diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix index b61c8f9..11347fa 100644 --- a/container/proxitok/default.nix +++ b/container/proxitok/default.nix @@ -30,7 +30,7 @@ ]; systemd.tmpfiles.rules = [ - "d /etc/container-proxitok/cache 0755 33 33" + "d /etc/container-proxitok/cache 0755 nobody nogroup" ]; services.redis.servers.proxitok = { diff --git a/flake.lock b/flake.lock index 494926c..a43b8b5 100644 --- a/flake.lock +++ b/flake.lock @@ -137,11 +137,11 @@ ] }, "locked": { - "lastModified": 1693677537, - "narHash": "sha256-F8ozidIQV4Sp/IfTE54U+qIOuC88b9WskFWK5VrHBs4=", + "lastModified": 1693791515, + "narHash": "sha256-1HXhqNCd1nyxhUvhLuH8pb+wxBm5DNgxhRbBnERdAr8=", "owner": "nix-community", "repo": "disko", - "rev": "06481a9836c37b7c1aba784092a984c2d2ef5431", + "rev": "1c38664f59f95ac6ddef77a418df85ee662036d2", "type": "github" }, "original": { @@ -514,11 +514,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1693720845, - "narHash": "sha256-np6BdXUBSr34MATRnGWVz3refOKgGSql7W8CMCYmmFs=", + "lastModified": 1693814116, + "narHash": "sha256-9UWvn4tPo6Z7dCWzAfD9kTq31j5KyQf8MH1eogiKL9g=", "owner": "neovim", "repo": "neovim", - "rev": "820522d685e2794c638144a88ceee50d53bdc104", + "rev": "069fad6e2df25e6b079879670cf6c68ae7ddb012", "type": "github" }, "original": { @@ -539,11 +539,11 @@ "weewx-proxy-flake": "weewx-proxy-flake" }, "locked": { - "lastModified": 1693729053, - "narHash": "sha256-cN0IyXk+mDveMM7pIBhnmEltb8d6RxMjHbpIQzitDYI=", + "lastModified": 1693815598, + "narHash": "sha256-DK026bknR7R2SmcoCDStZL/NrTxWPFunJEe23TLu3Gs=", "owner": "nifoc", "repo": "nix-overlay", - "rev": "3c30431db022fc05ad40400af3af6f1ec87ae61c", + "rev": "ecab65354626cafb65dee976233250dd4d1199d9", "type": "github" }, "original": { 
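Review bot: The tmpfiles rule now creates `/etc/container-proxitok/cache` as `nobody:nogroup` with mode 0755, so only UID 65534 can write into it; if the process inside the proxitok container still runs as UID 33 (the previous owner), cache writes will start failing with EACCES. The container definition is outside this hunk, so the user the container runs as cannot be confirmed from here. A short comment on the rule would make the coupling explicit, e.g. `# must match the uid/gid the proxitok container process runs as`, and if that user has no host account the numeric ids are the safer spelling.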
@@ -606,11 +606,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693654884, - "narHash": "sha256-EqKKEl+IOS8TSjkt+xn1qGpsjnx5/ag33YNQ1+c7OuM=", + "lastModified": 1693714546, + "narHash": "sha256-3EMJZeGSZT6pD1eNwI/6Yc0R4rxklNvJ2SDFcsCnjpM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e7f35e03abd06a2faef6684d0de813370e13bda8", + "rev": "d816b5ab44187a2dd84806630ce77a733724f95f", "type": "github" }, "original": { @@ -975,11 +975,11 @@ ] }, "locked": { - "lastModified": 1693689099, - "narHash": "sha256-NuilTRYMH+DDR/uBWQjDbX5mWCA05lwo2Sg9iTkkEs4=", + "lastModified": 1693817438, + "narHash": "sha256-fg3+n4Ky1gCzDtPm0MomMTFw0YkH05Y8ojy5t7bkfHg=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "e3e0f9f6d47f8fc68aff15150eda1224fb46f4d4", + "rev": "b8d3a059f5487d6767d07c3716386753e3132d9f", "type": "github" }, "original": { diff --git a/hardware/hosts/argon.nix b/hardware/hosts/argon.nix index d5543d9..5104f78 100644 --- a/hardware/hosts/argon.nix +++ b/hardware/hosts/argon.nix @@ -9,9 +9,10 @@ kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; - "net.ipv4.tcp_syncookies" = 0; + "net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_timestamps" = 1; "net.ipv4.tcp_window_scaling" = 1; + "net.ipv4.tcp_fastopen" = 3; "net.core.rmem_max" = 2500000; "net.core.wmem_max" = 2500000; }; diff --git a/hardware/hosts/mediaserver.nix b/hardware/hosts/mediaserver.nix index 0048aaf..ae7e725 100644 --- a/hardware/hosts/mediaserver.nix +++ b/hardware/hosts/mediaserver.nix @@ -20,10 +20,12 @@ kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; - "net.ipv4.tcp_syncookies" = 0; + "net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_timestamps" = 1; "net.ipv4.tcp_window_scaling" = 1; + "net.ipv4.tcp_fastopen" = 3; "net.core.rmem_max" = 2500000; + "net.core.wmem_max" = 2500000; }; }; diff --git a/hardware/hosts/tanker.nix b/hardware/hosts/tanker.nix index 2e86bf6..0cce008 100644 --- a/hardware/hosts/tanker.nix 
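Review bot: `"net.ipv4.tcp_fastopen" = 3` turns on TCP Fast Open for outgoing connections (bit 0) as well as for listeners (bit 1); the nginx `fastopen=` listen options added elsewhere in this commit only need the server side, so `2` is sufficient unless client-side TFO from these hosts is wanted — client TFO is the half that tends to hit middleboxes dropping SYNs that carry data. The same line is added in hardware/hosts/mediaserver.nix and hardware/hosts/tanker.nix. A comment such as `# bit 1 (server) is required for the nginx "fastopen=" listen options` would record why the value was chosen. The enclosing `kernel.sysctl` attribute set starts and ends outside the hunk.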
+++ b/hardware/hosts/tanker.nix @@ -28,9 +28,10 @@ kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; - "net.ipv4.tcp_syncookies" = 0; + "net.ipv4.tcp_syncookies" = 1; "net.ipv4.tcp_timestamps" = 1; "net.ipv4.tcp_window_scaling" = 1; + "net.ipv4.tcp_fastopen" = 3; "net.core.rmem_max" = 2500000; "vm.overcommit_memory" = 1; }; diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix index 1d9010a..7d2114c 100644 --- a/home/programs/nvim/plugins.nix +++ b/home/programs/nvim/plugins.nix @@ -118,12 +118,12 @@ in }; nvim-treesitter = buildVimPluginFrom2Nix { pname = "nvim-treesitter"; - version = "2023-09-02"; + version = "2023-09-04"; src = fetchFromGitHub { owner = "nvim-treesitter"; repo = "nvim-treesitter"; - rev = "17b943e7c5cc2b2db3ac7b5720fbd42e75a00d8d"; - sha256 = "03yq7pn0vz93xjjrs6cbypqvqxncxgsadmrvgkx177c3w146w0zl"; + rev = "30604fd7dde5abcba7ca8f5761894dfa61febe51"; + sha256 = "0mzl92jdgdjr36gy58pvdsca91k0lxf6pzcf3cw86h01rai2lmfg"; fetchSubmodules = false; }; }; @@ -162,12 +162,12 @@ in }; telescope-nvim = buildVimPluginFrom2Nix { pname = "telescope.nvim"; - version = "2023-09-03"; + version = "2023-09-04"; src = fetchFromGitHub { owner = "nvim-telescope"; repo = "telescope.nvim"; - rev = "3fae9c1e14910e6669bb8ecbb473aba6a9e13b33"; - sha256 = "0mh0f9wzfdh3vjv52i9h883s8i0zl4qgm3f3ykbi81ah4x25banp"; + rev = "6b79d7a6a45adc1508a7afee5bc973173ec22f59"; + sha256 = "15lr5b7922w6wrzky0gy5sgscmw5axvhyajkfdqgrlpl98acqfgp"; fetchSubmodules = false; }; }; @@ -521,8 +521,8 @@ in src = fetchFromGitHub { owner = "rebelot"; repo = "heirline.nvim"; - rev = "033b35355852daa8b0e0f55dc346a06b303281e6"; - sha256 = "0hzaznj54lw17zzsy3w9wnqxpd8l0avxj8lwp01sf325jvmlxvkg"; + rev = "7f1e805dfc001d5dbb7d894105063f463f6c7dcc"; + sha256 = "1hy5a30pb0cv93dh796lh08p5k43b4b732sr4ka0pwj4n4a3q82r"; fetchSubmodules = false; }; }; diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix index 19f2176..873ed32 100644 
--- a/system/hosts/argon.nix +++ b/system/hosts/argon.nix @@ -16,6 +16,7 @@ in ../nixos/acme-argon.nix ../nixos/nginx.nix + ../nixos/nginx-argon.nix (import ../nixos/adguardhome.nix (args // { inherit secret; })) diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix index 56ec992..3975625 100644 --- a/system/hosts/mediaserver.nix +++ b/system/hosts/mediaserver.nix @@ -15,6 +15,7 @@ in ../nixos/acme-mediaserver.nix ../nixos/nginx.nix + ../nixos/nginx-mediaserver.nix ../nixos/postgresql.nix (import ../nixos/adguardhome.nix (args // { inherit secret; })) diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix index e9bb165..6d61ef3 100644 --- a/system/hosts/tanker.nix +++ b/system/hosts/tanker.nix @@ -18,6 +18,7 @@ in ../nixos/acme-tanker.nix ../nixos/nginx.nix + ../nixos/nginx-tanker.nix ../nixos/postgresql.nix ../nixos/elasticsearch.nix ../nixos/mosquitto.nix diff --git a/system/nixos/adguardhome.nix b/system/nixos/adguardhome.nix index 66e4364..afbfb9e 100644 --- a/system/nixos/adguardhome.nix +++ b/system/nixos/adguardhome.nix @@ -80,17 +80,26 @@ addr = "0.0.0.0"; port = 9053; ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; } { addr = "[::0]"; port = 9053; ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; } ]; - quic = true; - http3 = true; + quic = false; onlySSL = true; useACMEHost = "internal.kempkens.network"; diff --git a/system/nixos/home-proxy.nix b/system/nixos/home-proxy.nix index 4a9edc2..ffdfb10 100644 --- a/system/nixos/home-proxy.nix +++ b/system/nixos/home-proxy.nix 
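Review bot: `backlog=1023` is silently capped by the kernel at `net.core.somaxconn`, which none of the sysctl hunks in this commit set; on kernels older than 5.4 that default is 128, so the requested backlog would not take effect there, and this applies equally to the `backlog=1023` added in home-proxy.nix, jellyfin.nix and the three new nginx-*.nix files. The `"fastopen=63" "backlog=1023" "deferred"` triple is now copied verbatim into both listen entries here and into four other files, so a single shared binding (for example `listenExtra = [ "fastopen=63" "backlog=1023" "deferred" ];` in a common module) would keep them from drifting. Note also that `fastopen=63` only has an effect where the kernel enables server-side TFO, which the hardware/hosts sysctl hunks of this commit do.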
@@ -9,8 +9,8 @@ } server { - listen *:${builtins.toString secret.nginx.upstream.video.externalPort}; - listen [::]:${builtins.toString secret.nginx.upstream.video.externalPort}; + listen *:${builtins.toString secret.nginx.upstream.video.externalPort} fastopen=63 backlog=1023; + listen [::]:${builtins.toString secret.nginx.upstream.video.externalPort} fastopen=63 backlog=1023; proxy_protocol on; proxy_pass video; diff --git a/system/nixos/jellyfin.nix b/system/nixos/jellyfin.nix index 6698dab..a159e67 100644 --- a/system/nixos/jellyfin.nix +++ b/system/nixos/jellyfin.nix @@ -63,10 +63,17 @@ addr = "0.0.0.0"; port = 9921; ssl = true; - extraParameters = [ "proxy_protocol" ]; + extraParameters = [ + "proxy_protocol" + "fastopen=63" + "backlog=1023" + "deferred" + ]; } ]; + quic = false; + onlySSL = true; useACMEHost = "internal.kempkens.network"; diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix index 57e210e..16fb0b9 100644 --- a/system/nixos/libreddit.nix +++ b/system/nixos/libreddit.nix @@ -9,7 +9,31 @@ }; services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = { + # listen = [ + # { + # addr = "100.108.165.26"; + # port = 443; + # ssl = true; + # extraParameters = [ + # "fastopen=63" + # "backlog=1023" + # "deferred" + # ]; + # } + # + # { + # addr = "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]"; + # port = 443; + # ssl = true; + # extraParameters = [ + # "fastopen=63" + # "backlog=1023" + # ]; + # } + # ]; + listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + quic = true; http3 = true; diff --git a/system/nixos/nginx-argon.nix b/system/nixos/nginx-argon.nix new file mode 100644 index 0000000..e5c12ea --- /dev/null +++ b/system/nixos/nginx-argon.nix 
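Review bot: The added `quic = false;` and `onlySSL = true;` appear to restate the situation the explicit `listen` entry already defines (`ssl = true`, no QUIC listener), so they likely have no effect with an explicit listen list; if they are there for the module's assertions or for consistency with adguardhome.nix, a one-line comment would save the next reader the lookup, e.g. `# explicit listen above; onlySSL/quic kept for consistency with the other vhosts`. The `deferred` flag is combined with `proxy_protocol` on the same listener, which is fine since the deferred accept simply waits for the PROXY header. The enclosing virtualHost attribute set continues outside the hunk.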
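Review bot: The 24-line commented-out `listen` block in libreddit.nix adds dead configuration with no note on why it is kept, and its two entries already disagree (the IPv6 entry lacks `deferred`), so uncommenting it later would yield inconsistent listeners. Either drop it (history preserves it) or replace it with a one-line comment stating why `listenAddresses` plus `quic`/`http3` is used here instead of an explicit listen list; I am inferring that the explicit list was rejected because it would replace the generated QUIC listeners, so the comment should state the real reason.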
@@ -0,0 +1,37 @@ +{ + services.nginx.virtualHosts."default.internal.kempkens.network" = { + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + + { + addr = "[::0]"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + ]; + + default = true; + quic = false; + + onlySSL = true; + useACMEHost = "internal.kempkens.network"; + + locations."/" = { + return = "418"; + }; + }; +} diff --git a/system/nixos/nginx-mediaserver.nix b/system/nixos/nginx-mediaserver.nix new file mode 100644 index 0000000..e5c12ea --- /dev/null +++ b/system/nixos/nginx-mediaserver.nix @@ -0,0 +1,37 @@ +{ + services.nginx.virtualHosts."default.internal.kempkens.network" = { + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + + { + addr = "[::0]"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + ]; + + default = true; + quic = false; + + onlySSL = true; + useACMEHost = "internal.kempkens.network"; + + locations."/" = { + return = "418"; + }; + }; +} diff --git a/system/nixos/nginx-tanker.nix b/system/nixos/nginx-tanker.nix new file mode 100644 index 0000000..84ef5dc --- /dev/null +++ b/system/nixos/nginx-tanker.nix @@ -0,0 +1,37 @@ +{ + services.nginx.virtualHosts."default.kempkens.io" = { + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + + { + addr = "[::0]"; + port = 443; + ssl = true; + extraParameters = [ + "fastopen=63" + "backlog=1023" + "deferred" + ]; + } + ]; + + default = true; + quic = false; + + onlySSL = true; + useACMEHost = "kempkens.io"; + + locations."/" = { + return = "418"; + }; + }; +}
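Review bot: The default server presents the `internal.kempkens.network` certificate to every TLS connection that matches no other SNI name and then answers 418, which reveals that hostname to anyone probing the address; the NixOS nginx module's `rejectSSL = true` (nginx `ssl_reject_handshake on`) closes such handshakes without presenting a certificate, after which `useACMEHost` and `locations."/"` are no longer needed. This file is byte-identical to nginx-mediaserver.nix (same blob e5c12ea) and differs from nginx-tanker.nix only in the vhost name and `useACMEHost`, so a small function taking the name and ACME host in one shared module would avoid three copies of the listen list. With `onlySSL = true` only port 443 gets a default server; whether unknown-name plain-HTTP requests are caught elsewhere is not visible in this commit.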