Use http3 everywhere

hosts/cube/grafana.nix

@@ -67,10 +67,7 @@ in serverSystemConfiguration {
     };
   };
 
-  services.nginx.virtualHosts.${fqdn} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
+  services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
     locations."/" = {
       proxyPass       = "http://[::]:${toString config.services.grafana.settings.server.http_port}";
       proxyWebsockets = true;

hosts/cube/matrix-synapse.nix

@@ -16,8 +16,8 @@ let
   clientConfig."org.matrix.msc3575.proxy".url = "https://${syncDomain}";
   serverConfig."m.server" = "${chatDomain}:443";
 
-  synapsePort     = 8001;
-  syncPort = 8002;
+  synapsePort = 8001;
+  syncPort    = 8002;
 in serverSystemConfiguration {
   age.secrets."cube/password.secret.matrix-synapse".owner = "matrix-synapse";
   age.secrets."cube/password.sync.matrix-synapse".owner   = "matrix-synapse";
@@ -91,13 +91,7 @@ in serverSystemConfiguration {
     "= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
   };
 
-  services.nginx.virtualHosts.${chatDomain} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
-    locations."/".proxyPass       = "http://[::]:${toString config.services.site.port}/404";
-    locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+  services.nginx.virtualHosts.${chatDomain} = (sslTemplate domain) // {
     locations."= /.well-known/matrix/client".extraConfig = wellKnownResponse clientConfig;
     locations."= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
 
@@ -106,21 +100,15 @@ in serverSystemConfiguration {
   };
 
   services.matrix-sliding-sync = enabled {
-    settings = {
+    environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
+    settings        = {
       SYNCV3_SERVER   = "https://${chatDomain}";
       SYNCV3_DB       = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
       SYNCV3_BINDADDR = "[::]:${toString syncPort}";
     };
-    environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
   };
 
-  services.nginx.virtualHosts.${syncDomain} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
-    locations."/".proxyPass       = "http://[::]:${toString config.services.site.port}/404";
-    locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+  services.nginx.virtualHosts.${syncDomain} = (sslTemplate domain) // {
     locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"
       .proxyPass = "http://[::]:${toString synapsePort}";
 

hosts/cube/nextcloud/default.nix

@@ -84,9 +84,5 @@ in serverSystemConfiguration {
     nginx.recommendedHttpHeaders = true;
   };
 
-  services.nginx.virtualHosts.${fqdn} = {
-    forceSSL    = true;
-    quic        = true;
-    useACMEHost = domain;
-  };
+  services.nginx.virtualHosts.${fqdn} = sslTemplate domain;
 }

hosts/cube/site.nix

@@ -1,8 +1,26 @@
 { config, ulib, ... }: with ulib;
 
-serverSystemConfiguration {
+let
+  inherit (config.networking) domain;
+
+  port = 8003;
+in serverSystemConfiguration {
   services.site = enabled {
-    url            = config.networking.domain;
-    configureNginx = true;
+    inherit port;
+  };
+
+  services.nginx.virtualHosts.${domain} = (sslTemplate domain) // {
+    locations."/".proxyPass = "http://[::]:${toString port}";
+  };
+
+  services.nginx.virtualHosts."www.${domain}" = (sslTemplate domain) // {
+    locations."/".extraConfig = ''
+      return 301 https://${domain}$request_uri;
+    '';
+  };
+
+  services.nginx.virtualHosts._ = (sslTemplate domain) // {
+    locations."/".proxyPass       = "http://[::]:${toString port}/404/";
+    locations."/assets".proxyPass = "http://[::]:${toString port}/assets";
   };
 }