From 78852c6b0a90cd6517a519c8a8915b1861233bdb Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Fri, 15 May 2026 15:34:51 -0700
Subject: [PATCH] nginx: 1.30.1 security fix via overlay

nixos-unstable (the channel branch this flake tracks) does not yet contain nginx 1.30.1. Pull the fix forward from nixpkgs master (PR #519893, merged 2026-05-14) with a scoped nginxStable overlay override. Remove once nixos-unstable advances past 2026-05-14.
---
 overlays/default.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/overlays/default.nix b/overlays/default.nix
index 020cd56..6d6ecaf 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -32,6 +32,19 @@ in
 ];
 });
 
+ # nginx 1.30.0 -> 1.30.1: critical security fix. Pulled forward from
+ # nixpkgs master (PR #519893, merged 2026-05-14) because the
+ # nixos-unstable channel branch we track does not have it yet.
+ # Remove once nixos-unstable advances past 2026-05-14.
+ nginxStable = prev.nginxStable.overrideAttrs (old: rec {
+ version = "1.30.1";
+ src = prev.fetchurl {
+ url = "https://nginx.org/download/nginx-${version}.tar.gz";
+ hash = "sha256-mXZQANl0iWsxyliC2MJ5zj/n729cb58Kln7X/TQH+cw=";
+ };
+ });
+ nginx = final.nginxStable;
+
 # Plasma Bigscreen: TV-optimized KDE shell (not yet packaged in nixpkgs)
 plasma-bigscreen = import ./plasma-bigscreen.nix {
 inherit (prev.kdePackages)
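Review bot: The `nginxStable` override is unconditional, so the only thing that retires it is the "Remove once nixos-unstable advances" comment; if that is forgotten and the channel later ships a newer nginx, this overlay keeps pinning `src` to the 1.30.1 tarball and silently holds back later security fixes. A version guard makes the pin expire by itself: `nginxStable = if prev.lib.versionOlder prev.nginxStable.version "1.30.1" then prev.nginxStable.overrideAttrs (…) else prev.nginxStable;`. The override also carries only `version` and `src`, so any patch-list or build-flag change made in the upstream PR is not picked up, and anything the package expression derives from its own version argument presumably still sees 1.30.0; both are worth checking against the PR diff. The `old` argument is unused and could be written `_`. The overlay attribute set that encloses these lines starts and ends outside the hunk.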