diff --git a/machines/servo/default.nix b/machines/servo/default.nix
index a3a47a95..429e607b 100644
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -8,6 +8,7 @@
 ./users.nix
 ./services/ddns-he.nix
 ./services/gitea.nix
+ ./services/ipfs.nix
 ./services/jackett.nix
 ./services/jellyfin.nix
 ./services/matrix.nix
@@ -29,6 +30,12 @@
 sopsFile = ../../secrets/servo.yaml;
 };
 
+ # both transmission and ipfs try to set different net defaults.
+ # we just use the most aggressive of the two here:
+ boot.kernel.sysctl = {
+ "net.core.rmem_max" = "4194304"; # 4MB
+ };
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/machines/servo/services/ipfs.nix b/machines/servo/services/ipfs.nix
new file mode 100644
index 00000000..be55e8df
--- /dev/null
+++ b/machines/servo/services/ipfs.nix
@@ -0,0 +1,23 @@
+{ ... }:
+{
+ services.ipfs.enable = true;
+ services.ipfs.localDiscovery = true;
+ services.ipfs.swarmAddress = [
+ "/dns4/ipfs.uninsane.org/tcp/4001"
+ "/ip4/0.0.0.0/tcp/4001"
+ "/dns4/ipfs.uninsane.org/udp/4001/quic"
+ "/ip4/0.0.0.0/udp/4001/quic"
+ ];
+ services.ipfs.extraConfig = {
+ Addresses = {
+ Announce = [
+ "/dns4/ipfs.uninsane.org/tcp/4001"
+ "/dns4/ipfs.uninsane.org/udp/4001/quic"
+ ];
+ };
+ Gateway = {
+ # the gateway can only be used to serve content already replicated on this host
+ NoFetch = true;
+ };
+ };
+}
diff --git a/machines/servo/services/nginx.nix b/machines/servo/services/nginx.nix
index 8bd942db..1c0d4bb5 100644
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
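Review bot: `services.ipfs.localDiscovery = true;` in machines/servo/services/ipfs.nix enables LAN peer discovery on a daemon that also accepts swarm connections on every interface (`/ip4/0.0.0.0/tcp/4001` and the QUIC equivalent), and the file gives no reason for it. As far as I recall, the NixOS option's own description warns that this lets the daemon probe the local network, so unless peers on the same LAN are expected I would set it to `false`, or keep it with a comment such as `# intentional: other hosts on this LAN peer with servo directly`. Nothing in this diff opens or restricts port 4001 in the firewall, so whether the swarm listener is reachable from outside depends on configuration not shown here; a one-line comment next to `swarmAddress` saying which is intended would help the next reader.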
@@ -210,6 +210,23 @@
 };
 };
 
+ services.nginx.virtualHosts."ipfs.uninsane.org" = {
+ # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
+ # ideally we'd disable ssl entirely, but some places assume it?
+ addSSL = true;
+ enableACME = true;
+
+ default = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Ipfs-Gateway-Prefix "";
+ '';
+ };
+ };
+
 # exists only to manage certs for dovecot
 services.nginx.virtualHosts."imap.uninsane.org" = {
 forceSSL = true;
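Review bot: `default = true;` combined with `proxy_set_header Host $host;` means every request whose Host matches no other vhost, including requests by bare IP or with an arbitrary client-chosen name, is forwarded to the IPFS gateway with that name intact, where it is presumably treated as a DNSLink hostname. `NoFetch` in ipfs.nix limits which content can be returned, but I would expect the gateway to still resolve whatever name the client supplies, and this vhost now also answers for mistyped names of the other services on the host. If only a few domains are DNSLinked here, listing them in `serverAliases` instead of using `default = true` would keep that set explicit; otherwise add a comment saying the catch-all is deliberate. Separately, the `X-Ipfs-Gateway-Prefix ""` line deserves a comment, for example `# empty value makes nginx omit the header, so a client-supplied prefix never reaches the gateway`.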