update

Turns out, zfs is smart!
ZFS already has sane defaults, no sense in limiting the size of the cache.

configuration.nix

@@ -279,6 +279,7 @@
     openFirewall = true;
     welcometext = "meow meow meow meow meow :3 xd";
     password = builtins.readFile ./secrets/murmur_password;
+    port = service_configs.ports.murmur;
   };
 
   # services.botamusique = {

flake.lock

@@ -89,11 +89,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772420042,
-        "narHash": "sha256-naZz40TUFMa0E0CutvwWsSPhgD5JldyTUDEgP9ADpfU=",
+        "lastModified": 1773025010,
+        "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5af7af10f14706e4095bd6bc0d9373eb097283c6",
+        "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3",
         "type": "github"
       },
       "original": {
@@ -197,11 +197,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772633058,
-        "narHash": "sha256-SO7JapRy2HPhgmqiLbfnW1kMx5rakPMKZ9z3wtRLQjI=",
+        "lastModified": 1772985280,
+        "narHash": "sha256-FdrNykOoY9VStevU4zjSUdvsL9SzJTcXt4omdEDZDLk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "080657a04188aca25f8a6c70a0fb2ea7e37f1865",
+        "rev": "8f736f007139d7f70752657dff6a401a585d6cbc",
         "type": "github"
       },
       "original": {
@@ -300,11 +300,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1771969195,
-        "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=",
+        "lastModified": 1772972630,
+        "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e",
+        "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72",
         "type": "github"
       },
       "original": {
@@ -316,11 +316,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772598333,
-        "narHash": "sha256-YaHht/C35INEX3DeJQNWjNaTcPjYmBwwjFJ2jdtr+5U=",
+        "lastModified": 1773068389,
+        "narHash": "sha256-vMrm7Pk2hjBRPnCSjhq1pH0bg350Z+pXhqZ9ICiqqCs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fabb8c9deee281e50b1065002c9828f2cf7b2239",
+        "rev": "44bae273f9f82d480273bab26f5c50de3724f52f",
         "type": "github"
       },
       "original": {
@@ -454,11 +454,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772416961,
-        "narHash": "sha256-/IiEGGjy0e8Ljo6418fFlqMJs7VLuLxU5pDR5uE+GLE=",
+        "lastModified": 1773021923,
+        "narHash": "sha256-ro+i3wNoD2p5FloGGlkCzdmzgBDeq2LJwaIpaI9Dk7Q=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "bcdbafece2815d32c8dfc51ef17f2858f3d4cfbc",
+        "rev": "7f92c2bcbeb42ce87770a7565f0e6f92c8134354",
         "type": "github"
       },
       "original": {
@@ -530,11 +530,11 @@
     "trackerlist": {
       "flake": false,
       "locked": {
-        "lastModified": 1772579383,
-        "narHash": "sha256-uWJcem+KJZ1xBWv3WYwpYoW/xrie67h47DVUhQl3GcI=",
+        "lastModified": 1773184165,
+        "narHash": "sha256-uGD+QgYZD1ntXl43523bKziyBUs1c3ONi+n5FeFZre0=",
         "owner": "ngosang",
         "repo": "trackerslist",
-        "rev": "6eed267b7044a39b1ccc66437cb56ec38373f288",
+        "rev": "448eba328ad00172a4ba049ec9f9f073b9cd278b",
         "type": "github"
       },
       "original": {
@@ -579,17 +579,17 @@
     "website": {
       "flake": false,
       "locked": {
-        "lastModified": 1768266466,
-        "narHash": "sha256-d4dZzEcIKuq4DhNtXczaflpRifAtcOgNr45W2Bexnps=",
+        "lastModified": 1773169503,
+        "narHash": "sha256-P+T2H18k3zmEHxu7ZIDYyTrK5G3KUcZYW1AzVMKyCMs=",
         "ref": "refs/heads/main",
-        "rev": "06011a27456b3b9f983ef1aa142b5773bcb52b6e",
-        "revCount": 23,
+        "rev": "ae7a7d8325f841c52efb6fd81c4956b84631aa06",
+        "revCount": 24,
         "type": "git",
-        "url": "https://git.gardling.com/titaniumtown/website"
+        "url": "https://git.sigkill.computer/titaniumtown/website"
       },
       "original": {
         "type": "git",
-        "url": "https://git.gardling.com/titaniumtown/website"
+        "url": "https://git.sigkill.computer/titaniumtown/website"
       }
     },
     "ytbn-graphing-software": {
@@ -605,11 +605,11 @@
         "rev": "ac6265eae734363f95909df9a3739bf6360fa721",
         "revCount": 1130,
         "type": "git",
-        "url": "https://git.gardling.com/titaniumtown/YTBN-Graphing-Software"
+        "url": "https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software"
       },
       "original": {
         "type": "git",
-        "url": "https://git.gardling.com/titaniumtown/YTBN-Graphing-Software"
+        "url": "https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software"
       }
     }
   },

