nginx: enable http3

config/services/akkoma/default.nix

@@ -231,7 +231,6 @@
     pkgs.postgresql15Packages.rum
   ];
   services.nginx = {
-    package = pkgs.tengine;
     clientMaxBodySize = "256m";
     commonHttpConfig = ''
       proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache

config/services/nginx.nix

@@ -1,4 +1,6 @@
-{ config, lib, ... }: with lib; {
+{ config, lib, pkgs, ... }: let 
+  inherit (lib) mkDefault;
+in {
   kyouma.deployment.tags = [ "web" ];
   security.dhparams.enable = true;
   security.dhparams.params.nginx = {};
@@ -9,9 +11,10 @@
       email = "noc@kyouma.net";
     };
   };
+  networking.firewall.allowedUDPPorts = [ 443 ];
   services.nginx = {
     enable = true;
-    #package = pkgs.nginxQuic;
+    package = mkDefault pkgs.nginxQuic;
     
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
@@ -32,6 +35,7 @@
       add_header X-XSS-Protection 		      "1; mode=block" always;
       add_header X-Frame-Options 		        "SAMEORIGIN" always;
       add_header Referrer-Policy 		        "same-origin" always;
+      add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
       #add_header Content-Security-Policy    "script-src 'self'; object-src 'none'; base-uri 'none';" always;
     '';
     eventsConfig = ''

modules/nginx/default.nix

@@ -2,6 +2,7 @@
   cfg = config.kyouma.nginx;
   extraConfig = ''
     add_header Strict-Transport-Security 	$hsts_header;
+    add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
     #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
     add_header X-Content-Type-Options 	"nosniff" always;
     add_header X-XSS-Protection 		"1; mode=block" always;
@@ -9,11 +10,11 @@
     add_header Referrer-Policy 		"same-origin" always;
   '';
   createHost = vhostName: vhostCfg: {
-    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+    extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
     forceSSL = true;
     #kTLS = true;
-    #http3 = true;
+    http3 = true;
-    #quic = true; 
+    quic = true; 
   } //
   lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
     enableACME = true;

pkgs/overlay.nix

@@ -6,4 +6,5 @@ final: prev: {
   librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
   librespeed-go = final.callPackage ./librespeed-go/default.nix {};
   akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
+  nginxQuic = prev.nginxQuic.override { withSlice = true; };
 }