From d750d5cee2ff41930639e19dd51f4d56cbf50955 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 11 May 2026 22:28:24 +0200
Subject: [PATCH] fix(ci): reload Caddy via nsenter, not sudo systemctl

`sudo systemctl reload caddy` does not work from inside a DooD job container:
`systemctl` is absent from Ubuntu container images and container processes
cannot reach the host systemd without entering its namespaces.

Replace with `docker run --privileged --pid=host ubuntu:22.04 nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy`,
which uses the already-mounted Docker socket to spin up a privileged sibling
container that enters the host PID namespace via nsenter.

Tested live on the Hetzner VPS. No sudoers entry required.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/nightly.yml | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 2cb71392..72eaa60f 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -128,11 +128,23 @@ jobs: # header or a still-proxied /actuator route rather than confirming # the current config is live. # - # `systemctl reload caddy` sends SIGHUP; Caddy re-reads /etc/caddy/Caddyfile - # (symlinked to infra/caddy/Caddyfile) without dropping connections. - # If Caddy is not running this step fails fast and clearly before the - # smoke test issues a misleading "port 443 refused" error. - run: sudo systemctl reload caddy + # The runner executes job steps inside Docker containers (DooD). + # `systemctl` is not present in Ubuntu container images and cannot + # reach the host's systemd directly. We use the Docker socket + # (mounted into every job container via runner-config.yaml) to spin + # up a privileged sibling container in the host PID namespace; + # nsenter then enters the host's namespaces so systemctl talks to + # the real host systemd daemon. No sudoers entry is required — the + # Docker socket already grants root-equivalent host access. + # + # `systemctl reload caddy` sends SIGHUP; Caddy re-reads + # /etc/caddy/Caddyfile (symlinked to infra/caddy/Caddyfile) without + # dropping connections. If Caddy is not running this step fails fast + # before the smoke test issues a misleading "port 443 refused" error. + run: | + docker run --rm --privileged --pid=host \ + ubuntu:22.04 \ + nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy - name: Smoke test deployed environment # Healthchecks confirm containers are healthy; they do NOT confirm the
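Review bot: the new `run:` block (`docker run --rm --privileged --pid=host ubuntu:22.04 nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy`) pulls a mutable tag from the default registry and then hands whatever that tag resolves to full root inside the host's namespaces, so anyone who can move or poison the `ubuntu:22.04` tag, or a mirror or cache in front of it, gets arbitrary code execution on the VPS on every nightly run. Pin the image by digest (`ubuntu:22.04@sha256:<digest>`, with the real digest recorded in the workflow file) or build and pin a minimal local image that contains only `nsenter`, and consider `--pull=never` so the step uses an image already present on the host rather than fetching at deploy time. Two smaller points on the same hunk: the retained comment says `systemctl reload caddy` "sends SIGHUP", but a reload executes whatever `ExecReload=` the host's unit defines, and the unit file is not part of this diff, so check the installed unit and word the comment to match what it actually does; and the step now has a failure mode the old `sudo systemctl reload caddy` did not, because an image pull or Docker daemon error fails the job with a message unrelated to Caddy, which weakens the "fails fast" rationale the comment keeps. Last, `--privileged` combined with entering all of `-m -u -n -p -i` is more than a reload needs; if this approach stays, try replacing `--privileged` with only the capabilities nsenter requires for the mount and PID namespaces (CAP_SYS_ADMIN and CAP_SYS_CHROOT at minimum) and drop the UTS, network and IPC namespaces, testing on the host since the default seccomp and AppArmor profiles may block `setns` or reading `/proc/1/ns/*`; the comment is right that the mounted Docker socket already makes this a soft boundary, but the narrower step still limits what a compromised job can do without another hop.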