From e04e623deab13e1f738f933a722e6f32658da84d Mon Sep 17 00:00:00 2001
From: fruchti <fruchti@gvfr.de>
Date: Tue, 23 Dec 2025 17:46:35 +0100
Subject: [PATCH] Emitter: Make Rupert TLS upstream IPv6-only

---
 hosts/tls_sni.nix | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
index b870e92..58e2195 100644
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
@@ -3,31 +3,28 @@
     services.nginx = {
         streamConfig = ''
             map $ssl_preread_server_name $target_backend {
-                md.gvfr.de rupert;
-                rupert.gvfr.de rupert;
-                default localserv;
+                default         rupert;
+                md.gvfr.de      rupert;
+                rupert.gvfr.de  rupert;
+                git.25120.org   localserv;
             }
 
             upstream rupert {
-                server rupert.gvfr.de:4431;
+                zone upstream_rupert 64k;
+
+                server rupert.gvfr.de:4431 resolve;
+                resolver 9.9.9.9 ipv4=off ipv6=on;
             }
 
             upstream localserv {
-                server localhost:4431;
+                server 127.0.0.1:4431;
             }
 
             server {
                 listen 443;
                 ssl_preread on;
-
-                # proxy_connect_timeout 1s;
-                # proxy_timeout 3s;
-                # resolver 1.1.1.1;
-
-                proxy_pass $target_backend;
-                proxy_next_upstream off;
-
                 proxy_protocol on;
+                proxy_pass $target_backend;
             }
         '';