server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name home.tyil.nl;

	ssl_certificate /etc/letsencrypt/live/home.tyil.nl/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/home.tyil.nl/privkey.pem;

	include /etc/nginx/snippets.d/certbot.conf;
	include /etc/nginx/snippets.d/headers.conf;
	include /etc/nginx/snippets.d/ssl.conf;

	location / {
		return 301 https://www.tyil.nl$request_uri;
	}

	location ~ ^/~(.+?)(/.*)?$ {
		alias /home/$1/www$2;
		autoindex on;
	}

	location /git {
		rewrite ^/git/(.*)$ https://git.tyil.nl/$1 redirect;
	}

	location /media {
		alias /var/media;

		satisfy any;

		allow 127.0.0.1;
		allow 10.57.0.0/16;
		allow 192.168.178.0/24;
		deny all;

		auth_basic "pls no hack";
		auth_basic_user_file "/var/media/.htpasswd";

		autoindex on;
	}

	location /media/backups { deny all; }
	location /media/nextcloud { deny all; }
	location /media/pictures { deny all; }
	location /media/recordings { deny all; }

	location /packages {
		alias /var/portage/packages;
		autoindex on;
	}
}