fix: resolve user-scope/system-scope dep mismatch for native apps

d-buckner · d-buckner · commit 437cbdfeaa45 · 2026-03-10T21:36:11.000-07:00
Two boot failures fixed:

1. podman-apps-network.service was missing PATH=/run/wrappers, causing
   "newuidmap not found" on every boot. Authentik containers depended on
   this network service, so they never started.

2. metadata.nix auto-wires native app deps (postgres, redis) as
   Requires= in user-scope podman services. But postgres.service and
   redis.service are system-scope, invisible to user units, causing
   "Unit postgres.service not found" on start.

Fix: native apps now expose user-scope readiness units activated via
inotify (no polling):
- postgres: systemd.user.paths.postgres watches the actual socket at
  /run/postgresql/.s.PGSQL.5432
- All mkNativeApp apps: system service writes /run/bloud-ready/{name}
  in ExecStartPost (+prefix for root), user-scope path unit watches
  that file and activates a no-op {name}.service alias
- /run/bloud-ready/ created via systemd.tmpfiles.rules

Any future native app added via mkNativeApp gets this for free.
diff --git a/apps/postgres/module.nix b/apps/postgres/module.nix
@@ -72,6 +72,24 @@ in
       }];
     };
 
+    # User-scope readiness for postgres: watch the actual socket via inotify.
+    # The socket appearing IS the readiness signal — no sentinel file needed.
+    # Podman container services declare Requires=postgres.service (user scope).
+    systemd.user.paths.postgres = {
+      description = "Watch for PostgreSQL socket";
+      pathConfig.PathExists = "/run/postgresql/.s.PGSQL.5432";
+      wantedBy = [ "default.target" ];
+    };
+
+    systemd.user.services.postgres = {
+      description = "PostgreSQL ready (user scope alias)";
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.coreutils}/bin/true";
+      };
+    };
+
     # Canonical alias so app modules can declare `postgres.service` as a dependency
     # without knowing the NixOS-generated service name (postgresql.service).
     # Convention: native apps expose {appName}.service for systemd dependency tracking.
diff --git a/claude.md b/claude.md
@@ -376,7 +376,7 @@ Set `BLOUD_PVE_HOST` in your `.env` file or environment, then:
 
 `BLOUD_PVE_HOST` can be set in a `.env` file at the project root — the CLI loads it automatically:
 ```
-BLOUD_PVE_HOST=root@192.168.0.62
+BLOUD_PVE_HOST=root@10.0.0.165
 ```
 
 ### After Changing NixOS Config
diff --git a/cli/main.go b/cli/main.go
@@ -219,7 +219,7 @@ func printUsage() {
 		fmt.Println("  setup-builder         Provision BLOUD_BUILDER_HOST with Go + Node via Nix")
 		fmt.Println()
 		fmt.Println("Environment:")
-		fmt.Println("  BLOUD_PVE_HOST        Proxmox SSH target (e.g. root@192.168.0.62)")
+		fmt.Println("  BLOUD_PVE_HOST        Proxmox SSH target (e.g. root@10.0.0.165)")
 		fmt.Println("  BLOUD_PVE_VMID        VM ID (default: 9999)")
 		fmt.Println("  BLOUD_BUILDER_HOST    SSH target for local ISO builds (e.g. builder@192.168.0.105)")
 		fmt.Println()
diff --git a/nixos/bloud.nix b/nixos/bloud.nix
@@ -91,6 +91,11 @@ in
       chown -R ${cfg.user}:users /home/${cfg.user}/.local/share/${cfg.dataDir}/media
     '';
 
