{ config, lib, pkgs, ... }:

{
  services.nginx.enable = true;

  # nginx runs under ProtectHome=true which disallows reading anywhere
  # in /home. So we need to use a different location.
  users.users."up" = {
    isNormalUser = true;
    home = /srv/up;
    group = config.services.nginx.group;
    createHome = true;
    homeMode = "750";
  };

  services.nginx.virtualHosts."srv.isomorphis.me" = {
    forceSSL = true;
    enableACME = true;
    root = config.users.users."up".home;
    locations."/" = {
      extraConfig = ''
        autoindex on;
      '';
    };
    locations."/i/" = {
      extraConfig = ''
        autoindex off;
      '';
    };
  };
}