flake.nix

@@ -56,7 +56,7 @@
     };
 
     website = {
-      url = "git+https://git.gardling.com/titaniumtown/website";
+      url = "git+https://git.sigkill.computer/titaniumtown/website";
       flake = false;
     };
 
@@ -66,7 +66,7 @@
     };
 
     ytbn-graphing-software = {
-      url = "git+https://git.gardling.com/titaniumtown/YTBN-Graphing-Software";
+      url = "git+https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software";
     };
 
     arr-init = {

modules/age-secrets.nix

@@ -13,11 +13,13 @@
   # Configure all agenix secrets
   age.secrets = {
     # ZFS encryption key
+    # path is set to /etc/zfs-key to match the ZFS dataset keylocation property
     zfs-key = {
       file = ../secrets/zfs-key.age;
       mode = "0400";
       owner = "root";
       group = "root";
+      path = "/etc/zfs-key";
     };
 
     # Secureboot keys archive
@@ -53,9 +55,9 @@
 
     slskd_env = {
       file = ../secrets/slskd_env.age;
-      mode = "0400";
-      owner = "root";
-      group = "root";
+      mode = "0500";
+      owner = config.services.slskd.user;
+      group = config.services.slskd.group;
     };
 
     # Network configuration

modules/zfs.nix

@@ -4,46 +4,13 @@
   pkgs,
   ...
 }:
-let
-  # DO NOT CHANGE
-  # path is set via a zfs property
-  zfs-key = "/etc/zfs-key";
-in
 {
-  system.activationScripts = {
-    # Copy decrypted ZFS key from agenix to expected location
-    # /etc is on tmpfs due to impermanence, so no persistent storage risk
-    "zfs-key".text = ''
-      #!/bin/sh
-      rm -f ${zfs-key} || true
-      cp ${config.age.secrets.zfs-key.path} ${zfs-key}
-      chmod 0400 ${zfs-key}
-      chown root:root ${zfs-key}
-    '';
-  };
-
   boot.zfs.package = pkgs.zfs;
   boot.initrd.kernelModules = [ "zfs" ];
 
-  boot.kernelParams =
-    let
-      arc_gb = 32;
-      arc_mb = arc_gb * 1000;
-      arc_kb = arc_mb * 1000;
-      arc_b = arc_kb * 1000;
-
-      dirty_gb = 8; # Default value is 4GB, helps smooth writes
-      dirty_mb = dirty_gb * 1000;
-      dirty_kb = dirty_mb * 1000;
-      dirty_b = dirty_kb * 1000;
-    in
-    [
-      "zfs.zfs_arc_max=${builtins.toString arc_b}"
-      "zfs.zfs_txg_timeout=120" # longer TXG open time = larger sequential writes
-      "zfs.zfs_dirty_data_max=${builtins.toString dirty_b}"
-      "zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%)
-      "zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10)
-    ];
+  boot.kernelParams = [
+    "zfs.zfs_txg_timeout=120" # longer TXG open time = larger sequential writes
+  ];
 
