From 359292b497f1a1add4381b87824629ec7e847941 Mon Sep 17 00:00:00 2001
From: Philip Peterson
Date: Mon, 25 May 2026 18:58:08 -0800
Subject: [PATCH] fix nginx/arion/runner failures introduced by podman switch

- Break systemd ordering deadlock: nginx.after mkForce removes DNS-challenge ACME services (philippeterson, webdav) from nginx's After list, which was creating a cycle through nginx-config-reload back to HTTP-webroot ACME services that need nginx Before them.
- Fix arion services not finding podman socket: arion NixOS module sets backend=podman-socket but doesn't inject DOCKER_HOST; add explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three arion projects.
- Fix gitea-runner startup race: add After/Wants on arion-forgejo so the runner doesn't try to register before Forgejo is up.
- Fix riverside image reference: pinned digest was stale after a re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6
---
 nixos/arion-riverside/arion-compose.nix | 2 +-
 nixos/linux.nix | 29 +++++++++++++++++++++++++
 nixos/nginx.nix | 4 ++--
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/nixos/arion-riverside/arion-compose.nix b/nixos/arion-riverside/arion-compose.nix
index d281048..5a7c25f 100644
--- a/nixos/arion-riverside/arion-compose.nix
+++ b/nixos/arion-riverside/arion-compose.nix
@@ -7,7 +7,7 @@
 services = {
 app = {
 service = {
- image = "forge.quinefoundation.com/ironmagma/riverside@sha256:0d5d9927c726d67f5e587a00c95fda7b2583e6df8248e8d50f553ebc8fb37b21";
+ image = "forge.quinefoundation.com/ironmagma/riverside:latest";
 container_name = "riverside";
 restart = "unless-stopped";
 networks = [ "riverside" ];
diff --git a/nixos/linux.nix b/nixos/linux.nix
index f316cb5..d028406 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
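Review bot: Replacing the `@sha256:` digest with the mutable `:latest` tag at the `image =` line trades a stale-but-verifiable reference for one the registry can change underneath the host, so every container recreate or pull may run different code with no review step, which matters for a service that is presumably exposed through nginx. The commit message says the digest went stale after a re-push; the fix for that is to re-pin to the new digest rather than to stop pinning, e.g. `image = "forge.quinefoundation.com/ironmagma/riverside:latest@sha256:<new digest>";` (the tag stays for readability, the digest is what is enforced). If re-pushes are frequent, have that workflow update the digest in this file instead of loosening the reference; I can't see from the hunk whether a pull policy is set elsewhere in the compose file.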
@@ -109,6 +109,13 @@ in {
 projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
 };
 
+ # The arion NixOS module sets backend = "podman-socket" but doesn't inject
+ # DOCKER_HOST into the service units; docker CLI falls back to /var/run/docker.sock
+ # (no daemon). Point it at the podman-compatible socket instead.
+ systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+ systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+ systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+
 services.gitea-actions-runner.instances."ubuntu" = {
 enable = true;
 name = "ubuntu";
@@ -131,6 +138,8 @@ in {
 users.groups.gitea-runner = {};
 
 systemd.services.gitea-runner-ubuntu = {
+ after = [ "arion-forgejo.service" ];
+ wants = [ "arion-forgejo.service" ];
 environment.PATH = lib.mkForce (
 "${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
 );
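Review bot: The three `DOCKER_HOST` lines point each arion unit at `/run/podman/podman.sock`, which by convention is the rootful podman API socket, i.e. root-equivalent control of the host; the added comment says the arion module does not inject DOCKER_HOST, but if the same module enables `virtualisation.podman.dockerSocket` (which is what `backend = "podman-socket"` is intended to do) then `/var/run/docker.sock` should already link to that socket and this override may be masking a different root cause — worth confirming before it is kept. If it stays, make the dependency explicit so the unit does not race the socket activation: add `requires = [ "podman.socket" ]; after = [ "podman.socket" ];` to those units, otherwise an `arion up` launched before the socket unit fails in the same way the comment describes. The comment would also read better if it named the socket unit it depends on, e.g. `# Requires podman.socket (rootful) — see virtualisation.podman.dockerSocket`.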
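Review bot: `after`/`wants` on `arion-forgejo.service` only orders the runner behind the arion unit reaching its started state, which for a compose `up` is at best "containers launched", not "Forgejo accepting registrations", so the race the commit message describes is narrowed rather than closed. A readiness gate is the reliable fix: a `preStart` that polls the Forgejo URL until it answers, or at minimum `serviceConfig = { Restart = "on-failure"; RestartSec = 5; };` so a failed registration is retried instead of leaving the runner dead until the next switch, assuming the gitea-actions-runner module does not already set a restart policy. The `gitea-runner-ubuntu` definition continues past the end of the hunk, so merge into any existing `serviceConfig` rather than adding a second one.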
@@ -302,4 +311,24 @@ in {
 webroot = null;
 };
 };
+
+ # Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
+ # The cycle: nginx → After → acme-{philippeterson,webdav}.com (DNS challenge)
+ # → Wants → nginx-config-reload → After → acme-coldairnetworks (HTTP webroot)
+ # → After → nginx
+ # DNS-challenge certs don't need nginx running to provision; nginx only needs the
+ # selfsigned fallback cert before real certs arrive. Remove the real ACME services
+ # from nginx's After so the HTTP-webroot chain doesn't complete the loop.
+ systemd.services.nginx.after = lib.mkForce [
+ "network.target"
+ "acme-selfsigned-coldairnetworks.com.service"
+ "acme-selfsigned-fbksdigital.com.service"
+ "acme-selfsigned-forge.quinefoundation.com.service"
+ "acme-selfsigned-pdxdestiny.com.service"
+ "acme-selfsigned-philippeterson.com.service"
+ "acme-selfsigned-riverside.coldairnetworks.com.service"
+ "acme-selfsigned-vnc.quinefoundation.com.service"
+ "acme-selfsigned-webdav.philippeterson.com.service"
+ "acme-selfsigned-www.philippeterson.com.service"
+ ];
 }
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index dbd072e..3a7bafb 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -61,8 +61,8 @@
 };
 "philippeterson.com" = {
- enableACME = true; # Enable Let's Encrypt certificate for HTTPS
- forceSSL = false; # Redirect HTTP to HTTPS?
+ enableACME = true;
+ forceSSL = false;
 addSSL = true;
 root = "/etc/pullomatic/com_philippeterson";
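Review bot: The `lib.mkForce` list hard-codes nine `acme-selfsigned-*` unit names, so the next virtualHost with `enableACME = true` will be missing from nginx's `After`, and by the hunk's own comment nginx may then start before its fallback cert exists — the same class of outage this patch is repairing, just deferred. Derive the list from the cert set instead, `systemd.services.nginx.after = lib.mkForce ([ "network.target" ] ++ map (n: "acme-selfsigned-${n}.service") (lib.attrNames config.security.acme.certs));`, which assumes this module receives `config` (only `lib` and `pkgs` are visible in the hunk). Note also that `mkForce` discards everything other modules add to `After`, not only the real `acme-*` units, so the comment should say the list is intentionally exhaustive, e.g. `# mkForce: this replaces the whole module-computed After list, not just the acme-* entries`.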