Fix problem with in-pod nginx.conf

.forgejo/workflows/ci.yml

@@ -245,20 +245,20 @@ jobs:
           podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-backend-api-postgres:$IMAGE_TAG"
           podman --remote pull "$REGISTRY_HOST/$APP_NAME/sharenet-frontend:$IMAGE_TAG"
 
-      - name: Prepare in-pod nginx config on host
+      - name: Render nginx.conf and put on host (no unshare)
         run: |
           set -euo pipefail
-          # create dir on host (via user namespace)
+          apk add --no-cache gettext >/dev/null   # envsubst
-          podman --remote unshare mkdir -p /opt/sharenet/nginx /opt/sharenet/volumes/nginx-cache
+          # Render template locally in the job container
-          # render temp config (inside the job container)
-          apk add --no-cache gettext >/dev/null
           envsubst < nginx/nginx.conf > /tmp/nginx.conf
-          # write it onto the host
+
-          podman --remote unshare sh -c 'cat > /opt/sharenet/nginx/nginx.conf' < /tmp/nginx.conf
+          # Write it to the host via a remote Podman helper container.
-          # reasonable perms for rootless mount
+          # Run as uid:gid 1001:1001 so writes match prod-service’s ownership.
-          podman --remote unshare chown -R 1001:1001 /opt/sharenet
+          podman --remote run --rm -i \
-          podman --remote unshare chmod 0755 /opt/sharenet /opt/sharenet/nginx /opt/sharenet/volumes /opt/sharenet/volumes/nginx-cache
+            --user 1001:1001 \
-          podman --remote unshare chmod 0644 /opt/sharenet/nginx/nginx.conf || true
+            -v /opt/sharenet/nginx:/host-nginx:rw \
+            alpine:3.20 sh -c 'install -D -m 0644 /dev/stdin /host-nginx/nginx.conf' \
+            < /tmp/nginx.conf
 
       - name: Install envsubst (Alpine)
         run: apk add --no-cache gettext