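# NixOS module: serves the static site deertopia.net through Nginx, obtains a
# Let's Encrypt (ACME) certificate for it, and prepares the persistent
# directory that holds the site's files.
{ config, lib, pkgs, ... }:

let
  # Location and ownership of the persistent site data. The web root served
  # by Nginx is the "www" subdirectory of `directory`.
  deertopiaRoot = {
    directory = "/persist/deertopia.net/";
    group = "nginx";
    user = "nginx";
  };
in
{
  services.nginx.enable = true;

  # Port 80 stays open alongside 443: `forceSSL` answers plain-HTTP requests
  # with a redirect to HTTPS, and the ACME HTTP-01 challenge is served there.
  networking.firewall.allowedTCPPorts = [
    80   # HTTP
    443  # HTTPS
  ];

  # With this section, virtual hosts declared through the Nginx NixOS module
  # will automatically request ACME SSL certificates and configure systemd
  # timers to renew the certificate if required. See the article on the NixOS
  # wiki, from which I've nabbed the following snippet:
  # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
  security.acme = {
    acceptTerms = true;
    defaults.email = "lomiskiam@gmail.com";
  };

  services.nginx.virtualHosts."deertopia.net" = {
    # `directory` ends in a slash, so this expands with a doubled slash
    # ("…/deertopia.net//www"); path resolution treats it as a single one.
    root = "${deertopiaRoot.directory}/www";
    # addSSL = true;
    forceSSL = true;  # redirect every HTTP request to HTTPS
    enableACME = true;
    locations."/" = {
      index = "index.html";
    };
  };

  # Creates the site directory and (re)applies its ownership and mode. NixOS
  # runs activation scripts as root on every activation, so the recursive
  # chown/chmod is repeated each time.
  #
  # NOTE(review): the whole tree ends up owned by, and writable for, the
  # account the Nginx workers run as. A flaw in anything running as that
  # account could therefore alter the served content, and root recursing
  # through a tree that a service account can write to is a pattern worth
  # avoiding. Consider having a separate deploy user (or root) own the tree,
  # giving the nginx group read-only access, and creating the directory
  # declaratively with `systemd.tmpfiles.rules` instead.
  #
  # NOTE(review): mode 775 also sets the execute bit on every regular file.
  # Static content does not need it; a symbolic mode such as `u=rwX,g=rX,o=rX`
  # would keep directories traversable without marking files executable.
  system.activationScripts.initialiseDeertopiaRoot.text = ''
    mkdir -p "${deertopiaRoot.directory}"
    chown -R "${deertopiaRoot.user}:${deertopiaRoot.group}" \
      "${deertopiaRoot.directory}"
    chmod -R 775 "${deertopiaRoot.directory}"
  '';
}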