Paperless-ngx uses WebSockets to push task completion status to the
browser. Without Upgrade/Connection headers the UI hangs indefinitely
after upload while waiting for the done notification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

recommendedProxySettings already injects Host, X-Real-IP, X-Forwarded-*
via an include in the location block. Our explicit extraConfig set them
again, causing Django to receive 'host,host' and reject with DisallowedHost.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

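A check for the failure the commit message above describes, as an added example that is not code from this repository: it scans a rendered nginx location block for `proxy_set_header` names set more than once and models the comma-joined Host value the backend then receives. The sample config, the hostname `docs.example.test`, and the simplified host check are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a location block after includes are expanded, with the
# recommended proxy headers followed by a hand-written repeat of two of them.
RENDERED_LOCATION = """
location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
"""

DIRECTIVE = re.compile(r"^[ \t]*proxy_set_header[ \t]+(\S+)[ \t]+(.+?);[ \t]*$", re.M)
# Assumption: a simplified hostname[:port] shape check standing in for the
# backend's own Host validation; it is not Django's implementation.
HOST_SHAPE = re.compile(r"^[a-z0-9.-]+(:[0-9]+)?$")


def duplicate_proxy_headers(block):
    """Return {header_name: [values]} for every header set more than once."""
    seen = defaultdict(list)
    for name, value in DIRECTIVE.findall(block):
        seen[name.lower()].append(value)  # header names are case-insensitive
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


def host_seen_by_backend(block, host):
    """Model repeated Host lines arriving as one comma-joined value."""
    count = sum(1 for name, _ in DIRECTIVE.findall(block) if name.lower() == "host")
    return ",".join([host] * count)


def host_is_acceptable(value, allowed):
    """Accept only a well-formed single host that is on the allow-list."""
    return bool(HOST_SHAPE.match(value)) and value.split(":")[0] in allowed


if __name__ == "__main__":
    print(duplicate_proxy_headers(RENDERED_LOCATION))
    print(host_seen_by_backend(RENDERED_LOCATION, "docs.example.test"))
```
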
- philippeterson.com and coldairnetworks.com now use withWww, fixing the same
  www.* cert-mismatch problem that affected pdxdestiny.com
- fbksdigital.com vhost removed (disabled for now)
- ACME cyclic dependency list updated accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

www.pdxdestiny.com had no vhost so nginx fell back to the coldairnetworks.com
cert. Added a withWww helper that generates an apex + www redirect pair, and
wired up pdxdestiny.com as the first user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Break systemd ordering deadlock: nginx.after mkForce removes
  DNS-challenge ACME services (philippeterson, webdav) from nginx's
  After list, which was creating a cycle through nginx-config-reload
  back to HTTP-webroot ACME services that need nginx Before them.
- Fix arion services not finding podman socket: arion NixOS module
  sets backend=podman-socket but doesn't inject DOCKER_HOST; add
  explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three
  arion projects.
- Fix gitea-runner startup race: add After/Wants on arion-forgejo so
  the runner doesn't try to register before Forgejo is up.
- Fix riverside image reference: pinned digest was stale after a
  re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running
TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth.
Also switches all arion projects from docker to podman backend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Map container port 80 (not 8080) to host 3011
- Mount postgres data at /var/lib/postgresql (postgres 18 changed path)
- Set TRUSTED_HOST env var so Drupal accepts the hostname
- Enable ACME/HTTPS for riverside.coldairnetworks.com with HTTP→HTTPS redirect

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add riverside OCI container (forge.quinefoundation.com/ironmagma/riverside)
on port 3011 with nginx vhost. Fix forgejo-arion service failure by ensuring
nix-instantiate is in PATH when arion evaluates the compose config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>