From 23442bb6eaf74ba18078ae253b29ce74bd651d88 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Mon, 20 Apr 2026 12:30:44 +0200
Subject: [PATCH] feat: web-arm add fueltide deep link vhost
---
 hosts/web-arm/sites/fueltide.io.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/hosts/web-arm/sites/fueltide.io.nix b/hosts/web-arm/sites/fueltide.io.nix
index 9239883..2186673 100644
--- a/hosts/web-arm/sites/fueltide.io.nix
+++ b/hosts/web-arm/sites/fueltide.io.nix
@@ -1,4 +1,19 @@
 { pkgs, lib, config, ... }:
+let
+ # Universal Links / Associated Domains for the iOS workout app
+ appleAppSiteAssociation = {
+ applinks = {
+ details = [
+ {
+ appIDs = [ "XWJ4DC7TBH.io.fueltide.workout" ];
+ components = [
+ { "/" = "/auth/*"; }
+ ];
+ }
+ ];
+ };
+ };
+in
 {
 # SOPS secret for fueltide.io DNS credentials (separate Hetzner API token)
 sops.secrets.fueltide-lego-credentials = { };
@@ -17,6 +32,10 @@
 credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
 };
+ security.acme.certs."link.fueltide.io" = {
+ credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
+ };
+
 security.acme.certs."stage.fueltide.io" = {
 credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
 };
@@ -25,6 +44,16 @@
 credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
 };
+ services.nginx.virtualHosts."link.fueltide.io" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."= /.well-known/apple-app-site-association".extraConfig = ''
+ default_type application/json;
+ return 200 '${builtins.toJSON appleAppSiteAssociation}';
+ '';
+ };
+
 services.webstack.instances."stage.fueltide.io" = {
 enablePhp = false;
 enableDefaultLocations = false;
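Review bot: The `{ "/" = "/auth/*"; }` component hands every `/auth/…` URL on this host to the app, but the comment above the binding does not say what happens when such a link is opened in a browser instead (app not installed, or the OS declines the association). In that case the request goes to the `link.fueltide.io` vhost added later in this patch, which defines only the AASA location, so the full request line, query string included, would be written to nginx's access log under its default log format. Whether these links carry sign-in codes or tokens is not visible here; if they do, I would add a comment such as `# /auth/* may carry one-time codes; browser fallback is served by <handler>, keep query strings out of logs` and make the fallback deliberate. The `let` binding is complete within the hunk.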
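Review bot: This cert entry sets only `credentialsFile`, which suggests a DNS-01 challenge, while the vhost added at the end of the patch turns on `enableACME = true` without touching `acmeRoot`. As far as I know the NixOS nginx module then points the certificate at its webroot (HTTP-01) challenge unless `acmeRoot = null;` is set on the vhost, so the two settings may disagree; how `dnsProvider` is configured is outside this hunk. If DNS-01 is intended, add `acmeRoot = null;` to the vhost; if HTTP-01 is intended, drop `credentialsFile` here so the Hetzner API token is not handed to this certificate's renewal job without need.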
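Review bot: `return 200 '${builtins.toJSON appleAppSiteAssociation}';` splices generated JSON into a single-quoted nginx string, so the output is only correct while the JSON contains no `'` and no `$` (nginx expands variables in the `return` text). The current attrset has neither, but a later path pattern or query component could break the config or change the served body without any evaluation error. Writing the JSON to a store file and serving it with `alias` avoids nginx quoting entirely; `default_type` still applies because the file has no extension. The vhost block is complete within the hunk.

```nix
services.nginx.virtualHosts."link.fueltide.io" = {
  # … unchanged: enableACME, forceSSL …
  locations."= /.well-known/apple-app-site-association" = {
    alias = pkgs.writeText "apple-app-site-association"
      (builtins.toJSON appleAppSiteAssociation);
    extraConfig = ''
      default_type application/json;
    '';
  };
};
```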