{ config, options, depot, lib, pkgs, ... }:

  inherit (depot.ops) secrets;
  sock = "/run/fup.sock";
  pkg = depot.web.fup;

  format = pkgs.formats.yaml {};
  fupConfig = format.generate "fup.yaml" secrets.fup.config;
  options = with lib; {
    my.fup.listen = lib.mkOption {
      type = with types; listOf str;
      default = [ "" "[::1]" ];

  config = let
    nginxListen = (map (addr: {
      inherit addr;
      port = 80;
      ssl = false;
    }) config.my.fup.listen) ++ (map (addr: {
      inherit addr;
      port = 443;
      ssl = true;
    }) config.my.fup.listen);
  in {
    security.acme.certs."p.lukegb.com" = {
      group = config.services.nginx.group;
    services.nginx = {
      enable = lib.mkDefault true;
      virtualHosts."p.lukegb.com" = {
        listen = nginxListen;
        useACMEHost = "p.lukegb.com";
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://unix:${sock}";
          extraConfig = ''
            proxy_redirect off;
            client_max_body_size 0;
            proxy_buffering off;

    systemd.sockets.fup = {
      listenStreams = [ sock ];
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        SocketUser = config.services.nginx.user;
        SocketGroup = config.services.nginx.group;
        SocketMode = "0700";

    systemd.services.fup = {
      wantedBy = [ "multi-user.target" ];
      requires = [ "network.target" ];
      after = [ "network.target" "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        Restart = "always";
        EnvironmentFile = secrets.fup.environment;
        ExecStart = "${pkg}/bin/fup serve --config=${fupConfig}";
        DynamicUser = true;