fix nginx/arion/runner failures introduced by podman switch

- Break systemd ordering deadlock: nginx.after mkForce removes
  DNS-challenge ACME services (philippeterson, webdav) from nginx's
  After list, which was creating a cycle through nginx-config-reload
  back to HTTP-webroot ACME services that need nginx Before them.

- Fix arion services not finding podman socket: arion NixOS module
  sets backend=podman-socket but doesn't inject DOCKER_HOST; add
  explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three
  arion projects.

- Fix gitea-runner startup race: add After/Wants on arion-forgejo so
  the runner doesn't try to register before Forgejo is up.

- Fix riverside image reference: pinned digest was stale after a
  re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip Peterson 2026-05-25 18:58:08 -08:00
parent 3876bb177a
commit 359292b497
3 changed files with 32 additions and 3 deletions


@ -7,7 +7,7 @@
services = { services = {
app = { app = {
service = { service = {
image = "forge.quinefoundation.com/ironmagma/riverside@sha256:0d5d9927c726d67f5e587a00c95fda7b2583e6df8248e8d50f553ebc8fb37b21"; image = "forge.quinefoundation.com/ironmagma/riverside:latest";
container_name = "riverside"; container_name = "riverside";
restart = "unless-stopped"; restart = "unless-stopped";
networks = [ "riverside" ]; networks = [ "riverside" ];
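Review bot: Replacing the sha256 digest with the mutable `:latest` tag on the `image` line gives up the only integrity pin this deployment had on the riverside image; whatever is pushed to that tag next, by anyone with push rights on the registry, is what the container runs on the next pull. A digest going stale after a re-push is the expected case and the usual fix is to re-pin to the new digest rather than float, e.g. `image = "forge.quinefoundation.com/ironmagma/riverside:latest@sha256:<new digest from skopeo inspect>";`, which still resolves by digest while keeping the tag readable. If the tag is intended to float, a one-line comment saying so and naming who can push to `ironmagma/riverside` would at least make the trust decision explicit. The enclosing `services.app` block continues outside the hunk.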


@ -109,6 +109,13 @@ in {
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix; projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
}; };
# The arion NixOS module sets backend = "podman-socket" but doesn't inject
# DOCKER_HOST into the service units; docker CLI falls back to /var/run/docker.sock
# (no daemon). Point it at the podman-compatible socket instead.
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
services.gitea-actions-runner.instances."ubuntu" = { services.gitea-actions-runner.instances."ubuntu" = {
enable = true; enable = true;
name = "ubuntu"; name = "ubuntu";
@ -131,6 +138,8 @@ in {
users.groups.gitea-runner = {}; users.groups.gitea-runner = {};
systemd.services.gitea-runner-ubuntu = { systemd.services.gitea-runner-ubuntu = {
after = [ "arion-forgejo.service" ];
wants = [ "arion-forgejo.service" ];
environment.PATH = lib.mkForce ( environment.PATH = lib.mkForce (
"${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin" "${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
); );
@ -302,4 +311,24 @@ in {
webroot = null; webroot = null;
}; };
}; };
# Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
# The cycle: nginx → After → acme-{philippeterson,webdav}.com (DNS challenge)
# → Wants → nginx-config-reload → After → acme-coldairnetworks (HTTP webroot)
# → After → nginx
# DNS-challenge certs don't need nginx running to provision; nginx only needs the
# selfsigned fallback cert before real certs arrive. Remove the real ACME services
# from nginx's After so the HTTP-webroot chain doesn't complete the loop.
systemd.services.nginx.after = lib.mkForce [
"network.target"
"acme-selfsigned-coldairnetworks.com.service"
"acme-selfsigned-fbksdigital.com.service"
"acme-selfsigned-forge.quinefoundation.com.service"
"acme-selfsigned-pdxdestiny.com.service"
"acme-selfsigned-philippeterson.com.service"
"acme-selfsigned-riverside.coldairnetworks.com.service"
"acme-selfsigned-vnc.quinefoundation.com.service"
"acme-selfsigned-webdav.philippeterson.com.service"
"acme-selfsigned-www.philippeterson.com.service"
];
} }
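Review bot: The `lib.mkForce` on `systemd.services.nginx.after` replaces the whole list with nine hand-typed unit names, so the next vhost that sets `enableACME` (or `useACMEHost`) silently loses its `acme-selfsigned-*` ordering and nginx can start before that fallback cert exists and fail to load the vhost; nothing in the commit guards against that drift. As far as I recall the nginx module derives this list from `virtualHosts`, so the forced value can be computed the same way while still omitting the real `acme-*.service` entries that close the cycle; a version of that is below, assuming `config` is among this module's arguments and that the self-signed unit names follow the cert names the vhosts map to (the module header is outside the hunk, so both are inferred). On the runner hunk, `after`/`wants` on `arion-forgejo.service` only orders on the compose unit becoming active, not on Forgejo answering HTTP, so a comment such as `# orders on the compose unit only; Forgejo may still be booting, registration relies on the runner retrying` would keep the next reader from assuming the race is closed.
```nix
# … unchanged: ACME cert definitions above …
# Derive the self-signed units from the vhosts so a newly added enableACME/useACMEHost
# vhost keeps its ordering; the real acme-*.service units are left out on purpose
# to break the cycle through nginx-config-reload described above.
systemd.services.nginx.after = lib.mkForce (
  let
    acmeVhosts = lib.filterAttrs (_: vh: vh.enableACME || vh.useACMEHost != null)
      config.services.nginx.virtualHosts;
    certNames = lib.unique (lib.mapAttrsToList
      (name: vh: if vh.useACMEHost != null then vh.useACMEHost else name) acmeVhosts);
  in
  [ "network.target" ] ++ map (n: "acme-selfsigned-${n}.service") certNames
);
```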


@ -61,8 +61,8 @@
}; };
"philippeterson.com" = { "philippeterson.com" = {
enableACME = true; # Enable Let's Encrypt certificate for HTTPS enableACME = true;
forceSSL = false; # Redirect HTTP to HTTPS? forceSSL = false;
addSSL = true; addSSL = true;
root = "/etc/pullomatic/com_philippeterson"; root = "/etc/pullomatic/com_philippeterson";