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.extraPools = [

service-configs.nix

@@ -21,6 +21,7 @@ rec {
     livekit = 7880; # TCP
     soulseek_listen = 50300; # TCP
     monero = 18080; # TCP
+    murmur = 64738; # TCP + UDP
 
     # private
     jellyfin = 8096; # TCP - no services.jellyfin option for this
@@ -44,7 +45,8 @@ rec {
 
   https = {
     certs = services_dir + "/http_certs";
-    domain = "gardling.com";
+    domain = "sigkill.computer";
+    old_domain = "gardling.com"; # Redirect traffic from old domain
   };
 
   gitea = {

services/caddy.nix

@@ -41,6 +41,9 @@ let
       hugo --minify -d $out;
     '';
   };
+
+  newDomain = service_configs.https.domain;
+  oldDomain = service_configs.https.old_domain;
 in
 {
   imports = [
@@ -52,14 +55,53 @@ in
   services.caddy = {
     enable = true;
     email = "titaniumtown@proton.me";
+
+    # Enable on-demand TLS for old domain redirects
+    # Certs are issued dynamically when subdomains are accessed
+    globalConfig = ''
+      on_demand_tls {
+        ask http://localhost:9123/check
+      }
+    '';
+
+    # Internal endpoint to validate on-demand TLS requests
+    # Only allows certs for *.${oldDomain}
+    extraConfig = ''
+      http://localhost:9123 {
+        @allowed expression {query.domain}.endsWith(".${oldDomain}") || {query.domain} == "${oldDomain}" || {query.domain} == "www.${oldDomain}"
+        respond @allowed 200
+        respond 403
+      }
+    '';
+
     virtualHosts = {
-      ${service_configs.https.domain} = {
+      ${newDomain} = {
         extraConfig = ''
           root * ${hugoWebsite}
           file_server browse
         '';
 
-        serverAliases = [ "www.${service_configs.https.domain}" ];
+        serverAliases = [ "www.${newDomain}" ];
+      };
+
+      # Redirect old domain (bare + www) to new domain
+      ${oldDomain} = {
+        extraConfig = ''
+          redir https://${newDomain}{uri} permanent
+        '';
+        serverAliases = [ "www.${oldDomain}" ];
+      };
+
+      # Wildcard redirect for all old domain subdomains
+      # Uses on-demand TLS - certs issued automatically on first request
+      "*.${oldDomain}" = {
+        extraConfig = ''
+          tls {
+            on_demand
+          }
+          # {labels.2} extracts subdomain from *.gardling.com
+          redir https://{labels.2}.${newDomain}{uri} permanent
+        '';
       };
     };
   };

services/jellyfin.nix

@@ -19,8 +19,6 @@
 
   services.jellyfin = {
     enable = true;
-    # used for local streaming
-    openFirewall = true;
     package = pkgs.jellyfin.override { jellyfin-ffmpeg = (lib.optimizePackage pkgs.jellyfin-ffmpeg); };
 
     inherit (service_configs.jellyfin) dataDir cacheDir;

services/matrix.nix

@@ -1,34 +1,9 @@
 {
   config,
-  pkgs,
   service_configs,
   lib,
   ...
 }:
-let
-  package =
-    let
-      src = pkgs.fetchFromGitea {
-        domain = "forgejo.ellis.link";
-        owner = "continuwuation";
-        repo = "continuwuity";
-        rev = "052c4dfa2165fdc4839fed95b71446120273cf23";
-        hash = "sha256-kQV4glRrKczoJpn9QIMgB5ac+saZQjSZPel+9K9Ykcs=";
-      };
-    in
-    pkgs.matrix-continuwuity.overrideAttrs (old: {
-      inherit src;
-      cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
-        inherit src;
-        name = "${old.pname}-vendor";
-        hash = "sha256-vlOXQL8wwEGFX+w0G/eIeHW3J1UDzhJ501kYhAghDV8=";
-      };
-
-      patches = (old.patches or [ ]) ++ [
-
-      ];
-    });
-in
 {
   imports = [
     (lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [
@@ -41,7 +16,6 @@ in
 
