diff --git a/nixos/arion-riverside/arion-compose.nix b/nixos/arion-riverside/arion-compose.nix
index d281048..5a7c25f 100644
--- a/nixos/arion-riverside/arion-compose.nix
+++ b/nixos/arion-riverside/arion-compose.nix
@@ -7,7 +7,7 @@
 services = {
 app = {
 service = {
- image = "forge.quinefoundation.com/ironmagma/riverside@sha256:0d5d9927c726d67f5e587a00c95fda7b2583e6df8248e8d50f553ebc8fb37b21";
+ image = "forge.quinefoundation.com/ironmagma/riverside:latest";
 container_name = "riverside";
 restart = "unless-stopped";
 networks = [ "riverside" ];
diff --git a/nixos/linux.nix b/nixos/linux.nix
index f316cb5..d028406 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -109,6 +109,13 @@ in {
 projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
 };
+ # The arion NixOS module sets backend = "podman-socket" but doesn't inject
+ # DOCKER_HOST into the service units; docker CLI falls back to /var/run/docker.sock
+ # (no daemon). Point it at the podman-compatible socket instead.
+ systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+ systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+ systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+
 services.gitea-actions-runner.instances."ubuntu" = {
 enable = true;
 name = "ubuntu";
@@ -131,6 +138,8 @@ in {
 users.groups.gitea-runner = {};
 systemd.services.gitea-runner-ubuntu = {
+ after = [ "arion-forgejo.service" ];
+ wants = [ "arion-forgejo.service" ];
 environment.PATH = lib.mkForce (
 "${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
 );
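Review bot: The new `image` value uses the mutable `:latest` tag, so what actually runs in the `riverside` container is whatever the registry serves at pull time and can no longer be audited or reproduced from this file, whereas the removed line was pinned to a content digest. If the aim is to follow new builds without editing the compose file, a tag can still carry a digest that the engine verifies on pull, e.g. `image = "forge.quinefoundation.com/ironmagma/riverside:latest@sha256:<digest of the intended build>";`, updated when the build changes; otherwise a one-line comment such as `# Deliberately unpinned: tracks the newest build; re-pin with @sha256 for reproducible deploys.` would record that the trade-off is intentional. The enclosing `services.app.service` set continues outside the hunk.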
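Review bot: The three `DOCKER_HOST` assignments make the `arion-*` units depend on `/run/podman/podman.sock` existing, but no ordering or dependency on `podman.socket` is added in this hunk, so a unit started before the socket unit is listening would fail in much the same way the comment describes (unless the arion module already orders them, which is not visible here). Adding `after = [ "podman.socket" ]; requires = [ "podman.socket" ];` next to each `environment.DOCKER_HOST` line closes that gap. If the goal is only to let Docker tooling find podman, `virtualisation.podman.dockerSocket.enable = true;` exposes the podman socket at the default `/var/run/docker.sock` path and would make the per-unit override unnecessary. The enclosing module attribute set continues outside the hunk.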
@@ -302,4 +311,24 @@ in {
 webroot = null;
 };
 };
+
+ # Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
+ # The cycle: nginx → After → acme-{philippeterson,webdav}.com (DNS challenge)
+ # → Wants → nginx-config-reload → After → acme-coldairnetworks (HTTP webroot)
+ # → After → nginx
+ # DNS-challenge certs don't need nginx running to provision; nginx only needs the
+ # selfsigned fallback cert before real certs arrive. Remove the real ACME services
+ # from nginx's After so the HTTP-webroot chain doesn't complete the loop.
+ systemd.services.nginx.after = lib.mkForce [
+ "network.target"
+ "acme-selfsigned-coldairnetworks.com.service"
+ "acme-selfsigned-fbksdigital.com.service"
+ "acme-selfsigned-forge.quinefoundation.com.service"
+ "acme-selfsigned-pdxdestiny.com.service"
+ "acme-selfsigned-philippeterson.com.service"
+ "acme-selfsigned-riverside.coldairnetworks.com.service"
+ "acme-selfsigned-vnc.quinefoundation.com.service"
+ "acme-selfsigned-webdav.philippeterson.com.service"
+ "acme-selfsigned-www.philippeterson.com.service"
+ ];
 }
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index dbd072e..3a7bafb 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -61,8 +61,8 @@
 };
 "philippeterson.com" = {
- enableACME = true; # Enable Let's Encrypt certificate for HTTPS
- forceSSL = false; # Redirect HTTP to HTTPS?
+ enableACME = true;
+ forceSSL = false;
 addSSL = true;
 root = "/etc/pullomatic/com_philippeterson";
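Review bot: The forced list at `systemd.services.nginx.after = lib.mkForce [` hard-codes nine `acme-selfsigned-*.service` names that mirror the vhosts declared in nginx.nix, so adding or renaming a vhost there will silently leave nginx unordered against its new fallback cert, and `mkForce` also discards any other `after` entry the nginx module sets now or after a nixpkgs update. Deriving the list from the ACME-enabled vhosts keeps the two in sync; this assumes `config` is among this module's arguments and that each cert is named after its vhost (no `useACMEHost`), which matches the names in the current list but should be confirmed. The cycle comment is worth keeping as-is; the hard-coded list would be replaced by the expression below.
```nix
  # Order nginx after the self-signed fallback cert of every ACME vhost, derived
  # from config so the list cannot drift from nginx.nix.
  systemd.services.nginx.after = lib.mkForce (
    [ "network.target" ]
    ++ map (name: "acme-selfsigned-${name}.service")
      (lib.attrNames (lib.filterAttrs (_: vh: vh.enableACME) config.services.nginx.virtualHosts))
  );
```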