Update deps

nifoc · Sep 4, 2023 · f5bbd84 · f5bbd84
1 parent e0d3dda
commit f5bbd84
Show file tree

Hide file tree

Showing 16 changed files with 190 additions and 32 deletions.
diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix
@@ -30,7 +30,7 @@
   ];
 
   systemd.tmpfiles.rules = [
-    "d /etc/container-proxitok/cache 0755 33 33"
+    "d /etc/container-proxitok/cache 0755 nobody nogroup"
   ];
 
   services.redis.servers.proxitok = {

diff --git a/flake.lock b/flake.lock
diff --git a/hardware/hosts/argon.nix b/hardware/hosts/argon.nix
@@ -9,9 +9,10 @@
     kernel.sysctl = {
       "net.core.default_qdisc" = "fq";
       "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.ipv4.tcp_syncookies" = 0;
+      "net.ipv4.tcp_syncookies" = 1;
       "net.ipv4.tcp_timestamps" = 1;
       "net.ipv4.tcp_window_scaling" = 1;
+      "net.ipv4.tcp_fastopen" = 3;
       "net.core.rmem_max" = 2500000;
       "net.core.wmem_max" = 2500000;
     };

diff --git a/hardware/hosts/mediaserver.nix b/hardware/hosts/mediaserver.nix
@@ -20,10 +20,12 @@
     kernel.sysctl = {
       "net.core.default_qdisc" = "fq";
       "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.ipv4.tcp_syncookies" = 0;
+      "net.ipv4.tcp_syncookies" = 1;
       "net.ipv4.tcp_timestamps" = 1;
       "net.ipv4.tcp_window_scaling" = 1;
+      "net.ipv4.tcp_fastopen" = 3;
       "net.core.rmem_max" = 2500000;
+      "net.core.wmem_max" = 2500000;
     };
   };
 

diff --git a/hardware/hosts/tanker.nix b/hardware/hosts/tanker.nix
@@ -28,9 +28,10 @@
     kernel.sysctl = {
       "net.core.default_qdisc" = "fq";
       "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.ipv4.tcp_syncookies" = 0;
+      "net.ipv4.tcp_syncookies" = 1;
       "net.ipv4.tcp_timestamps" = 1;
       "net.ipv4.tcp_window_scaling" = 1;
+      "net.ipv4.tcp_fastopen" = 3;
       "net.core.rmem_max" = 2500000;
       "vm.overcommit_memory" = 1;
     };

diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix
@@ -118,12 +118,12 @@ in
   };
   nvim-treesitter = buildVimPluginFrom2Nix {
     pname = "nvim-treesitter";
-    version = "2023-09-02";
+    version = "2023-09-04";
     src = fetchFromGitHub {
       owner = "nvim-treesitter";
       repo = "nvim-treesitter";
-      rev = "17b943e7c5cc2b2db3ac7b5720fbd42e75a00d8d";
-      sha256 = "03yq7pn0vz93xjjrs6cbypqvqxncxgsadmrvgkx177c3w146w0zl";
+      rev = "30604fd7dde5abcba7ca8f5761894dfa61febe51";
+      sha256 = "0mzl92jdgdjr36gy58pvdsca91k0lxf6pzcf3cw86h01rai2lmfg";
       fetchSubmodules = false;
     };
   };
@@ -162,12 +162,12 @@ in
   };
   telescope-nvim = buildVimPluginFrom2Nix {
     pname = "telescope.nvim";
-    version = "2023-09-03";
+    version = "2023-09-04";
     src = fetchFromGitHub {
       owner = "nvim-telescope";
       repo = "telescope.nvim";
-      rev = "3fae9c1e14910e6669bb8ecbb473aba6a9e13b33";
-      sha256 = "0mh0f9wzfdh3vjv52i9h883s8i0zl4qgm3f3ykbi81ah4x25banp";
+      rev = "6b79d7a6a45adc1508a7afee5bc973173ec22f59";
+      sha256 = "15lr5b7922w6wrzky0gy5sgscmw5axvhyajkfdqgrlpl98acqfgp";
       fetchSubmodules = false;
     };
   };
@@ -521,8 +521,8 @@ in
     src = fetchFromGitHub {
       owner = "rebelot";
       repo = "heirline.nvim";
-      rev = "033b35355852daa8b0e0f55dc346a06b303281e6";
-      sha256 = "0hzaznj54lw17zzsy3w9wnqxpd8l0avxj8lwp01sf325jvmlxvkg";
+      rev = "7f1e805dfc001d5dbb7d894105063f463f6c7dcc";
+      sha256 = "1hy5a30pb0cv93dh796lh08p5k43b4b732sr4ka0pwj4n4a3q82r";
       fetchSubmodules = false;
     };
   };

diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix
@@ -16,6 +16,7 @@ in
 
     ../nixos/acme-argon.nix
     ../nixos/nginx.nix
+    ../nixos/nginx-argon.nix
 
     (import ../nixos/adguardhome.nix (args // { inherit secret; }))
 

diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
@@ -15,6 +15,7 @@ in
 
     ../nixos/acme-mediaserver.nix
     ../nixos/nginx.nix
+    ../nixos/nginx-mediaserver.nix
     ../nixos/postgresql.nix
 
