2026-05-12 09:28:45 +02:00
2 changed files with 15 additions and 10 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -158,16 +158,20 @@ jobs:
        # public surface works. This step catches: Caddy not reloaded, HSTS
        # header dropped, /actuator block bypassed.
        #
-        # --resolve pins staging.raddatz.cloud to the runner's loopback so we
-        # do NOT depend on the host router doing hairpin NAT (many SOHO
-        # routers do not, or do so only after a firmware update). SNI still
-        # uses the public hostname so the cert validates correctly.
+        # --resolve pins staging.raddatz.cloud to the Docker bridge gateway IP
+        # (the host) so we do NOT depend on hairpin NAT on the host router.
+        # 127.0.0.1 cannot be used: job containers run in bridge network mode
+        # (runner-config.yaml), so 127.0.0.1 is the container's loopback, not
+        # the host's. The bridge gateway IS the host; Caddy binds 0.0.0.0:443
+        # and is therefore reachable from the container via that IP.
+        # SNI still uses the public hostname so the TLS cert validates correctly.
        run: |
          set -e
          HOST="staging.raddatz.cloud"
          URL="https://$HOST"
-          RESOLVE="--resolve $HOST:443:127.0.0.1"
-          echo "Smoke test: $URL (pinned to 127.0.0.1)"
+          HOST_IP=$(ip route show default | awk '/default/ {print $3}')
+          RESOLVE="--resolve $HOST:443:$HOST_IP"
+          echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
          curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
          # Pin the preload-list-eligible HSTS value, not just header presence:
          # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -107,14 +107,15 @@ jobs:

      - name: Smoke test deployed environment
        # See nightly.yml — same three checks, against the prod vhost.
-        # --resolve pins archiv.raddatz.cloud to the runner's loopback so
-        # the smoke test does NOT depend on hairpin NAT on the host router.
+        # --resolve pins to the bridge gateway IP (the host), not 127.0.0.1
+        # — see nightly.yml for the full network topology explanation.
        run: |
          set -e
          HOST="archiv.raddatz.cloud"
          URL="https://$HOST"
-          RESOLVE="--resolve $HOST:443:127.0.0.1"
-          echo "Smoke test: $URL (pinned to 127.0.0.1)"
+          HOST_IP=$(ip route show default | awk '/default/ {print $3}')
+          RESOLVE="--resolve $HOST:443:$HOST_IP"
+          echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
          curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
          # Pin the preload-list-eligible HSTS value, not just header presence:
          # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must