feat: new services and fixes

roles/nginx/tasks/main.yml

@@ -51,11 +51,10 @@
 
 - name: Enable Certbot renewal timer
   ansible.builtin.systemd:
-    name: certbot-renew.timer
+    name: "{{ certbot_timer }}"
     enabled: true
     state: started
   when: acme_email is defined
-  ignore_errors: true
 
 - name: Ensure nginx conf.d directory exists
   ansible.builtin.file:

roles/nginx/templates/forwarder.conf.j2

@@ -3,23 +3,19 @@
 # Transparent TCP proxy (no protocol inspection)
 
 {% if config.http | default(true) %}
-upstream {{ domain | replace('.', '_') | replace('-', '_') }}_http {
-    server {{ config.forward_to }}:80;
-}
-
 server {
     listen 80;
-    proxy_pass {{ domain | replace('.', '_') | replace('-', '_') }}_http;
+    # Using variable forces runtime DNS resolution (avoids startup failures)
+    set $upstream_http {{ config.forward_to }};
+    proxy_pass $upstream_http:80;
 }
 {% endif %}
 
 {% if config.https | default(true) %}
-upstream {{ domain | replace('.', '_') | replace('-', '_') }}_https {
-    server {{ config.forward_to }}:443;
-}
-
 server {
     listen 443;
-    proxy_pass {{ domain | replace('.', '_') | replace('-', '_') }}_https;
+    # Using variable forces runtime DNS resolution (avoids startup failures)
+    set $upstream_https {{ config.forward_to }};
+    proxy_pass $upstream_https:443;
 }
 {% endif %}

roles/nginx/templates/nginx.conf.j2

@@ -57,6 +57,11 @@ http {
 {% if nginx_forwarder and nginx_forwarder | length > 0 %}
 # Stream block for TCP/UDP proxying
 stream {
+    # DNS resolver for runtime hostname resolution
+    # Using 127.0.0.1 (systemd-resolved) with 30s cache and 5s timeout
+    resolver 127.0.0.1 valid=30s ipv6=off;
+    resolver_timeout 5s;
+
     # Load stream configurations
     include {{ nginx_streams_dir }}/*.conf;
 }

roles/nginx/vars/archlinux.yml

@@ -1,2 +1,3 @@
 ---
 nginx_user: http
+certbot_timer: certbot-renew.timer

roles/nginx/vars/debian.yml

@@ -1,2 +1,3 @@
 ---
 nginx_user: www-data
+certbot_timer: certbot.timer