Tailscale-issued cert/key into a directory nginx can read,
  # before nginx starts.
  systemd.services.nginx-tailscale-certs = {
    script = ''
      mkdir -p ${path}
      cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
      cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
      chown -Rv nginx:nginx ${path}
    '';
    # NOTE(review): cp without -p does not preserve the source mode, so the
    # private key's permissions on ${path} depend on the umask — confirm the
    # copied key.pem is not group/world readable.
    serviceConfig = {
      Type = "oneshot";
      # NOTE(review): ReloadPropagatedFrom is a [Unit] option (unitConfig), not
      # a [Service] one; under serviceConfig systemd should ignore it. A oneshot
      # unit without ExecReload cannot be reloaded anyway — confirm the intent
      # (likely: re-run this copy when tailscale-cert.service refreshes).
      ReloadPropagatedFrom = "tailscale-cert.service";
    };
    before = ["nginx.service"];
    wantedBy = ["multi-user.target"];
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
    ];
    wants = ["tailscale-cert.service"];
  };
}