Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running
TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth.
Also switches all arion projects from docker to podman backend.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The directory was created by the old DynamicUser (uid 63182). Add a
tmpfiles rule to guarantee correct ownership after any rebuild.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Create a persistent gitea-runner system user in the docker group instead
of relying on DynamicUser — supplementary groups were silently ignored
with DynamicUser=true, leaving the runner unable to reach the socket.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Jobs now execute directly on the runner host rather than inside a docker
container, giving them access to Node.js, Docker, and other host tools
without needing a custom image.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Map container port 80 (not 8080) to host 3011
- Mount postgres data at /var/lib/postgresql (postgres 18 changed path)
- Set TRUSTED_HOST env var so Drupal accepts the hostname
- Enable ACME/HTTPS for riverside.coldairnetworks.com with HTTP→HTTPS redirect
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

riverside needs a postgres sidecar which oci-containers can't express.
Also adds docker to arion PATH (fixes forgejo-arion) and creates
/var/riverside/{files,postgres} state directories.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Systemd services don't source /etc/set-environment, so NIX_PATH was unset
when arion tried to evaluate arion-pkgs.nix via import <nixpkgs>.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add riverside OCI container (forge.quinefoundation.com/ironmagma/riverside)
on port 3011 with nginx vhost. Fix forgejo-arion service failure by ensuring
nix-instantiate is in PATH when arion evaluates the compose config.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>