feat: fix systemd user and add static-web role

roles/nginx/templates/forwarder.conf.j2

@@ -3,19 +3,23 @@
 # Transparent TCP proxy (no protocol inspection)
 
 {% if config.http | default(true) %}
+upstream {{ domain | replace('.', '_') | replace('-', '_') }}_http {
+    server {{ config.forward_to }}:80;
+}
+
 server {
     listen 80;
-    # Using variable forces runtime DNS resolution (avoids startup failures)
-    set $upstream_http {{ config.forward_to }};
-    proxy_pass $upstream_http:80;
+    proxy_pass {{ domain | replace('.', '_') | replace('-', '_') }}_http;
 }
 {% endif %}
 
 {% if config.https | default(true) %}
+upstream {{ domain | replace('.', '_') | replace('-', '_') }}_https {
+    server {{ config.forward_to }}:443;
+}
+
 server {
     listen 443;
-    # Using variable forces runtime DNS resolution (avoids startup failures)
-    set $upstream_https {{ config.forward_to }};
-    proxy_pass $upstream_https:443;
+    proxy_pass {{ domain | replace('.', '_') | replace('-', '_') }}_https;
 }
 {% endif %}

roles/nginx/templates/nginx.conf.j2

@@ -57,11 +57,6 @@ http {
 {% if nginx_forwarder and nginx_forwarder | length > 0 %}
 # Stream block for TCP/UDP proxying
 stream {
-    # DNS resolver for runtime hostname resolution
-    # Using 127.0.0.1 (systemd-resolved) with 30s cache and 5s timeout
-    resolver 127.0.0.1 valid=30s ipv6=off;
-    resolver_timeout 5s;
-
     # Load stream configurations
     include {{ nginx_streams_dir }}/*.conf;
 }