diff --git a/container/webserver/config.nix b/container/webserver/config.nix
index 8c6184e..8a6773b 100644
--- a/container/webserver/config.nix
+++ b/container/webserver/config.nix
@@ -27,69 +27,6 @@
 mode = "0644";
 };
 
- # traefik
-
- environment.etc."container-webserver/traefik/traefik.toml" = {
- text = ''
- [providers]
- [providers.file]
- directory = "/custom_config"
- watch = true
-
- [providers.docker]
- exposedByDefault = false
-
- [entryPoints]
- [entryPoints.web]
- address = ":80"
-
- [entryPoints.websecure]
- address = ":443"
-
- [certificatesResolvers.cfresolver.acme]
- email = "${secret.container.webserver.traefik.config.acme.email}"
- storage = "/acme.json"
- keyType = "EC384"
-
- [certificatesResolvers.cfresolver.acme.dnsChallenge]
- provider = "cloudflare"
-
- [api]
- dashboard = true
- '';
-
- mode = "0644";
- };
-
- environment.etc."container-webserver/traefik/custom/middlewares.toml" = {
- text = ''
- [http.middlewares]
- [http.middlewares.non-www-redirect.redirectRegex]
- regex = "^https://www.(.*)"
- replacement = "https://''${1}"
- permanent = true
-
- [http.middlewares.https-redirect.redirectScheme]
- scheme = "https"
- permanent = true
-
- [http.middlewares.content-compression.compress]
-
- [http.middlewares.very-low-request-rate.rateLimit]
- average = 3
- period = "1m"
-
- [http.middlewares.security-headers.headers]
- frameDeny = true
- browserXssFilter = true
- contentTypeNosniff = true
- referrerPolicy = "no-referrer"
- contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'"
- '';
-
- mode = "0644";
- };
-
 # weewx
 
 environment.etc."container-webserver/weewx/weewx.conf" = {
diff --git a/container/webserver/default.nix b/container/webserver/default.nix
index 945f557..f4a339c 100644
--- a/container/webserver/default.nix
+++ b/container/webserver/default.nix
@@ -43,29 +43,6 @@ in
 };
 };
 
- traefik = {
- service = {
- image = "traefik:v2.8";
- container_name = "traefik";
- restart = "unless-stopped";
- depends_on = [ "ipv6nat" ];
- networks = [ "webserver" ];
- ports = [
- "80:80"
- "443:443"
- ];
- command = [ "--configFile=/traefik.toml" ];
- environment = secret.container.webserver.traefik.environment;
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/etc/container-webserver/traefik/traefik.toml:/traefik.toml:ro"
- "/etc/container-webserver/traefik/acme.json:/acme.json"
- "/etc/container-webserver/traefik/custom:/custom_config:ro"
- ];
- labels = secret.container.webserver.traefik.labels;
- };
- };
-
 cloudflared = {
 service = {
 image = "cloudflare/cloudflared:latest";
@@ -79,49 +56,14 @@ in
 };
 };
 
- ifconfig-sexy = {
- service = {
- image = "ghcr.io/nifoc/ifconfig.sexy-caddy:master";
- restart = "unless-stopped";
- depends_on = [
- "ipv6nat"
- "traefik"
- ];
- networks = [ "webserver" ];
- labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.ifconfig-sexy-http.rule" = "Host(`ifconfig.sexy`, `www.ifconfig.sexy`, `4.ifconfig.sexy`, `6.ifconfig.sexy`)";
- "traefik.http.routers.ifconfig-sexy-http.entrypoints" = "web";
- "traefik.http.routers.ifconfig-sexy-http.middlewares" = "https-redirect@file";
- "traefik.http.routers.ifconfig-sexy.rule" = "Host(`ifconfig.sexy`, `www.ifconfig.sexy`, `4.ifconfig.sexy`, `6.ifconfig.sexy`)";
- "traefik.http.routers.ifconfig-sexy.entrypoints" = "websecure";
- "traefik.http.routers.ifconfig-sexy.tls" = "true";
- "traefik.http.routers.ifconfig-sexy.tls.certresolver" = "cfresolver";
- "traefik.http.routers.ifconfig-sexy.middlewares" = "non-www-redirect@file, content-compression@file";
- "com.centurylinklabs.watchtower.enable" = "true";
- };
- };
- };
-
 nifoc-pw-docs = {
 service = {
 image = "ghcr.io/nifoc/nifoc.pw-docs:master";
 container_name = "nifoc-pw-docs";
 restart = "unless-stopped";
- depends_on = [
- "ipv6nat"
- "traefik"
- ];
+ depends_on = [ "ipv6nat" ];
 networks = [ "webserver" ];
 labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.nifoc-pw-docs.rule" = "HostRegexp(`{subdomain:[a-z_]+}.nifoc.pw`)";
- "traefik.http.routers.nifoc-pw-docs.entrypoints" = "websecure";
- "traefik.http.routers.nifoc-pw-docs.tls" = "true";
- "traefik.http.routers.nifoc-pw-docs.tls.certresolver" = "cfresolver";
- "traefik.http.routers.nifoc-pw-docs.tls.domains[0].main" = "nifoc.pw";
- "traefik.http.routers.nifoc-pw-docs.tls.domains[0].sans" = "*.nifoc.pw";
- "traefik.http.routers.nifoc-pw-docs.middlewares" = "content-compression@file";
 "com.centurylinklabs.watchtower.enable" = "true";
 };
 };
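Review bot: After the traefik labels are removed, the nifoc-pw-docs `labels = {` block no longer records how the service is reached; the only ingress still visible is the cloudflared container, whose tunnel configuration sits in `secret/container/webserver/default.nix`, which this diff shows only as a binary change, so the host match, wildcard-certificate domains and compression middleware that used to be declared here cannot be reviewed. A one-line comment above `labels = {` would keep the routing discoverable, e.g. `# Ingress and TLS are handled by cloudflared (tunnel config lives in secret/container/webserver); no traefik labels needed.` The same applies to the synapse labels in the later hunk of this file, where the `matrix-web` upstream port 8008 was the only place that port was recorded. Worth confirming that the https-redirect, non-www-redirect and content-compression middlewares these routers used are re-applied at the edge, since nothing on the new side of any hunk replaces them.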
@@ -135,7 +77,6 @@ in
 depends_on = [
 "ipv6nat"
 "mosquitto"
- "traefik"
 ];
 networks = [ "webserver" ];
 environment = {
@@ -155,10 +96,7 @@ in
 image = "matrixdotorg/synapse:latest";
 container_name = "synapse";
 restart = "unless-stopped";
- depends_on = [
- "ipv6nat"
- "traefik"
- ];
+ depends_on = [ "ipv6nat" ];
 networks = [ "webserver" ];
 volumes = [
 "/etc/container-matrix/synapse:/data"
@@ -167,15 +105,6 @@ in
 "/etc/container-matrix/whatsapp:/bridge-data/whatsapp:ro"
 ];
 labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.matrix.rule" = "Host(`matrix.kempkens.io`)";
- "traefik.http.routers.matrix.entrypoints" = "websecure";
- "traefik.http.routers.matrix.service" = "matrix-web";
- "traefik.http.routers.matrix.tls.certresolver" = "cfresolver";
- "traefik.http.routers.matrix.tls.domains[0].main" = "kempkens.io";
- "traefik.http.routers.matrix.tls.domains[0].sans" = "*.kempkens.io";
- "traefik.http.routers.matrix.middlewares" = "content-compression@file";
- "traefik.http.services.matrix-web.loadbalancer.server.port" = "8008";
 "com.centurylinklabs.watchtower.enable" = "true";
 };
 };
diff --git a/hardware/hosts/sail.nix b/hardware/hosts/sail.nix
index 640e354..41ee01f 100644
--- a/hardware/hosts/sail.nix
+++ b/hardware/hosts/sail.nix
@@ -16,6 +16,7 @@
 kernel.sysctl = {
 "net.core.default_qdisc" = "fq";
 "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.rmem_max" = "2500000";
 };
 };
 
diff --git a/secret/container/webserver/default.nix b/secret/container/webserver/default.nix
index 5c56d3b..40258a8 100644
Binary files a/secret/container/webserver/default.nix and b/secret/container/webserver/default.nix differ
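Review bot: The new `"net.core.rmem_max" = "2500000";` line in sail.nix carries no comment, and it is a different kind of knob from the queueing and congestion-control sysctls next to it, so the reason for it will be lost once the traefik-to-cloudflared move is forgotten. The value appears to match the UDP receive-buffer size that cloudflared's QUIC transport asks for, so it is presumably tied to the cloudflared change in this commit, but that is an inference from the rest of the diff. If that is the reason, add `# larger UDP receive buffer requested by cloudflared's QUIC transport` above the line so a later cleanup of the webserver container does not leave an orphaned tuning value. It is also worth checking the consumer's current guidance on whether `net.core.wmem_max` needs the same treatment.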