From 86bfe8598227583f8543fec215e11cac93ce7e50 Mon Sep 17 00:00:00 2001 From: clerie Date: Tue, 24 Jun 2025 16:42:03 +0200 Subject: [PATCH 1/2] hosts/porter: Resolve nginx proxy upstreams via unbound --- hosts/gatekeeper/configuration.nix | 1 + hosts/porter/configuration.nix | 11 +++++++++++ modules/nginx-port-forward/default.nix | 6 +++++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix index ed30b6d..718cda2 100644 --- a/hosts/gatekeeper/configuration.nix +++ b/hosts/gatekeeper/configuration.nix @@ -131,6 +131,7 @@ clerie.nginx-port-forward = { enable = true; + resolver = "127.0.0.53"; tcpPorts."443" = { host = "localhost"; port = 22; diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix index 2c873a4..fa7da12 100644 --- a/hosts/porter/configuration.nix +++ b/hosts/porter/configuration.nix @@ -28,8 +28,19 @@ profiles.clerie.common-webserver.httpDefaultVirtualHost = false; + services.unbound = { + enable = true; + resolveLocalQueries = false; + settings = { + server = { + interface = [ "127.0.0.1" ]; + }; + }; + }; + clerie.nginx-port-forward = { enable = true; + resolver = "127.0.0.1"; tcpPorts."80" = { host = "baikonur.dyn.weimarnetz.de"; port = 80; diff --git a/modules/nginx-port-forward/default.nix b/modules/nginx-port-forward/default.nix index 7d6e2f3..64e1464 100644 --- a/modules/nginx-port-forward/default.nix +++ b/modules/nginx-port-forward/default.nix @@ -9,7 +9,7 @@ let mkServerBlock = isUDP: port: forward: '' server { - resolver 127.0.0.53 ipv4=off valid=30s; + resolver ${cfg.resolver} ipv4=off valid=30s; listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; 
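Review bot: The new `services.unbound` block in hosts/porter/configuration.nix has no comment saying why this host runs its own recursive resolver while gatekeeper keeps the systemd-resolved stub at 127.0.0.53, and its `interface = [ "127.0.0.1" ]` must stay in step with `clerie.nginx-port-forward.resolver = "127.0.0.1"` a few lines below, otherwise nginx can no longer re-resolve the upstream after the 30s validity window. A comment above the block would capture both: `# Local recursive resolver used only by nginx-port-forward (resolveLocalQueries = false keeps the host's own lookups elsewhere); keep interface in sync with nginx-port-forward.resolver below`. Note that `interface` only limits where unbound listens, not who may query it; that is governed by access-control, which this hunk leaves at the module default and which presumably admits only localhost — worth confirming, since the answer unbound returns is the address nginx forwards client traffic to.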
@@ -54,6 +54,10 @@ in options = { clerie.nginx-port-forward = { enable = mkEnableOption "Nginx Port Forward"; + resolver = mkOption { + type = types.str; + description = "IP address of the resolver to use for upstream hostnames"; + }; tcpPorts = mkOption { type = with types; attrsOf (submodule portOpts); default = {}; From a3a4d7303f3596c868bce29bbd0bc9087dd01534 Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Wed, 25 Jun 2025 03:03:06 +0200 Subject: [PATCH 2/2] Update nixpkgs 2025-06-25-01-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index a198352..a220d6c 100644 --- a/flake.lock +++ b/flake.lock @@ -566,11 +566,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1748190013, - "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", + "lastModified": 1750506804, + "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", + "rev": "4206c4cb56751df534751b058295ea61357bbbaa", "type": "github" }, "original": {
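Review bot: The new `resolver` option in modules/nginx-port-forward/default.nix has no default, so any host that enables `clerie.nginx-port-forward` without setting it now fails evaluation; the two hosts in this patch are updated, but if other consumers exist, `default = "127.0.0.53";` would preserve the previous behaviour. The value is also spliced unquoted into the `resolver ${cfg.resolver} ipv4=off valid=30s;` directive in the earlier hunk, so `types.str` accepts whitespace or `;` that would turn into extra nginx directives; a narrower type such as `type = types.strMatching "[^ ;]+";` rejects that at evaluation time. The description could state the accepted forms as well, e.g. `description = "IP address (optionally with :port) of the DNS resolver nginx uses to re-resolve upstream hostnames; must be reachable from nginx at runtime";`.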