fix(ci): replace overlay2 sync with workspace bind mount for DooD

runner-config.yaml: correct path to /srv/gitea-workspace (VPS, not Synology).
docker-compose.observability.yml: revert 5 bind mounts to plain relative paths;
  OBS_CONFIG_DIR variable is no longer needed.
nightly.yml / release.yml: remove OBS_CONFIG_DIR env injection and the
  "Sync observability configs to host" step from both workflows.

With workdir_parent=/srv/gitea-workspace and an identical host<->container
bind mount, $(pwd) inside job containers resolves to a real host path the
daemon can find — no privileged container, no overlay2 inspection, no nsenter.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/nightly.yml

@@ -85,7 +85,6 @@ jobs:
           GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
           GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
-          OBS_CONFIG_DIR=/srv/familienarchiv-staging/obs-configs
           EOF
 
       - name: Verify backend /import:ro mount is wired
@@ -132,24 +131,6 @@ jobs:
             --profile staging \
             up -d --wait --remove-orphans
 
-      - name: Sync observability configs to host
-        # DooD: runner-config.yaml only shares /var/run/docker.sock with the host
-        # daemon — no workspace directory is mapped. Relative bind mounts in
-        # docker-compose.observability.yml would resolve to paths that don't
-        # exist on the host; Docker auto-creates directories in their place,
-        # causing "not a directory" mount failures at container startup.
-        #
-        # Fix: find the job container's overlay2 merged directory (visible in the
-        # host's mount namespace), then use nsenter to copy from there into a
-        # stable host path. The overlay path is the job container's full
-        # filesystem as seen from the host — no socket tricks needed.
-        run: |
-          OVERLAY=$(docker inspect "$(hostname)" --format '{{.GraphDriver.Data.MergedDir}}')
-          SRC="${OVERLAY}$(pwd)/infra/observability"
-          docker run --rm --privileged --pid=host \
-            alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \
-            sh -c "nsenter -t 1 -m -- sh -c 'mkdir -p /srv/familienarchiv-staging/obs-configs && cp -r \"${SRC}/.\" /srv/familienarchiv-staging/obs-configs/'"
-
       - name: Start observability stack
         run: |
           docker compose \

.gitea/workflows/release.yml

@@ -83,7 +83,6 @@ jobs:
           GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
           GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
-          OBS_CONFIG_DIR=/srv/familienarchiv-production/obs-configs
           EOF
 
       - name: Build images
@@ -105,16 +104,6 @@ jobs:
             --env-file .env.production \
             up -d --wait --remove-orphans
 
-      - name: Sync observability configs to host
-        # DooD: same overlay2 trick as nightly.yml — see that file for the
-        # full rationale. Production path: /srv/familienarchiv-production/obs-configs.
-        run: |
-          OVERLAY=$(docker inspect "$(hostname)" --format '{{.GraphDriver.Data.MergedDir}}')
-          SRC="${OVERLAY}$(pwd)/infra/observability"
-          docker run --rm --privileged --pid=host \
-            alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \
-            sh -c "nsenter -t 1 -m -- sh -c 'mkdir -p /srv/familienarchiv-production/obs-configs && cp -r \"${SRC}/.\" /srv/familienarchiv-production/obs-configs/'"
-
       - name: Start observability stack
         run: |
           docker compose \