- Break systemd ordering deadlock: nginx.after mkForce removes
  DNS-challenge ACME services (philippeterson, webdav) from nginx's
  After list, which was creating a cycle through nginx-config-reload
  back to HTTP-webroot ACME services that need nginx Before them.
- Fix arion services not finding podman socket: arion NixOS module
  sets backend=podman-socket but doesn't inject DOCKER_HOST; add
  explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three
  arion projects.
- Fix gitea-runner startup race: add After/Wants on arion-forgejo so
  the runner doesn't try to register before Forgejo is up.
- Fix riverside image reference: pinned digest was stale after a
  re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

riverside needs a postgres sidecar which oci-containers can't express.
Also adds docker to arion PATH (fixes forgejo-arion) and creates
/var/riverside/{files,postgres} state directories.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>