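# NixOS module: serves the "up" user's home directory as srv.isomorphis.me
# (with directory listings) and a static site as isomorphis.me, both over
# HTTPS with ACME-issued certificates.
{ config, lib, pkgs, ... }:

let
  # Written as strings rather than Nix path literals. A path value that is
  # interpolated into a string or serialised is copied into the world-readable
  # /nix/store and replaced by the store path, which is never what is wanted
  # for a home directory or a live web root.
  # NOTE(review): this may also be why createHome misbehaved below. Confirm.
  up_dir = "/srv/up";
  isomorphisme_dir = "/srv/isomorphis.me";
in
{
  services.nginx.enable = true;

  # nginx runs under ProtectHome=true which disallows reading anywhere
  # in /home. So we need to use a different location.
  users.users."up" = {
    isNormalUser = true;
    home = up_dir;
    # group = config.services.nginx.group;
    group = "nginx";
    # Unsure why this is broken, but couldn't make things work without
    # creating the directory by hand.
    # createHome = true;
    # homeMode = "750";
  };

  services.nginx.virtualHosts."srv.isomorphis.me" = {
    forceSSL = true;
    enableACME = true;
    # The web root is the "up" user's home directory, so everything readable
    # there is public unless a location below denies it.
    root = up_dir;
    locations = {
      "/" = {
        extraConfig = "autoindex on;";
      };
      "/.ssh" = {
        return = "403";
      };
      # Deny every dot-prefixed path component, not only /.ssh. A home
      # directory also collects shell history, editor state and tool
      # credentials, and those stay fetchable by name even when a listing
      # does not show them. The lookahead leaves /.well-known alone so the
      # ACME HTTP-01 challenge path is not affected.
      "~ /\\.(?!well-known)" = {
        return = "403";
      };
      "/i/" = {
        extraConfig = "autoindex off;";
      };
    };
  };

  services.nginx.virtualHosts."isomorphis.me" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      root = isomorphisme_dir;
    };
  };

  # Re-applies ownership on every activation so nginx (via the nginx group)
  # can read both trees. The paths come from the bindings above so the web
  # roots and this script cannot drift apart.
  # NOTE(review): chown fails if a directory does not exist yet. Per the
  # comment on users.users."up", /srv/up is currently created by hand.
  system.activationScripts."srv-permissions" = ''
    chown -R up:nginx ${up_dir}
    chown -R nginx:nginx ${isomorphisme_dir}
  '';
}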