diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index f96a23a1..3577a313 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -105,11 +105,23 @@ jobs:
 # header or a still-proxied /actuator route rather than confirming
 # the current config is live.
 #
- # `systemctl reload caddy` sends SIGHUP; Caddy re-reads /etc/caddy/Caddyfile
- # (symlinked to infra/caddy/Caddyfile) without dropping connections.
- # If Caddy is not running this step fails fast and clearly before the
- # smoke test issues a misleading "port 443 refused" error.
- run: sudo systemctl reload caddy
+ # The runner executes job steps inside Docker containers (DooD).
+ # `systemctl` is not present in Ubuntu container images and cannot
+ # reach the host's systemd directly. We use the Docker socket
+ # (mounted into every job container via runner-config.yaml) to spin
+ # up a privileged sibling container in the host PID namespace;
+ # nsenter then enters the host's namespaces so systemctl talks to
+ # the real host systemd daemon. No sudoers entry is required — the
+ # Docker socket already grants root-equivalent host access.
+ #
+ # `systemctl reload caddy` sends SIGHUP; Caddy re-reads
+ # /etc/caddy/Caddyfile (symlinked to infra/caddy/Caddyfile) without
+ # dropping connections. If Caddy is not running this step fails fast
+ # before the smoke test issues a misleading "port 443 refused" error.
+ run: |
+ docker run --rm --privileged --pid=host \
+ ubuntu:22.04 \
+ nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy
 - name: Smoke test deployed environment
 # Healthchecks confirm containers are healthy; they do NOT confirm the