{
  project.name = "smarthome";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    homeassistant.service = {
      image = "ghcr.io/home-assistant/home-assistant:2024.12.5";
      container_name = "homeassistant";
      privileged = true;
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.homeassistant.entrypoints" = "websecure";
        "traefik.http.routers.homeassistant.rule" = "Host(`home.ghoscht.com`)";
        "traefik.http.routers.homeassistant.tls" = "true";
        "traefik.http.routers.homeassistant.tls.certresolver" = "letsencrypt";
        "traefik.http.services.homeassistant.loadbalancer.server.port" = "8123";
        # "traefik.http.routers.homeassistant.middlewares" = "authentik@file";
      };
      volumes = [
        "/home/ghoscht/.docker/smarthome/homeassistant_data:/config"
        "/etc/localtime:/etc/localtime:ro"
        "/run/dbus:/run/dbus:ro"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    mosquitto.service = {
      image = "eclipse-mosquitto:2.0.20";
      volumes = [
        "/home/ghoscht/.docker/smarthome/mosquitto_config:/mosquitto/config"
        "/home/ghoscht/.docker/smarthome/mosquitto_data:/mosquitto/data"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.mqtt.entrypoints" = "websecure";
        "traefik.http.routers.mqtt.rule" = "Host(`mqtt.ghoscht.com`)";
        "traefik.http.routers.mqtt.tls" = "true";
        "traefik.http.routers.mqtt.tls.certresolver" = "letsencrypt";
        "traefik.http.services.mqtt.loadbalancer.server.port" = "1883";
      };
      restart = "always";
      command = "mosquitto -c /mosquitto-no-auth.conf";
      networks = [
        "dmz"
      ];
    };
    zigbee2mqtt.service = {
      image = "koenkk/zigbee2mqtt:1.42.0";
      volumes = [
        "/home/ghoscht/.docker/smarthome/zigbee2mqtt_data:/app/data"
        "/run/udev:/run/udev:ro"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.zigbee2mqtt.entrypoints" = "websecure";
        "traefik.http.routers.zigbee2mqtt.rule" = "Host(`zigbee2mqtt.ghoscht.com`)";
        "traefik.http.routers.zigbee2mqtt.tls" = "true";
        "traefik.http.routers.zigbee2mqtt.tls.certresolver" = "letsencrypt";
        "traefik.http.services.zigbee2mqtt.loadbalancer.server.port" = "8080";
      };
      devices = [
        "/dev/ttyUSB0:/dev/ttyUSB0"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
}