diff --git a/site.conf b/site.conf
new file mode 100644
index 0000000..a519445
--- /dev/null
+++ b/site.conf
@@ -0,0 +1,66 @@
+# https://palmure.fr/blog.html#default-https-but-only-for-recent-browsers
+
+#<VirtualHost *:80>
+#  <Location />
+#    Require all denied
+#  </Location>
+#</VirtualHost>
+
+#<VirtualHost *:443>
+#  SSLEngine on
+#  Include /etc/letsencrypt/options-ssl-apache.conf
+#  SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
+#  SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
+#  <Location />
+#    Require all denied
+#  </Location>
+#</VirtualHost>
+
+<VirtualHost *:80 *:443>
+  ServerName nycki.net
+  SSLEngine on
+  Include /etc/letsencrypt/options-ssl-apache.conf
+
+  Header always add Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload;"
+  <If "%{HTTPS} == 'off'">
+    <If "%{HTTP:Upgrade-Insecure-Requests} == 1">
+      Header always add Vary: Upgrade-Insecure-Requests
+      Redirect / https://nycki.net 
+    </If>
+  </If>
+
+      DocumentRoot /data/nycki.net/site
+ErrorDocument 404 404.html
+
+  <Directory />
+    Options FollowSymLinks MultiViews
+    Require all granted
+  </Directory>
+  SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName rss.nycki.net
+  SSLEngine on
+  Include /etc/letsencrypt/options-ssl-apache.conf
+  <Location />
+    ProxyPass http://localhost:8400/
+  </Location>
+    SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName git.nycki.net
+  SSLEngine on
+  Include /etc/letsencrypt/options-ssl-apache.conf
+
+  # https://stackoverflow.com/a/9933890/3821202
+  AllowEncodedSlashes NoDecode
+  <Location />
+    ProxyPass http://localhost:8500/ nocanon
+  </Location>
+    SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
+</VirtualHost>