+    # Create /run/bloud-ready/ for native app readiness sentinels.
+    # Native apps write {name} here on ExecStartPost; user-scope path units watch
+    # for these files via inotify to signal readiness to podman container services.
+    systemd.tmpfiles.rules = [ "d /run/bloud-ready 0755 root root -" ];
+
     # Enable rootless Podman
     virtualisation.podman = {
       enable = true;
@@ -114,6 +119,7 @@ in
       description = "Create podman network for apps stack";
       wantedBy = [ "bloud-apps.target" ];
       before = [ "bloud-apps.target" ];
+      path = [ "/run/wrappers" pkgs.podman ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
diff --git a/nixos/lib/metadata.nix b/nixos/lib/metadata.nix
@@ -1,8 +1,8 @@
 # Read a metadata.yaml file and return native systemd service deps.
 #
 # Reads integrations.*.compatible[].app entries and maps each to "{app}.service".
-# Native apps (postgres, redis) expose canonical {appName}.service aliases; other
-# app names resolve to non-existent services and are silently ignored by systemd.
+# Native apps expose user-scope {name}.service aliases (via path units) so these
+# can be used in both After= and Requires= of user-scope podman container services.
 #
 # Usage:
 #   nativeDeps = import ../../nixos/lib/metadata.nix { inherit pkgs lib; };
diff --git a/nixos/lib/native-app.nix b/nixos/lib/native-app.nix
@@ -89,12 +89,35 @@ let
   # Uses + prefix so hooks run as root — needed because native services run
   # as their own system users (not as the bloud user), but the configurator
   # binary and its output files are owned by the bloud user.
-  # NOTE: If a future app's NixOS module already sets ExecStartPre/Post,
-  # use a list here and handle ordering per-app.
+  # ExecStartPost uses mkBefore so the configurator runs before the readiness sentinel.
   hookConfig = lib.optionalAttrs (configuratorHooks && serviceName != null) {
     systemd.services.${serviceName}.serviceConfig = {
       ExecStartPre = lib.mkBefore [ "+${bloudCfg.agentPath} configure prestart ${name}" ];
-      ExecStartPost = [ "+${bloudCfg.agentPath} configure poststart ${name}" ];
+      ExecStartPost = lib.mkBefore [ "+${bloudCfg.agentPath} configure poststart ${name}" ];
+    };
+  };
+
+  # Readiness convention for native apps:
+  # - System service writes /run/bloud-ready/{name} in ExecStartPost (after configurator)
+  # - User-scope path unit watches for this file via inotify (no polling)
+  # - User-scope service is activated by the path unit, providing a dep target
+  #   that podman container services can declare Requires= on
+  readinessConfig = lib.optionalAttrs (serviceName != null) {
+    systemd.services.${serviceName}.serviceConfig = {
+      ExecStartPost = lib.mkAfter [ "+${pkgs.coreutils}/bin/touch /run/bloud-ready/${name}" ];
+    };
+    systemd.user.paths.${name} = {
+      description = "Watch for ${name} readiness sentinel";
+      pathConfig.PathExists = "/run/bloud-ready/${name}";
+      wantedBy = [ "default.target" ];
+    };
+    systemd.user.services.${name} = {
+      description = "${name} ready (user scope alias)";
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.coreutils}/bin/true";
+      };
     };
   };
 
@@ -112,6 +135,7 @@ in
   config = lib.mkIf appCfg.enable (lib.mkMerge [
     resolvedNixosConfig
     hookConfig
+    readinessConfig
     mediaConfig
   ]);
 }

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,8 @@`
`1`	`1`	`# Read a metadata.yaml file and return native systemd service deps.`
`2`	`2`	`#`
`3`	`3`	`# Reads integrations.*.compatible[].app entries and maps each to "{app}.service".`
`4`		`-# Native apps (postgres, redis) expose canonical {appName}.service aliases; other`
`5`		`-# app names resolve to non-existent services and are silently ignored by systemd.`
	`4`	`+# Native apps expose user-scope {name}.service aliases (via path units) so these`
	`5`	`+# can be used in both After= and Requires= of user-scope podman container services.`
`6`	`6`	`#`
`7`	`7`	`# Usage:`
`8`	`8`	`# nativeDeps = import ../../nixos/lib/metadata.nix { inherit pkgs lib; };`