The directory was created by the old DynamicUser (uid 63182). Add a
tmpfiles rule to guarantee correct ownership after any rebuild.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Create a persistent gitea-runner system user in the docker group instead
of relying on DynamicUser — supplementary groups were silently ignored
with DynamicUser=true, leaving the runner unable to reach the socket.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
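The two commits above (the persistent runner user in the docker group, and the tmpfiles rule that repairs ownership of state the old DynamicUser uid left behind) together amount to a NixOS module like the following. This is an added example, not the repository's own configuration: the service name `gitea-runner`, the state directory `/var/lib/gitea-runner` and the mode `0750` are assumptions. One caveat worth keeping in mind: membership in the `docker` group is root-equivalent on the host (anyone who can talk to the docker socket can bind-mount `/` into a container), so a runner configured this way is a privileged service and every job it executes inherits that reach.

```nix
# Added example, not the project's own configuration. Service name, state
# directory and mode are assumptions; the tmpfiles syntax is standard.
{ config, lib, pkgs, ... }:

{
  users.groups.gitea-runner = { };

  users.users.gitea-runner = {
    isSystemUser = true;
    group = "gitea-runner";
    home = "/var/lib/gitea-runner";
    # Static users get their supplementary groups from the passwd database,
    # so the unit's User= picks up docker without SupplementaryGroups=.
    # docker group membership is root-equivalent on the host.
    extraGroups = [ "docker" ];
  };

  # "d" creates the directory and, if it already exists, corrects its mode
  # and ownership. "Z" then walks the tree and re-owns everything inside it
  # (files created earlier under the DynamicUser uid); the "-" mode field
  # leaves per-file permissions untouched.
  systemd.tmpfiles.rules = [
    "d /var/lib/gitea-runner 0750 gitea-runner gitea-runner -"
    "Z /var/lib/gitea-runner - gitea-runner gitea-runner -"
  ];

  systemd.services.gitea-runner.serviceConfig = {
    # mkForce overrides a module that may have set DynamicUser = true.
    DynamicUser = lib.mkForce false;
    User = "gitea-runner";
    Group = "gitea-runner";
  };
}
```

Both tmpfiles lines run on every boot and on `systemd-tmpfiles --create`, so a rebuild that recreates the user with a different uid still ends with the directory owned by whatever uid `gitea-runner` currently maps to.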
Jobs now execute directly on the runner host rather than inside a docker
container, giving them access to Node.js, Docker, and other host tools
without needing a custom image.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

riverside needs a postgres sidecar which oci-containers can't express.
Also adds docker to arion PATH (fixes forgejo-arion) and creates
/var/riverside/{files,postgres} state directories.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Systemd services don't source /etc/set-environment, so NIX_PATH was unset
when arion tried to evaluate arion-pkgs.nix via import <nixpkgs>.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add riverside OCI container (forge.quinefoundation.com/ironmagma/riverside)
on port 3011 with nginx vhost. Fix forgejo-arion service failure by ensuring
nix-instantiate is in PATH when arion evaluates the compose config.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
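The two PATH/NIX_PATH fixes above (docker and nix-instantiate missing from the unit's PATH, and NIX_PATH unset because systemd units never read /etc/set-environment) are what the following NixOS fragment addresses. It is an added example rather than the repository's own module; the unit name `forgejo-arion` comes from the commit messages, everything else is an assumption.

```nix
# Added example, not the project's own configuration. Only the unit name
# is taken from the commit log.
{ config, pkgs, ... }:

{
  systemd.services.forgejo-arion = {
    # `path` is prepended to the unit's PATH. nix supplies nix-instantiate,
    # which arion needs to evaluate the compose config; docker is what the
    # generated compose file is driven with.
    path = [ pkgs.nix pkgs.docker ];

    # `import <nixpkgs>` in arion-pkgs.nix resolves through NIX_PATH. Units
    # do not inherit the login environment, so set it explicitly and pin it
    # to the nixpkgs this system was built from (pkgs.path) rather than a
    # user channel that may differ between hosts.
    environment.NIX_PATH = "nixpkgs=${pkgs.path}";
  };
}
```

Pinning NIX_PATH to `pkgs.path` also means the compose evaluation uses the same nixpkgs revision as the host configuration, so a rebuild cannot silently evaluate arion-pkgs.nix against an older channel.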