fix(ci): reload Caddy via nsenter, not sudo systemctl

`sudo systemctl reload caddy` does not work from inside a DooD job container: `systemctl` is absent from Ubuntu container images and container processes cannot reach the host systemd without entering its namespaces. Replace with `docker run --privileged --pid=host ubuntu:22.04 nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy`, which uses the already-mounted Docker socket to spin up a privileged sibling container that enters the host PID namespace via nsenter. Tested live on the Hetzner VPS. No sudoers entry required. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 22:28:24 +02:00
parent 90f52eae41
commit d750d5cee2
1 changed files with 17 additions and 5 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -128,11 +128,23 @@ jobs:
        # header or a still-proxied /actuator route rather than confirming
        # the current config is live.
        #
-        # `systemctl reload caddy` sends SIGHUP; Caddy re-reads /etc/caddy/Caddyfile
-        # (symlinked to infra/caddy/Caddyfile) without dropping connections.
-        # If Caddy is not running this step fails fast and clearly before the
-        # smoke test issues a misleading "port 443 refused" error.
-        run: sudo systemctl reload caddy
+        # The runner executes job steps inside Docker containers (DooD).
+        # `systemctl` is not present in Ubuntu container images and cannot
+        # reach the host's systemd directly. We use the Docker socket
+        # (mounted into every job container via runner-config.yaml) to spin
+        # up a privileged sibling container in the host PID namespace;
+        # nsenter then enters the host's namespaces so systemctl talks to
+        # the real host systemd daemon. No sudoers entry is required — the
+        # Docker socket already grants root-equivalent host access.
+        #
+        # `systemctl reload caddy` sends SIGHUP; Caddy re-reads
+        # /etc/caddy/Caddyfile (symlinked to infra/caddy/Caddyfile) without
+        # dropping connections. If Caddy is not running this step fails fast
+        # before the smoke test issues a misleading "port 443 refused" error.
+        run: |
+          docker run --rm --privileged --pid=host \
+            ubuntu:22.04 \
+            nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy

      - name: Smoke test deployed environment
        # Healthchecks confirm containers are healthy; they do NOT confirm the