diff --git a/deploy-zigbee.yml b/deploy-zigbee.yml new file mode 100644 index 0000000..6861047 --- /dev/null +++ b/deploy-zigbee.yml @@ -0,0 +1,4 @@ +- name: configure trust to internal zigbee on all hosts + hosts: zigbee + roles: + - zigbee diff --git a/inventory b/inventory index d429abe..8b0da38 100644 --- a/inventory +++ b/inventory @@ -92,7 +92,12 @@ ryo ansible_user=root ansible_connection=ssh [something] ryo ansible_user=root ansible_connection=ssh + [whois] ryo ansible_user=root ansible_connection=ssh + [phoneassistant] -johan ansible_user=root ansible_connection=ssh \ No newline at end of file +johan ansible_user=root ansible_connection=ssh + +[zigbee] +raspberrypi ansible_user=root ansible_connection=ssh diff --git a/roles/vpn/files/config/acl.json b/roles/vpn/files/config/acl.json index 50382f4..9aaf5eb 100644 --- a/roles/vpn/files/config/acl.json +++ b/roles/vpn/files/config/acl.json @@ -3,8 +3,6 @@ "group:admin": ["elizabeth"], "group:roomates": ["riley", "lucina", "elizabeth"], "group:friends": ["riley", "rain", "lucina"], - "group:lucina": ["lucina"], - "group:rain": ["rain"], "group:sys": ["sys"] }, "tagOwners": { @@ -26,12 +24,12 @@ { "action": "accept", "src": ["group:sys"], - "dst": ["group:sys:*", "10.128.0.0/9:*", "group:rain:*"] + "dst": ["group:sys:*", "10.128.0.0/9:*"] }, { "action": "accept", "src": ["group:admin"], - "dst": ["group:admin:*", "10.128.0.0/9:*"] + "dst": ["group:admin:*"] }, { "action": "accept", @@ -42,16 +40,6 @@ "action": "accept", "src": ["group:friends"], "dst": ["group:sys:*"] - }, - { - "action": "accept", - "src": ["group:rain"], - "dst": ["group:rain:*"] - }, - { - "action": "accept", - "src": ["group:lucina"], - "dst": ["group:lucina:*"] } ] } diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2 index 6450d3e..24a54c8 100644 --- a/roles/vpn/templates/config.yml.j2 +++ b/roles/vpn/templates/config.yml.j2 
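Review bot: The new `[zigbee]` entry manages raspberrypi as `ansible_user=root` over SSH, so the Pi's sshd must keep root login enabled even though this is the host that will also expose the Zigbee control plane. That matches the rest of the inventory, but a leaked management key then gives direct root on the radio host; consider `raspberrypi ansible_user=ansible ansible_connection=ssh` with `become: true` in the new play, or at minimum `PermitRootLogin prohibit-password` on the Pi. Nothing in the zigbee role needs an interactive root session — every task it runs works under `become`.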
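Review bot: The `group:admin` rule now allows only `group:admin:*`, so `elizabeth` loses direct access to `10.128.0.0/9` while `group:sys` keeps it, and nothing in the diff explains why the admin group is narrower than sys. If elizabeth is expected to reach that range through another rule (she is also in `group:roomates`, whose rule is outside this hunk), verify that rather than assuming it, because this is the kind of silent access loss that only shows up when a subnet route stops answering. Note also that `10.128.0.0/9:*` spans 10.128.0.0–10.255.255.255 on every port; if the advertised route is actually smaller, narrowing the destination here limits what a compromised `sys` node can reach.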
@@ -209,11 +209,11 @@ dns_config: mistymountainstherapy.com: - {{ nameserver_ip }} lucina.cloud: - - {{ nameserver_ip }} + - 192.168.1.1 ezri.dev: - {{ nameserver_ip }} - domains: ['simponic.xyz', 'internal.simponic.xyz'] + domains: [simponic.xyz', 'internal.simponic.xyz', 'lucina.cloud'] # Extra DNS records # so far only A-records are supported (on the tailscale side) diff --git a/roles/webservers/files/ryo/https.whois.simponic.xyz.conf b/roles/webservers/files/ryo/https.whois.simponic.xyz.conf index 9f9a3c1..dfcea26 100644 --- a/roles/webservers/files/ryo/https.whois.simponic.xyz.conf +++ b/roles/webservers/files/ryo/https.whois.simponic.xyz.conf @@ -29,4 +29,17 @@ server { proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; } + + location /api/ { + proxy_pass http://127.0.0.1:8467/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $server_name; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } } diff --git a/roles/whois/templates/docker-compose.yml.j2 b/roles/whois/templates/docker-compose.yml.j2 index 4832672..7a15155 100644 --- a/roles/whois/templates/docker-compose.yml.j2 +++ b/roles/whois/templates/docker-compose.yml.j2 @@ -5,7 +5,7 @@ services: restart: always image: git.simponic.xyz/simponic/whois healthcheck: - test: ["CMD", "wget", "--spider", "http://localhost:8080/api/health"] + test: ["CMD", "wget", "--spider", "http://localhost:8080/health"] interval: 5s timeout: 10s retries: 5 
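Review bot: The new `domains:` line is missing the opening quote on its first entry: `domains: [simponic.xyz', 'internal.simponic.xyz', 'lucina.cloud']`. Inside a flow sequence `simponic.xyz'` is a legal plain scalar, so this renders and loads without error, but the first search domain becomes the literal string `simponic.xyz'` and short-name lookups under simponic.xyz silently stop resolving; it should read `domains: ['simponic.xyz', 'internal.simponic.xyz', 'lucina.cloud']`. Separately, `lucina.cloud` now points at a hard-coded `192.168.1.1` while the neighbouring zones use `{{ nameserver_ip }}`; that looks like a LAN router address reachable only from nodes on that network or with a subnet route to it, so a one-line comment stating why this zone is split to the router instead of the templated resolver would save the next reader from "fixing" it back.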
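Review bot: The new `location /api/` block hard-codes `proxy_set_header Connection "upgrade";` on every request, not only WebSocket handshakes, so plain `/api/` calls reach 127.0.0.1:8467 carrying `Connection: upgrade` with no `Upgrade:` header; the usual form is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at http level and `proxy_set_header Connection $connection_upgrade;` here. The block also copies `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` from the existing location, which relays whatever the client sent rather than `$scheme`; unless a trusted proxy in front of this server is known to set that header, a client can claim `http` to a backend that keys redirects or cookie flags on it, so `$scheme` is the safer value. The enclosing `server` block starts before this hunk.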
@@ -13,4 +13,14 @@ services: volumes: - ./db:/app/db ports: - - "127.0.0.1:8466:8080" + - "127.0.0.1:8467:8080" + frontend: + restart: always + image: git.simponic.xyz/simponic/penguin-new-tab + healthcheck: + test: ["CMD", "wget", "--spider", "http://localhost:3000"] + interval: 5s + timeout: 10s + retries: 5 + ports: + - "127.0.0.1:8466:3000" diff --git a/roles/zigbee/files/configuration.yaml b/roles/zigbee/files/configuration.yaml new file mode 100644 index 0000000..497d633 --- /dev/null +++ b/roles/zigbee/files/configuration.yaml @@ -0,0 +1,16 @@ +version: 4 +mqtt: + base_topic: zigbee2mqtt + server: mqtt://mqtt +serial: + port: /dev/ttyUSB0 + adapter: zstack +advanced: + channel: 11 + network_key: GENERATE + pan_id: GENERATE + ext_pan_id: GENERATE +frontend: + enabled: true +homeassistant: + enabled: true diff --git a/roles/zigbee/tasks/main.yml b/roles/zigbee/tasks/main.yml new file mode 100644 index 0000000..0c2e3cb --- /dev/null +++ b/roles/zigbee/tasks/main.yml 
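Review bot: The new `frontend` service pulls `git.simponic.xyz/simponic/penguin-new-tab` with no tag or digest under `restart: always`, so every re-pull silently deploys whatever is currently tagged latest in the private registry. The existing `whois` image has the same problem, but for new services prefer a pinned tag or `@sha256:` digest rendered from a variable — this is a Jinja template, so `image: git.simponic.xyz/simponic/penguin-new-tab:{{ frontend_version }}` keeps each bump an explicit, reviewable change. The `wget --spider http://localhost:3000` healthcheck also assumes wget exists in that image, which is worth confirming, since a missing binary leaves the container permanently unhealthy.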
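Review bot: `frontend: enabled: true` carries no `auth_token`, and `mqtt: server: mqtt://mqtt` carries no credentials, so the Zigbee2MQTT web UI (permit-join, device control, network settings) is open to anyone who can reach the container's port 8080. Unless that port is restricted at the network layer, add `auth_token: "{{ zigbee_frontend_token }}"` under `frontend:` and render this file as a template from a vaulted variable instead of committing a static copy. The `GENERATE` placeholders for `network_key`, `pan_id` and `ext_pan_id` are, as far as I recall, rewritten by Zigbee2MQTT into this same file on first start — worth confirming, because the role re-copies this file on every run. Finally, `port: /dev/ttyUSB0` is the enumeration name; a `/dev/serial/by-id/...` path survives re-plugs and the arrival of another USB serial device.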
@@ -0,0 +1,46 @@
+---
+- name: ensure zigbee docker/compose exist
+ file:
+ path: /etc/docker/compose/zigbee
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: create zigbee docker/compose/data/zigbee with set uid/gid
+ file:
+ path: /etc/docker/compose/zigbee/data
+ state: directory
+ owner: 1000
+ group: 1000
+ mode: 0700
+
+- name: create zigbee docker/compose/zigbee/-data with set uid/gid
+ file:
+ path: /etc/docker/compose/zigbee/zigbee2mqtt-data
+ state: directory
+ owner: 1000
+ group: 1000
+ mode: 0700
+
+- name: copy zigbee config.yml
+ copy:
+ src: ../files/configuration.yaml
+ dest: /etc/docker/compose/zigbee/zigbee2mqtt-data/configuration.yaml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: build zigbee docker-compose.yml.j2
+ template:
+ src: ../templates/docker-compose.yml.j2
+ dest: /etc/docker/compose/zigbee/docker-compose.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable zigbee
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@zigbee
diff --git a/roles/zigbee/templates/docker-compose.yml.j2 b/roles/zigbee/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..ea166d9
--- /dev/null
+++ b/roles/zigbee/templates/docker-compose.yml.j2
@@ -0,0 +1,25 @@
+version: '3.8'
+services:
+ mqtt:
+ image: eclipse-mosquitto:2.0
+ restart: unless-stopped
+ volumes:
+ - './data:/mosquitto'
+ ports:
+ - '1883:1883'
+ - '9001:9001'
+ command: 'mosquitto -c /mosquitto-no-auth.conf'
+
+ zigbee2mqtt:
+ container_name: zigbee2mqtt
+ restart: unless-stopped
+ image: koenkk/zigbee2mqtt
+ volumes:
+ - ./zigbee2mqtt-data:/app/data
+ - /run/udev:/run/udev:ro
+ ports:
+ - 8080:8080
+ environment:
+ - TZ=America/Los_Angeles
+ devices:
+ - /dev/ttyUSB0:/dev/ttyUSB0
diff --git a/template/docker-compose.yml b/template/docker-compose.yml
index 244783b..2848c09 100644
--- a/template/docker-compose.yml
+++ b/template/docker-compose.yml
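Review bot: The `copy zigbee config.yml` task overwrites `zigbee2mqtt-data/configuration.yaml` on every run and the last task then unconditionally restarts `docker-compose@zigbee`, so anything Zigbee2MQTT has written back into that file (as far as I recall it replaces the `GENERATE` placeholders with the real network key and PAN IDs on first start — worth confirming) is clobbered by the seed again, which can re-key the Zigbee network and orphan every paired device. Add `force: false` to the copy so the seed is only written when the file is absent, and move the restart into a handler notified by the copy and template tasks, leaving `state: started` here. The file is also written `root:root` `u=rw,g=r,o=r` inside a directory deliberately chowned to `1000:1000`; if the container runs as uid 1000 it cannot update the file at all, and since it will hold the network key `owner: 1000`, `group: 1000`, `mode: "u=rw,g=,o="` is the consistent choice. `mode: 0700` is an unquoted octal literal; Ansible accepts the leading zero, but `mode: "0700"` is unambiguous to every YAML loader.
```yaml
# … unchanged: the three directory tasks …
- name: copy zigbee config.yml
  copy:
    src: ../files/configuration.yaml
    dest: /etc/docker/compose/zigbee/zigbee2mqtt-data/configuration.yaml
    owner: 1000
    group: 1000
    mode: "u=rw,g=,o="
    force: false  # seed only: zigbee2mqtt rewrites this file at runtime
  notify: restart zigbee

# … unchanged: template task (add the same `notify: restart zigbee`) …

- name: enable zigbee
  ansible.builtin.systemd_service:
    state: started
    enabled: true
    name: docker-compose@zigbee
# handler `restart zigbee` in handlers/main.yml: systemd_service state=restarted name=docker-compose@zigbee
```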
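Review bot: The `mqtt` service runs `mosquitto -c /mosquitto-no-auth.conf` (the image's anonymous-access config) and publishes `'1883:1883'` and `'9001:9001'` on all interfaces, and `zigbee2mqtt` publishes `8080:8080` the same way, so anyone who can reach the Pi on the LAN or over the VPN can publish to `zigbee2mqtt/bridge/request/permit_join` or the device topics and control every Zigbee device with no credential. Zigbee2MQTT reaches the broker over the compose network (`mqtt://mqtt`), so the broker needs no published ports; drop the `ports:` block from `mqtt` (or use `'127.0.0.1:1883:1883'` if local debugging is wanted) and change the frontend to `- '127.0.0.1:8080:8080'` behind an authenticating reverse proxy, or at least set `frontend.auth_token` in configuration.yaml. None of the ACL hunks in this diff mention the zigbee host, so I could not confirm the VPN layer restricts it. `koenkk/zigbee2mqtt` is also unpinned and `version: '3.8'` is ignored by Compose v2; pin a tag and drop the key.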
@@ -5,7 +5,7 @@ services: restart: always image: {{ service_repo }} healthcheck: - test: ["CMD", "wget", "--spider", "http://localhost:8080/api/health"] + test: ["CMD", "wget", "--spider", "http://localhost:8080/health"] interval: 5s timeout: 10s retries: 5
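Review bot: This changes the health endpoint in the shared `template/docker-compose.yml`, not just the whois service, so every service scaffolded from it from now on must serve `GET /health` on 8080 rather than `/api/health`; compose files already generated keep their old path, but the contract the template now imposes is undocumented. A one-line note above the healthcheck, `# services built from this template must expose GET /health on port 8080`, would make that explicit for the next service author. The `services:` mapping and the service definition start before this hunk.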