diff --git a/content/blog/nix-unprivileged-deployments.md b/content/blog/nix-unprivileged-deployments.md
index 154ed2e..a613ecb 100644
--- a/content/blog/nix-unprivileged-deployments.md
+++ b/content/blog/nix-unprivileged-deployments.md
@@ -123,7 +123,72 @@ module that will set this up:
 ```nix
-# TODO: write this
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.my.static-site;
+ sitesDir = "/var/lib/static-site";
+
+ user = config.users.users.static-site.name;
+ group = config.users.groups.static-site.name;
+
+in
+{
+ options = with lib; {
+ my.static-site = {
+ enable = mkEnableOption "Enable static site deployments";
+ keys = mkOption {
+ description = "list of ssh keys to give push access";
+ type = with types; listOf str;
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ users.users.static-site = {
+ inherit group;
+ isSystemUser = true;
+ # need shell access for deploys
+ useDefaultShell = true;
+ home = sitesDir;
+ openssh.authorizedKeys.keys = cfg.keys;
+ };
+
+ # make this user trusted (spooky)
+ nix.settings.trusted-users = [ user ];
+
+
+ users.groups.static-site = { };
+ services.nginx.virtualHosts = {
+ "saji.dev" = {
+ root = "${sitesDir}/public";
+ forceSSL = true;
+ useACMEHost = "saji.dev";
+ locations."/" = {
+ tryFiles = "$uri $uri/ =404";
+ };
+ };
+ };
+ # create the base static site directory, owned by the static-site user
+ systemd.tmpfiles.settings."static-site" = {
+ "${sitesDir}".d = {
+ user = user;
+ group = group;
+ mode = "0755";
+ };
+ # Create a dummy symlink to /dev/null
+ # this will not override an existing symlink, but it will
+ # make sure that the nginx configuration is valid
+ "${sitesDir}/public".L = {
+ argument = "/dev/null";
+ };
+
+
+ };
+ };
+}
 ```
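Review bot: `nix.settings.trusted-users = [ user ];` makes every SSH key listed in `my.static-site.keys` root-equivalent, because the Nix manual states that adding a user to trusted-users is essentially equivalent to giving that user root access (a trusted user can override daemon settings such as substituters and replace store paths the system depends on), and the `(spooky)` comment does not convey that to someone copying the module out of the post. I would replace that comment with `# WARNING: trusted-users is effectively root; anyone holding a key in cfg.keys can take over the host` and say the same in the option, e.g. `description = "ssh keys to give push access (NOTE: these keys get root-equivalent access via nix trusted-users)";`. The later hunk mentions signing with `LOCAL_KEY`; if the deploy only needs to `nix copy` paths signed by that key, adding its public key to `nix.settings.trusted-public-keys` (and putting a forced `command=` or `restrict` option on the authorized key) might allow dropping the user from trusted-users, though whether the deploy flow tolerates that is not visible here.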
@@ -215,4 +280,31 @@ called `LOCAL_KEY` which is a file that contains the signing key.
 Regardless of the outcome you choose, when you re-deploy, it should work properly.
-Let's follow the symlink.
+Let's see what happened on the server:
+
+```bash
+$ ls /var/lib/static-site/ -lah
+total 20K
+drwxr-xr-x 4 static-site static-site 4.0K Apr 19 23:32 .
+drwxr-xr-x 17 root root 4.0K Apr 21 03:00 ..
+drwxr-xr-x 3 static-site static-site 4.0K Apr 17 19:57 .local
+drwxr-xr-x 2 static-site static-site 4.0K Apr 17 19:57 .nix-defexpr
+lrwxrwxrwx 1 static-site static-site 60 Apr 19 23:32 public -> /var/lib/static-site/.local/state/nix/profiles/mysite/public
+
+$ ls /var/lib/static-site/.local/state/nix/profiles/ -lah
+total 40K
+drwxr-xr-x 2 static-site static-site 4.0K Apr 19 23:32 .
+drwxr-xr-x 3 static-site static-site 4.0K Apr 17 19:57 ..
+lrwxrwxrwx 1 static-site static-site 13 Apr 19 23:32 mysite -> mysite-8-link
+lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:57 mysite-1-link -> /nix/store/kbw9mna3934zqj0saz1snw1pbmxi95aq-activatable-myblog
+lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:59 mysite-2-link -> /nix/store/aa0ai7vwv59alfmhrk29frcbipr6iv9f-activatable-myblog
+...
+lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
+```
+
+We can get an idea of how this works:
+
+1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
+2. The profile is itself a link to `mysite-8-link`.
+3. `mysite-8-link` is also a link to a derivation in the nix store.
+