Since I managed to do this incorrectly a couple of times I figured it was worth noting here.
You already have a working site setup in Nginx that uses SSL. Now you want to make sure that any non-SSL requests to the site get redirected. Turns out to be very simple:
rewrite ^(.*) https://$server_name$1 permanent;
This sends back an
HTTP/1.1 301 Moved Permanently response for non-SSL requests for example.com.
Three short and easy to read lines, I like it.