fix nginx/arion/runner failures introduced by podman switch
- Break systemd ordering deadlock: nginx.after mkForce removes DNS-challenge ACME services (philippeterson, webdav) from nginx's After list, which was creating a cycle through nginx-config-reload back to HTTP-webroot ACME services that need nginx Before them. - Fix arion services not finding podman socket: arion NixOS module sets backend=podman-socket but doesn't inject DOCKER_HOST; add explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three arion projects. - Fix gitea-runner startup race: add After/Wants on arion-forgejo so the runner doesn't try to register before Forgejo is up. - Fix riverside image reference: pinned digest was stale after a re-push; switch to :latest. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
3876bb177a
commit
359292b497
3 changed files with 32 additions and 3 deletions
|
|
@ -7,7 +7,7 @@
|
|||
services = {
|
||||
app = {
|
||||
service = {
|
||||
image = "forge.quinefoundation.com/ironmagma/riverside@sha256:0d5d9927c726d67f5e587a00c95fda7b2583e6df8248e8d50f553ebc8fb37b21";
|
||||
image = "forge.quinefoundation.com/ironmagma/riverside:latest";
|
||||
container_name = "riverside";
|
||||
restart = "unless-stopped";
|
||||
networks = [ "riverside" ];
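Review bot: Replacing the `@sha256:` digest with the mutable `:latest` tag on the `image` line removes the only thing that pinned which riverside build this host runs; the stale digest was the symptom, the fix is a fresh pin, not an unpin. With `:latest`, any later push to the tag (intended or not) is deployed silently on the next pull, and the deployed artifact can no longer be checked against the compose file. Re-pin to the digest the re-push produced, e.g. `image = "forge.quinefoundation.com/ironmagma/riverside@sha256:<NEW-DIGEST-FROM-REGISTRY>";` (placeholder, take the value from the registry), or use `riverside:latest@sha256:…` if the tag is wanted for readability. If the intent really is to track the tag, a comment saying so on this line would stop the next reviewer from re-pinning it.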
|
||||
|
|
|
|||
|
|
@ -109,6 +109,13 @@ in {
|
|||
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
|
||||
};
|
||||
|
||||
# The arion NixOS module sets backend = "podman-socket" but doesn't inject
|
||||
# DOCKER_HOST into the service units; docker CLI falls back to /var/run/docker.sock
|
||||
# (no daemon). Point it at the podman-compatible socket instead.
|
||||
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
|
||||
services.gitea-actions-runner.instances."ubuntu" = {
|
||||
enable = true;
|
||||
name = "ubuntu";
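Review bot: The same socket path is pasted into three separate unit definitions on the `DOCKER_HOST` lines, so a fourth arion project, or a change of socket path, has to be remembered in three places; one `lib.genAttrs` over the project names keeps them in lockstep: `systemd.services = lib.genAttrs [ "arion-forgejo" "arion-riverside" "arion-vnc-desktop" ] (_: { environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; });`. Nothing in this hunk orders the three units after `podman.socket`, so unless the arion module already pulls it in the first CLI call can still race socket activation; worth confirming before relying on the environment variable alone. A client that can open that socket has effectively root control of the host, so the variable should stay scoped to these service units rather than being promoted to a system-wide environment setting.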
|
||||
|
|
@ -131,6 +138,8 @@ in {
|
|||
users.groups.gitea-runner = {};
|
||||
|
||||
systemd.services.gitea-runner-ubuntu = {
|
||||
after = [ "arion-forgejo.service" ];
|
||||
wants = [ "arion-forgejo.service" ];
|
||||
environment.PATH = lib.mkForce (
|
||||
"${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
|
||||
);
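Review bot: The new `after`/`wants` pair orders the runner behind `arion-forgejo.service`, which (as far as can be told from this page) only means the compose bring-up has been issued, not that Forgejo is accepting runner registrations, so the race is narrowed rather than closed. If the register step can still fail on a cold boot, a readiness gate such as an `ExecStartPre` that polls the Forgejo health endpoint, or `Restart = "on-failure"` with a short `RestartSec`, would make the dependency real. At minimum a comment would keep the next reader from assuming the ordering is sufficient: `# Orders after the compose unit only; Forgejo's HTTP API may still be warming up.` The `gitea-runner-ubuntu` attribute set continues past the end of this hunk.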
|
||||
|
|
@ -302,4 +311,24 @@ in {
|
|||
webroot = null;
|
||||
};
|
||||
};
|
||||
|
||||
# Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
|
||||
# The cycle: nginx → After → acme-{philippeterson,webdav}.com (DNS challenge)
|
||||
# → Wants → nginx-config-reload → After → acme-coldairnetworks (HTTP webroot)
|
||||
# → After → nginx
|
||||
# DNS-challenge certs don't need nginx running to provision; nginx only needs the
|
||||
# selfsigned fallback cert before real certs arrive. Remove the real ACME services
|
||||
# from nginx's After so the HTTP-webroot chain doesn't complete the loop.
|
||||
systemd.services.nginx.after = lib.mkForce [
|
||||
"network.target"
|
||||
"acme-selfsigned-coldairnetworks.com.service"
|
||||
"acme-selfsigned-fbksdigital.com.service"
|
||||
"acme-selfsigned-forge.quinefoundation.com.service"
|
||||
"acme-selfsigned-pdxdestiny.com.service"
|
||||
"acme-selfsigned-philippeterson.com.service"
|
||||
"acme-selfsigned-riverside.coldairnetworks.com.service"
|
||||
"acme-selfsigned-vnc.quinefoundation.com.service"
|
||||
"acme-selfsigned-webdav.philippeterson.com.service"
|
||||
"acme-selfsigned-www.philippeterson.com.service"
|
||||
];
|
||||
}
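Review bot: The `lib.mkForce` on `systemd.services.nginx.after` replaces the module-generated list with a hand-maintained list of nine hostnames, so the next virtualHost with `enableACME = true` will not get its `acme-selfsigned-*.service` ordering here, and nginx can start before its placeholder cert exists (a fresh deploy then fails at start-up, an existing one merely races). The cycle only needs the `acme-<name>.service` entries removed, so derive the selfsigned entries from the vhost set instead of listing them, assuming `config` is in the module's argument set (only `lib` and `pkgs` are visible on this page); vhosts using `useACMEHost` map to a different cert name and would need a small extension of the predicate. The long comment block above the list is good and should stay, since it explains why an override is used at all.
```nix
# Keep the selfsigned ordering for every ACME-enabled vhost without hand-maintaining the list;
# the DNS-challenge acme-<name>.service entries are intentionally not re-added (ordering cycle).
systemd.services.nginx.after = lib.mkForce (
  [ "network.target" ]
  ++ map (host: "acme-selfsigned-${host}.service")
    (lib.attrNames (lib.filterAttrs (_: vh: vh.enableACME) config.services.nginx.virtualHosts))
);
```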
|
||||
|
|
|
|||
|
|
@ -61,8 +61,8 @@
|
|||
};
|
||||
|
||||
"philippeterson.com" = {
|
||||
enableACME = true; # Enable Let's Encrypt certificate for HTTPS
|
||||
forceSSL = false; # Redirect HTTP to HTTPS?
|
||||
enableACME = true;
|
||||
forceSSL = false;
|
||||
addSSL = true;
|
||||
|
||||
root = "/etc/pullomatic/com_philippeterson";
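Review bot: Both sides of this hunk keep `forceSSL = false;` with `addSSL = true;` for `philippeterson.com`, so the site stays reachable over plain HTTP with no redirect and no HSTS even though a certificate is provisioned; the only comment that explained the choice (`# Redirect HTTP to HTTPS?`) is on the side that appears to be removed. If plaintext access is not required, `forceSSL = true;` (dropping `addSSL`) is the safer default, and the NixOS nginx module keeps the ACME challenge location served over HTTP under it. If it is deliberate, keep a comment on the line saying why, e.g. `forceSSL = false; # plain HTTP kept on purpose: <reason>`, so the setting is not "fixed" by a later cleanup.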
|
||||
|
|
|
|||