   services.matrix-continuwuity = {
     enable = true;
-    inherit package;
 
     settings.global = {
       port = [ service_configs.ports.matrix ];

services/minecraft.nix

@@ -18,6 +18,9 @@
     (lib.serviceFilePerms "minecraft-server-${service_configs.minecraft.server_name}" [
       "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
       "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
+      # Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
+      "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
+      "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
     ])
   ];
 
@@ -190,9 +193,4 @@
     ];
   };
 
-  systemd.tmpfiles.rules = [
-    # Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
-    "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
-    "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
-  ];
 }

services/monero.nix

@@ -17,15 +17,20 @@
     enable = true;
     dataDir = service_configs.monero.dataDir;
     rpc = {
+      address = "0.0.0.0";
       port = service_configs.ports.monero_rpc;
       restricted = true;
     };
     extraConfig = ''
       p2p-bind-port=${builtins.toString service_configs.ports.monero}
+      db-sync-mode=fast:async:1000000000bytes
+      public-node=1
+      confirm-external-bind=1
     '';
   };
 
   networking.firewall.allowedTCPPorts = [
     service_configs.ports.monero
+    service_configs.ports.monero_rpc
   ];
 }

services/qbittorrent.nix

@@ -102,7 +102,6 @@
         ChokingAlgorithm = "RateBased";
         PieceExtentAffinity = true;
         SuggestMode = true;
-        CoalesceReadWrite = true;
 
         # max_queued_disk_bytes: the max bytes waiting in the disk I/O queue.
         # When this limit is reached, peer connections stop reading from their
@@ -112,6 +111,12 @@
         # where ZFS txg commits cause periodic I/O stalls.
         DiskQueueSize = 67108864; # 64MB
 
+        # POSIX-compliant disk I/O: uses pread/pwrite instead of mmap.
+        # On ZFS, mmap forces data into BOTH ARC and Linux page cache (double-caching),
+        # wasting RAM. pread/pwrite goes only through ARC, maximizing its effectiveness.
+        # Saved 26 gb of memory!!
+        DiskIOType = "Posix";
+
         # === Network buffer tuning (from libtorrent high_performance_seed preset) ===
         # "always stuff at least 1 MiB down each peer pipe, to quickly ramp up send rates"
         SendBufferLowWatermark = 1024; # 1MB (KiB) -- matches high_performance_seed

services/soulseek.nix

@@ -6,9 +6,6 @@
   username,
   ...
 }:
-let
-  slskd_env = "/etc/slskd_env";
-in
 {
   imports = [
     (lib.serviceMountWithZpool "slskd" "" [
@@ -26,20 +23,10 @@ in
 
   users.groups."music" = { };
 
-  system.activationScripts = {
-    "skskd_env".text = ''
-      #!/bin/sh
-      rm -fr ${slskd_env} || true
-      cp ${config.age.secrets.slskd_env.path} ${slskd_env}
-      chmod 0500 ${slskd_env}
-      chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
-    '';
-  };
-
   services.slskd = {
     enable = true;
     domain = null; # null so we don't use nginx reverse proxy
-    environmentFile = slskd_env;
+    environmentFile = config.age.secrets.slskd_env.path;
 
     settings = {
       web = {

tests/fail2ban-jellyfin.nix

@@ -55,6 +55,9 @@ pkgs.testers.runNixOSTest {
           jellyfinModule
         ];
 
+        # needed for testing
+        services.jellyfin.openFirewall = true;
+
         # Create the media group
         users.groups.media = { };