     (import ../nixos/adguardhome.nix (args // { inherit secret; }))

diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix
@@ -18,6 +18,7 @@ in
 
     ../nixos/acme-tanker.nix
     ../nixos/nginx.nix
+    ../nixos/nginx-tanker.nix
     ../nixos/postgresql.nix
     ../nixos/elasticsearch.nix
     ../nixos/mosquitto.nix

diff --git a/system/nixos/adguardhome.nix b/system/nixos/adguardhome.nix
@@ -80,17 +80,26 @@
         addr = "0.0.0.0";
         port = 9053;
         ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
       }
 
       {
         addr = "[::0]";
         port = 9053;
         ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
       }
     ];
 
-    quic = true;
-    http3 = true;
+    quic = false;
 
     onlySSL = true;
     useACMEHost = "internal.kempkens.network";

diff --git a/system/nixos/home-proxy.nix b/system/nixos/home-proxy.nix
@@ -9,8 +9,8 @@
     }
 
     server {
-      listen *:${builtins.toString secret.nginx.upstream.video.externalPort};
-      listen [::]:${builtins.toString secret.nginx.upstream.video.externalPort};
+      listen *:${builtins.toString secret.nginx.upstream.video.externalPort} fastopen=63 backlog=1023;
+      listen [::]:${builtins.toString secret.nginx.upstream.video.externalPort} fastopen=63 backlog=1023;
 
       proxy_protocol on;
       proxy_pass video;

diff --git a/system/nixos/jellyfin.nix b/system/nixos/jellyfin.nix
@@ -63,10 +63,17 @@
         addr = "0.0.0.0";
         port = 9921;
         ssl = true;
-        extraParameters = [ "proxy_protocol" ];
+        extraParameters = [
+          "proxy_protocol"
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
       }
     ];
 
+    quic = false;
+
     onlySSL = true;
     useACMEHost = "internal.kempkens.network";
 

diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix
@@ -9,7 +9,31 @@
   };
 
   services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = {
+    # listen = [
+    #   {
+    #     addr = "100.108.165.26";
+    #     port = 443;
+    #     ssl = true;
+    #     extraParameters = [
+    #       "fastopen=63"
+    #       "backlog=1023"
+    #       "deferred"
+    #     ];
+    #   }
+    #
+    #   {
+    #     addr = "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]";
+    #     port = 443;
+    #     ssl = true;
+    #     extraParameters = [
+    #       "fastopen=63"
+    #       "backlog=1023"
+    #     ];
+    #   }
+    # ];
+
     listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ];
+
     quic = true;
     http3 = true;
 

diff --git a/system/nixos/nginx-argon.nix b/system/nixos/nginx-argon.nix
@@ -0,0 +1,37 @@
+{
+  services.nginx.virtualHosts."default.internal.kempkens.network" = {
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+
+      {
+        addr = "[::0]";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+    ];
+
+    default = true;
+    quic = false;
+
+    onlySSL = true;
+    useACMEHost = "internal.kempkens.network";
+
+    locations."/" = {
+      return = "418";
+    };
+  };
+}
diff --git a/system/nixos/nginx-mediaserver.nix b/system/nixos/nginx-mediaserver.nix
@@ -0,0 +1,37 @@
+{
+  services.nginx.virtualHosts."default.internal.kempkens.network" = {
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+
+      {
+        addr = "[::0]";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+    ];
+
+    default = true;
+    quic = false;
+
+    onlySSL = true;
+    useACMEHost = "internal.kempkens.network";
+
+    locations."/" = {
+      return = "418";
+    };
+  };
+}
diff --git a/system/nixos/nginx-tanker.nix b/system/nixos/nginx-tanker.nix
@@ -0,0 +1,37 @@
+{
+  services.nginx.virtualHosts."default.kempkens.io" = {
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+
+      {
+        addr = "[::0]";
+        port = 443;
+        ssl = true;
+        extraParameters = [
+          "fastopen=63"
+          "backlog=1023"
+          "deferred"
+        ];
+      }
+    ];
+
+    default = true;
+    quic = false;
+
+    onlySSL = true;
+    useACMEHost = "kempkens.io";
+
+    locations."/" = {
+      return = "418";
+    };
+  };
+}