site: add and force SSL

2026-03-07 10:59:55 +01:00 · 2025-06-27 21:19:22 +02:00 · 2025-06-27 21:19:22 +02:00 · 04bea73b6a
commit 04bea73b6a
parent eae1c39468
4 changed files with 75 additions and 7 deletions
--- a/hosts/thegeneralist-central/acme/acmeEnvironment.age
+++ b/hosts/thegeneralist-central/acme/acmeEnvironment.age
--- a/hosts/thegeneralist-central/acme/default.nix
+++ b/hosts/thegeneralist-central/acme/default.nix
@ -0,0 +1,24 @@
+{ config, ... }: let
+  domain = "thegeneralist01.com";
+in {
+  age.secrets.acmeEnvironment.file = ./acmeEnvironment.age;
+
+  security.acme = {
+    defaults = {
+      # Options: https://go-acme.github.io/lego/dns/
+      environmentFile = config.age.secrets.acmeEnvironment.path;
+      email = "thegeneralist01@proton.me";
+      dnsResolver = "1.1.1.1";
+      dnsProvider = "cloudflare";
+    };
+
+    certs.${domain} = {
+      extraDomainNames = [ "*.${domain}" ];
+      group = "acme";
+    };
+
+    acceptTerms = true;
+  };
+
+  users.groups.acme.members = [ "nginx" ];
+}
--- a/hosts/thegeneralist-central/site.nix
+++ b/hosts/thegeneralist-central/site.nix
@ -1,31 +1,74 @@
 { config, pkgs, ... }: let
  domain = "thegeneralist01.com";
+
+  ssl = {
+    quic        = true;
+    useACMEHost = domain;
+  };
 in {
-  environment.systemPackages = [ pkgs.cloudflared ];
+  imports = [ ./acme ];

+  # Nginx
  services.nginx = {
-    enable = true;
+    enable                        = true;
+    package                       = pkgs.nginxQuic;
+    enableQuicBPF                 = true;

-    virtualHosts = {
-      "${domain}" = {
-        root = "/var/www/${domain}";
-        locations."/".tryFiles = "$uri $uri/ $uri/index.html";
-      };
+    recommendedZstdSettings       = true;
+    recommendedUwsgiSettings      = true;
+    recommendedTlsSettings        = true;
+    recommendedProxySettings      = true;
+    recommendedOptimisation       = true;
+    recommendedGzipSettings       = true;
+    recommendedBrotliSettings     = true;
+
+    statusPage                    = true;
+    validateConfigFile            = true;
+
+    virtualHosts."${domain}"      = ssl // {
+      root = "/var/www/${domain}";
+      locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
+
+      extraConfig = ''
+        if ($http_x_forwarded_proto = "http") {
+          return 301 https://${domain}$request_uri;
+        }
+
+        location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
+          expires 1d;
+          add_header Cache-Control "public";
+        }
+
+        error_page 404 /404.html;
+      '';
+    };
+
+    virtualHosts."www.${domain}"  = ssl // {
+      locations."/".return = "306 https://${domain}$request_uri";
+    };
+
+    virtualHosts._ = ssl // {
+      locations."/".return = "307 https://${domain}/404";
    };
  };

+  # Cloudflare
+  environment.systemPackages = [ pkgs.cloudflared ];
+
  age.secrets.cftcert.file = ./cert.pem.age;
  age.secrets.cftcredentials.file = ./credentials.age;

  services.cloudflared = {
    enable = true;
    certificateFile = config.age.secrets.cftcert.path;
+
    tunnels."site" = {
      ingress = {
        "thegeneralist01.com" = "http://localhost:80";
        "www.thegeneralist01.com" = "http://localhost:80";
      };
      default = "http_status:404";
+
      credentialsFile = config.age.secrets.cftcredentials.path;
      certificateFile = config.age.secrets.cftcert.path;
    };