diff --git a/config/default.nix b/config/default.nix
index eb140296..8ee1fbf0 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -21,9 +21,6 @@
  # reset 60 seconds after a kernel panic
  "kernel.panic" = 60;
  "net.ipv4.tcp_congestion_control" = "bbr";
- # enable tcp fastopen for outgoing and incoming connections
- # used by haproxy and nginx
- "net.ipv4.tcp_fastopen" = 3;
 };
 # recommend to turn off, only on by default for backwards compatibility
 zfs.forceImportRoot = false;
@@ -200,21 +197,6 @@
  proxy_set_header X-Real-IP $proxy_protocol_addr;
  proxy_set_header X-Forwarded-For $proxy_protocol_addr;
 '';
- virtualHosts."_".listen = let
- extraParameters = [
- "reuseport"
-
- # net.core.somaxconn is set to 4096
- # see https://www.nginx.com/blog/tuning-nginx/#:~:text=to%20a%20value-,greater%20than%20512,-%2C%20change%20the%20backlog
- "backlog=1024"
-
- "deferred"
- "fastopen=256" # requires nginx to be compiled with -DTCP_FASTOPEN=23
- ];
- in lib.mkDefault [
- { addr = "[::]"; port = 80; inherit extraParameters; }
- { addr = "[::]"; port = 443; ssl = true; inherit extraParameters; }
- ];
 };
 
 openssh = {
diff --git a/flake.lock b/flake.lock
index 4ecc1f05..6ebc6b13 100644
--- a/flake.lock
+++ b/flake.lock
@@ -362,11 +362,11 @@
 },
 "nixos": {
 "locked": {
- "lastModified": 1694342461,
- "narHash": "sha256-/0NhpfW6cSd3k39QhQoSchKt3UGG2n/o4qmg75h/8cY=",
+ "lastModified": 1694346869,
+ "narHash": "sha256-3rom5sUg5Euqiq3XdnxISy++iRafclsIT191KriTQv0=",
 "owner": "SuperSandro2000",
 "repo": "nixpkgs",
- "rev": "607451c9283d51c259662d37d50e9a7984a08579",
+ "rev": "c6c94ddf0a33eae72051a4fe4543609c9de1eff9",
 "type": "github"
 },
 "original": {
@@ -398,11 +398,11 @@
 ]
 },
 "locked": {
- "lastModified": 1694293408,
- "narHash": "sha256-5Mka4G5nYSlOALiBGv3kMTS7XWCFE6DFz8xdl+tYcrw=",
+ "lastModified": 1694347645,
+ "narHash": "sha256-4REU1NpRvtD8CO/UZ3sAP5mE7C9HmP5RjO2XFIHT2Gk=",
 "owner": "SuperSandro2000",
 "repo": "nixos-modules",
- "rev": "0274bc775d2496ce95aec10b4cbb786ee0737dfb",
+ "rev": "7adbab67fd91b05095b46221b3772b1e8cd01d0b",
 "type": "github"
 },
 "original": {
@@ -452,11 +452,11 @@
 ]
 },
 "locked": {
- "lastModified": 1694252381,
- "narHash": "sha256-TkwNC+30EMjselnwg3OCZ29gNLqqkPskeQVC8s9Khaw=",
+ "lastModified": 1694342626,
+ "narHash": "sha256-wbNZq57MUGVXBVyPD0+JFGAIW7a0NUYMCM6dOHCWG50=",
 "owner": "astro",
 "repo": "nix-openwrt-imagebuilder",
- "rev": "2239e2b0b4d4af0bec3edc379449ed8aec1f32fc",
+ "rev": "cceaa22c6e7f027569ec29c466e63d7fbb7b3356",
 "type": "github"
 },
 "original": {
diff --git a/modules/stats.nix b/modules/stats.nix
index b6b23ffb..b2b349dd 100644
--- a/modules/stats.nix
+++ b/modules/stats.nix
@@ -1,11 +1,10 @@
-{ config, lib, libC, pkgs, ... }:
+{ config, lib, libC, ... }:
 
 let
  cfg = config.c3d2.hq.statistics;
 
- isMetal =
- !config.boot.isContainer &&
- !(config ? microvm);
+ isMetal = !config.boot.isContainer && !(config ? microvm);
+ supportsNodeExporter = config.nixpkgs.system != "riscv64-linux";
 
  nginxStatusPort = 9100;
 in
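Review bot: `supportsNodeExporter = config.nixpkgs.system != "riscv64-linux";` reads an option that modules are not supposed to consume: as far as I can tell from the current nixpkgs module, its default throws as soon as a host sets `nixpkgs.hostPlatform` instead of the legacy `nixpkgs.system`, so evaluation would fail on such hosts where the old `pkgs.system` test always worked. Keeping `pkgs` in the argument set and writing `supportsNodeExporter = pkgs.stdenv.hostPlatform.system != "riscv64-linux";` avoids that while preserving the intent of the refactor. The later hunks of this file (`nginx.enable`, the `"_"` virtual host and `prometheus.exporters.node`) all build on this binding, so the change only needs to be made here.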
@@ -57,9 +56,24 @@ in
 };
 };
 
- nginx = lib.mkMerge [
- (lib.mkIf config.services.nginx.enable {
- virtualHosts.localhost = {
+ nginx = {
+ # nginx only needs to be explicitly enabled when proxing node_exporter
+ enable = lib.mkIf supportsNodeExporter true;
+
+ virtualHosts = {
+ # only required when proxying node_exporter
+ "_" = lib.mkIf supportsNodeExporter {
+ listen = [
+ { addr = "0.0.0.0"; port = nginxStatusPort; }
+ { addr = "[::]"; port = nginxStatusPort; }
+ ];
+ locations."/metrics" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
+ extraConfig = libC.hqNetworkOnly;
+ };
+ };
+
+ localhost = lib.mkIf cfg.enable {
  listen = [
  { addr = "127.0.0.1"; port = nginxStatusPort; }
  { addr = "[::1]"; port = nginxStatusPort; }
@@ -73,24 +87,10 @@ in
  deny all;
  '';
  };
- })
+ };
+ };
 
- (lib.mkIf (pkgs.system != "riscv64-linux") {
- enable = true;
- virtualHosts."_" = {
- listen = [
- { addr = "0.0.0.0"; port = nginxStatusPort; }
- { addr = "[::]"; port = nginxStatusPort; }
- ];
- locations."/metrics" = {
- proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
- extraConfig = libC.hqNetworkOnly;
- };
- };
- })
- ];
-
- prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
+ prometheus.exporters.node = lib.mkIf supportsNodeExporter {
  enable = true;
  enabledCollectors = [ "ethtool" "systemd" ];
  listenAddress = "127.0.0.1";
diff --git a/overlays/default.nix b/overlays/default.nix
index 7cc5befb..db13087f 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -92,10 +92,6 @@ with final; {
  mlat-client = python3Packages.callPackage ./mlat-client.nix { };
 
- nginx = prev.nginx.override {
- configureFlags = [ "-DTCP_FASTOPEN=23" ];
- };
-
  nixVersions = prev.nixVersions // {
  stable = prev.nixVersions.stable.overrideAttrs (oldAttrs: {
  patches = oldAttrs.patches or [ ] ++ [
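Review bot: The comment added above `enable = lib.mkIf supportsNodeExporter true;` has a typo; suggested wording `# nginx only needs to be explicitly enabled when proxying node_exporter`. Separately, the `localhost` virtual host is now gated on `cfg.enable`, whereas before it was emitted whenever `config.services.nginx.enable` was true (within whatever outer condition wraps this block), so a host where nginx is enabled by another module but `c3d2.hq.statistics.enable` is off loses the 127.0.0.1 status endpoint on `nginxStatusPort`. If that is intended, a short comment mirroring the one on `"_"` would document it, e.g. `# only required when the statistics module itself is enabled`; if not, the previous condition should be restored. The attribute set that `nginx` belongs to starts and ends outside the hunk.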