site: add and force SSL

hosts/thegeneralist-central/acme/default.nix

@@ -0,0 +1,24 @@
+{ config, ... }: let
+  domain = "thegeneralist01.com";
+in {
+  age.secrets.acmeEnvironment.file = ./acmeEnvironment.age;
+
+  security.acme = {
+    defaults = {
+      # Options: https://go-acme.github.io/lego/dns/
+      environmentFile = config.age.secrets.acmeEnvironment.path;
+      email = "thegeneralist01@proton.me";
+      dnsResolver = "1.1.1.1";
+      dnsProvider = "cloudflare";
+    };
+
+    certs.${domain} = {
+      extraDomainNames = [ "*.${domain}" ];
+      group = "acme";
+    };
+
+    acceptTerms = true;
+  };
+
+  users.groups.acme.members = [ "nginx" ];
+}

hosts/thegeneralist-central/site.nix

@@ -1,31 +1,74 @@
 { config, pkgs, ... }: let
   domain = "thegeneralist01.com";
+
+  ssl = {
+    quic        = true;
+    useACMEHost = domain;
+  };
 in {
-  environment.systemPackages = [ pkgs.cloudflared ];
+  imports = [ ./acme ];
 
+  # Nginx
   services.nginx = {
-    enable = true;
+    enable                        = true;
+    package                       = pkgs.nginxQuic;
+    enableQuicBPF                 = true;
 
-    virtualHosts = {
+    recommendedZstdSettings       = true;
-      "${domain}" = {
+    recommendedUwsgiSettings      = true;
-        root = "/var/www/${domain}";
+    recommendedTlsSettings        = true;
-        locations."/".tryFiles = "$uri $uri/ $uri/index.html";
+    recommendedProxySettings      = true;
-      };
+    recommendedOptimisation       = true;
+    recommendedGzipSettings       = true;
+    recommendedBrotliSettings     = true;
+
+    statusPage                    = true;
+    validateConfigFile            = true;
+
+    virtualHosts."${domain}"      = ssl // {
+      root = "/var/www/${domain}";
+      locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
+
+      extraConfig = ''
+        if ($http_x_forwarded_proto = "http") {
+          return 301 https://${domain}$request_uri;
+        }
+
+        location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
+          expires 1d;
+          add_header Cache-Control "public";
+        }
+
+        error_page 404 /404.html;
+      '';
+    };
+
+    virtualHosts."www.${domain}"  = ssl // {
+      locations."/".return = "306 https://${domain}$request_uri";
+    };
+
+    virtualHosts._ = ssl // {
+      locations."/".return = "307 https://${domain}/404";
     };
   };
 
+  # Cloudflare
+  environment.systemPackages = [ pkgs.cloudflared ];
+
   age.secrets.cftcert.file = ./cert.pem.age;
   age.secrets.cftcredentials.file = ./credentials.age;
 
   services.cloudflared = {
     enable = true;
     certificateFile = config.age.secrets.cftcert.path;
+
     tunnels."site" = {
       ingress = {
         "thegeneralist01.com" = "http://localhost:80";
         "www.thegeneralist01.com" = "http://localhost:80";
       };
       default = "http_status:404";
+
       credentialsFile = config.age.secrets.cftcredentials.path;
       certificateFile = config.age.secrets.cftcert.path;
     };

secrets.nix

@@ -4,6 +4,7 @@ in {
   "hosts/thegeneralist/hostkey.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/hostkey.age".publicKeys = [ thegeneralist ];
 
+  "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];