From 04bea73b6a61fd42a2588cd45476b366930d7d92 Mon Sep 17 00:00:00 2001
From: TheGeneralist <180094941+thegeneralist01@users.noreply.github.com>
Date: Fri, 27 Jun 2025 21:19:22 +0200
Subject: [PATCH] site: add and force SSL

---
 .../acme/acmeEnvironment.age | Bin 0 -> 417 bytes
 hosts/thegeneralist-central/acme/default.nix | 24 ++++++++
 hosts/thegeneralist-central/site.nix | 57 +++++++++++++++---
 secrets.nix | 1 +
 4 files changed, 75 insertions(+), 7 deletions(-)
 create mode 100644 hosts/thegeneralist-central/acme/acmeEnvironment.age
 create mode 100644 hosts/thegeneralist-central/acme/default.nix

diff --git a/hosts/thegeneralist-central/acme/acmeEnvironment.age b/hosts/thegeneralist-central/acme/acmeEnvironment.age
new file mode 100644
index 0000000000000000000000000000000000000000..c76f8f5a6271992d861986ddee5df1ad7ee4112e
GIT binary patch
literal 417
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHD6lL{2~;RG^^J&3 iZV3!cZ~FnDE08qF*eUFu5`|JEOJYZD0lJpEJ{rct1K{g4COK{(@x1V^35~Lhzbd< z%B}Fp&&_bO$Sun*Hcbi$G)i>KE~+vPOLH|ewcyg#)m3nF@iYl3$u`pu$#C~KG)^h= z$nee%$qUK#3`sOJiOdi1v(yfZsEBkePUd>AmusxLl$}-JLB8{YPo2>V>~HV}MJ)07 z{d-^D`INZV(?lIQc0AuNVSFOKJ@dKvrjnH@t?YN3r}nx$_0)|$+3OMdjG6!8bdLL# zPHB$qA6Ra?wOV*{RP?_*l_qe#*J#sjwxEq^Z>FA~HmzIir?K6l*I&B2ic^~B#w`t* zwbYS4alOjZq~^&t%eL}6A76Bdsa$x?!IDMp0URckUqv5enJ@A9ZDw7!VAU3X%m2qX zJ64x*G_Q|#WtiR66y?l&&}T+~t-R;=q|9R})3Xg#rPklIlKx>d-$Ca~+=K_0zh7Bx T5*O-H=)?G{bA6fa!Q?pr`7f*I
literal 0
HcmV?d00001

diff --git a/hosts/thegeneralist-central/acme/default.nix b/hosts/thegeneralist-central/acme/default.nix
new file mode 100644
index 0000000..9db64c5
--- /dev/null
+++ b/hosts/thegeneralist-central/acme/default.nix
@@ -0,0 +1,24 @@
+{ config, ... }: let
+ domain = "thegeneralist01.com";
+in {
+ age.secrets.acmeEnvironment.file = ./acmeEnvironment.age;
+
+ security.acme = {
+ defaults = {
+ # Options: https://go-acme.github.io/lego/dns/
+ environmentFile = config.age.secrets.acmeEnvironment.path;
+ email = "thegeneralist01@proton.me";
+ dnsResolver = "1.1.1.1";
+ dnsProvider = "cloudflare";
+ };
+
+ certs.${domain} = {
+ extraDomainNames = [ "*.${domain}" ];
+ group = "acme";
+ };
+
+ acceptTerms = true;
+ };
+
+ users.groups.acme.members = [ "nginx" ];
+}
diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix
index 89d16d1..3fd0c4c 100644
--- a/hosts/thegeneralist-central/site.nix
+++ b/hosts/thegeneralist-central/site.nix
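Review bot: The wildcard order `extraDomainNames = [ "*.${domain}" ]` with `dnsProvider = "cloudflare"` is satisfied via DNS-01, so whatever credential sits in acmeEnvironment.age can rewrite DNS for the zone, and the `# Options:` comment should say which variables the file must carry and how narrowly they should be scoped, e.g. `# Env file provides the CLOUDFLARE_* variables lego reads for dnsProvider = "cloudflare"; prefer a CLOUDFLARE_DNS_API_TOKEN limited to DNS edits on this one zone over the legacy CLOUDFLARE_EMAIL/CLOUDFLARE_API_KEY pair.` The file is encrypted, so whether it already holds a zone-scoped token rather than an account-wide key cannot be verified from this commit. Granting nginx read access through the `acme` group is the standard NixOS arrangement and looks fine.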
@@ -1,31 +1,74 @@
 { config, pkgs, ... }: let
 domain = "thegeneralist01.com";
+
+ ssl = {
+ quic = true;
+ useACMEHost = domain;
+ };
 in {
- environment.systemPackages = [ pkgs.cloudflared ];
+ imports = [ ./acme ];
+ # Nginx
 services.nginx = {
- enable = true;
+ enable = true;
+ package = pkgs.nginxQuic;
+ enableQuicBPF = true;
- virtualHosts = {
- "${domain}" = {
- root = "/var/www/${domain}";
- locations."/".tryFiles = "$uri $uri/ $uri/index.html";
- };
+ recommendedZstdSettings = true;
+ recommendedUwsgiSettings = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+
+ statusPage = true;
+ validateConfigFile = true;
+
+ virtualHosts."${domain}" = ssl // {
+ root = "/var/www/${domain}";
+ locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
+
+ extraConfig = ''
+ if ($http_x_forwarded_proto = "http") {
+ return 301 https://${domain}$request_uri;
+ }
+
+ location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
+ expires 1d;
+ add_header Cache-Control "public";
+ }
+
+ error_page 404 /404.html;
+ '';
+ };
+
+ virtualHosts."www.${domain}" = ssl // {
+ locations."/".return = "306 https://${domain}$request_uri";
+ };
+
+ virtualHosts._ = ssl // {
+ locations."/".return = "307 https://${domain}/404";
 };
 };
+ # Cloudflare
+ environment.systemPackages = [ pkgs.cloudflared ];
+
 age.secrets.cftcert.file = ./cert.pem.age;
 age.secrets.cftcredentials.file = ./credentials.age;
 services.cloudflared = {
 enable = true;
 certificateFile = config.age.secrets.cftcert.path;
+
 tunnels."site" = {
 ingress = {
 "thegeneralist01.com" = "http://localhost:80";
 "www.thegeneralist01.com" = "http://localhost:80";
 };
 default = "http_status:404";
+
 credentialsFile = config.age.secrets.cftcredentials.path;
 certificateFile = config.age.secrets.cftcert.path;
 };
diff --git a/secrets.nix b/secrets.nix
index 3bd4512..fb85e81 100644
--- a/secrets.nix
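Review bot: The `ssl` set carries `useACMEHost` but none of `addSSL`/`forceSSL`/`onlySSL`, and as far as I recall the NixOS nginx module only emits the 443 listener and the `ssl_certificate` lines when one of those is set, so all three `virtualHosts` still listen on plain port 80 only and `quic = true` has no TLS listener to attach to. Because the cloudflared ingress targets `http://localhost:80`, `forceSSL` would turn every tunnelled request into a 301 and loop through the edge; `addSSL = true;` inside `ssl` fits this layout, keeping the `$http_x_forwarded_proto` check for tunnelled traffic (a client reaching port 80 directly can set that header itself, so the check is not a substitute for the listener). The `www` host answers `306 https://${domain}$request_uri`, and 306 is an unused status that user agents do not follow as a redirect, so it should read `locations."/".return = "301 https://${domain}$request_uri";`. The `_` catch-all is not marked `default = true`, so whether nginx actually picks it for unmatched hosts depends on server-block order. The enclosing attribute set closes outside the hunk.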
+++ b/secrets.nix
@@ -4,6 +4,7 @@ in {
 "hosts/thegeneralist/hostkey.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/hostkey.age".publicKeys = [ thegeneralist ];
+ "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
 "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];