fix nginx/arion/runner failures introduced by podman switch
- Break systemd ordering deadlock: nginx.after mkForce removes DNS-challenge ACME services (philippeterson, webdav) from nginx's After list, which was creating a cycle through nginx-config-reload back to HTTP-webroot ACME services that need nginx Before them.
- Fix arion services not finding podman socket: arion NixOS module sets backend=podman-socket but doesn't inject DOCKER_HOST; add explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three arion projects.
- Fix gitea-runner startup race: add After/Wants on arion-forgejo so the runner doesn't try to register before Forgejo is up.
- Fix riverside image reference: pinned digest was stale after a re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
3876bb177a
commit
359292b497
3 changed files with 32 additions and 3 deletions
@ -7,7 +7,7 @@
|
||||||
services = {
|
services = {
|
||||||
app = {
|
app = {
|
||||||
service = {
|
service = {
|
||||||
image = "forge.quinefoundation.com/ironmagma/riverside@sha256:0d5d9927c726d67f5e587a00c95fda7b2583e6df8248e8d50f553ebc8fb37b21";
|
image = "forge.quinefoundation.com/ironmagma/riverside:latest";
|
||||||
container_name = "riverside";
|
container_name = "riverside";
|
||||||
restart = "unless-stopped";
|
restart = "unless-stopped";
|
||||||
networks = [ "riverside" ];
|
networks = [ "riverside" ];
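Review bot: Replacing the `@sha256:` digest with `:latest` on the new `image =` line gives up the immutable pin: every pull will now take whatever the registry currently serves under that tag, so a mistaken or malicious re-push to `forge.quinefoundation.com/ironmagma/riverside` lands on this host without any change in this repo. The stated problem was only that the digest was stale after a re-push, and the fix that keeps the supply-chain guarantee is to update the digest to the newly pushed one, e.g. `image = "forge.quinefoundation.com/ironmagma/riverside@sha256:<digest of the re-pushed image>";`. If the tag genuinely has to float for this project, a versioned tag is still preferable to `:latest`, and the reason the digest was dropped belongs in a comment on this line so nobody re-pins it blindly, e.g. `# NOTE: tag floats on purpose; digest went stale after re-push — re-pin once the build is stable`.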
|
||||||
@ -109,6 +109,13 @@ in {
|
||||||
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
|
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# The arion NixOS module sets backend = "podman-socket" but doesn't inject
|
||||||
|
# DOCKER_HOST into the service units; docker CLI falls back to /var/run/docker.sock
|
||||||
|
# (no daemon). Point it at the podman-compatible socket instead.
|
||||||
|
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
|
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
|
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
|
|
||||||
services.gitea-actions-runner.instances."ubuntu" = {
|
services.gitea-actions-runner.instances."ubuntu" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "ubuntu";
|
name = "ubuntu";
|
||||||
@ -131,6 +138,8 @@ in {
|
||||||
users.groups.gitea-runner = {};
|
users.groups.gitea-runner = {};
|
||||||
|
|
||||||
systemd.services.gitea-runner-ubuntu = {
|
systemd.services.gitea-runner-ubuntu = {
|
||||||
|
after = [ "arion-forgejo.service" ];
|
||||||
|
wants = [ "arion-forgejo.service" ];
|
||||||
environment.PATH = lib.mkForce (
|
environment.PATH = lib.mkForce (
|
||||||
"${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
|
"${pkgs.podman}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
|
||||||
);
|
);
|
||||||
@ -302,4 +311,24 @@ in {
|
||||||
webroot = null;
|
webroot = null;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
|
||||||
|
# The cycle: nginx → After → acme-{philippeterson,webdav}.com (DNS challenge)
|
||||||
|
# → Wants → nginx-config-reload → After → acme-coldairnetworks (HTTP webroot)
|
||||||
|
# → After → nginx
|
||||||
|
# DNS-challenge certs don't need nginx running to provision; nginx only needs the
|
||||||
|
# selfsigned fallback cert before real certs arrive. Remove the real ACME services
|
||||||
|
# from nginx's After so the HTTP-webroot chain doesn't complete the loop.
|
||||||
|
systemd.services.nginx.after = lib.mkForce [
|
||||||
|
"network.target"
|
||||||
|
"acme-selfsigned-coldairnetworks.com.service"
|
||||||
|
"acme-selfsigned-fbksdigital.com.service"
|
||||||
|
"acme-selfsigned-forge.quinefoundation.com.service"
|
||||||
|
"acme-selfsigned-pdxdestiny.com.service"
|
||||||
|
"acme-selfsigned-philippeterson.com.service"
|
||||||
|
"acme-selfsigned-riverside.coldairnetworks.com.service"
|
||||||
|
"acme-selfsigned-vnc.quinefoundation.com.service"
|
||||||
|
"acme-selfsigned-webdav.philippeterson.com.service"
|
||||||
|
"acme-selfsigned-www.philippeterson.com.service"
|
||||||
|
];
|
||||||
}
|
}
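Review bot: The `lib.mkForce` list added at the end of the module hard-codes nine `acme-selfsigned-*.service` names, so a vhost added later with `enableACME = true` will get its own selfsigned unit from the ACME module but no ordering here, and nginx can plausibly start before that fallback certificate exists and fail to load the new vhost; because `mkForce` also discards every other `after` entry the nginx module contributes, the divergence is silent rather than a build error. If those nine names are exactly the keys of `security.acme.certs` (the `webroot = null;` context above suggests that set is defined in this file) and `config` is among the module's arguments, derive the list instead: `systemd.services.nginx.after = lib.mkForce ([ "network.target" ] ++ map (n: "acme-selfsigned-${n}.service") (lib.attrNames config.security.acme.certs));`. The cycle stays broken because no real `acme-<name>.service` is included, and the ordering now tracks the certificate set automatically. The hunk at `@ -131,6 +138,8 @@` also only narrows the runner race: `After=arion-forgejo.service` waits for the compose unit to become active, not for Forgejo's listener to accept registrations, so the runner unit should still carry a readiness probe or a `Restart=on-failure` with a `RestartSec` rather than relying on ordering alone; that unit's body continues outside the hunk.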
@ -61,8 +61,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
"philippeterson.com" = {
|
"philippeterson.com" = {
|
||||||
enableACME = true; # Enable Let's Encrypt certificate for HTTPS
|
enableACME = true;
|
||||||
forceSSL = false; # Redirect HTTP to HTTPS?
|
forceSSL = false;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
|
|
||||||
root = "/etc/pullomatic/com_philippeterson";
|
root = "/etc/pullomatic/com_philippeterson";
|
||||||