fix: pass BLOUD_APPS_DIR to app service prestart hooks for SSO config

d-buckner · d-buckner · commit cfd95b5ac067 · 2026-02-25T20:06:03.000-08:00
App prestart hooks run bloud-agent in a systemd context that doesn't
inherit the host-agent service environment. Without BLOUD_APPS_DIR set,
bloud-agent falls back to the relative default '../../apps' which doesn't
exist, causing writeSSOEnvVars to fail silently. This left miniflux (and
any other native-oidc app) missing OAUTH2_PROVIDER, OAUTH2_CLIENT_ID,
and other SSO env vars, so it fell back to local login.

- nixos/bloud.nix: add bloud.appsDir option (default: resolved ../apps path)
- nixos/lib/bloud-app.nix: set BLOUD_APPS_DIR on each app's systemd service
- cli/pve.go: fix cmdRebuildPVE init script permissions (sudo rm for
  root-owned leftovers, chmod -R u+w after copying read-only nix store)
diff --git a/cli/pve.go b/cli/pve.go
@@ -1352,8 +1352,9 @@ fi
 PKG=$(echo "$AGENT_BIN" | sed 's|/bin/host-agent||')
 SRC="$PKG/share/bloud"
 echo "==> Source: $SRC"
-rm -rf ` + pveSyncDir + `
+sudo rm -rf ` + pveSyncDir + `
 cp -r "$SRC" ` + pveSyncDir + `
+chmod -R u+w ` + pveSyncDir + `
 mkdir -p ` + pveSyncDir + `/build
 cp "$AGENT_BIN" ` + pveSyncDir + `/build/host-agent
 chmod +x ` + pveSyncDir + `/build/host-agent
diff --git a/nixos/bloud.nix b/nixos/bloud.nix
@@ -53,6 +53,12 @@ in
       description = "Path to the host-agent binary for app configuration hooks";
     };
 
+    appsDir = lib.mkOption {
+      type = lib.types.str;
+      default = toString ../apps;
+      description = "Absolute path to the apps directory (passed to prestart hooks as BLOUD_APPS_DIR)";
+    };
+
     dataDir = lib.mkOption {
       type = lib.types.str;
       default = "bloud";
diff --git a/nixos/lib/bloud-app.nix b/nixos/lib/bloud-app.nix
@@ -231,7 +231,10 @@ in
         } // lib.optionalAttrs (port != null && network != "host") {
           ports = [ "${toString appCfg.port}:${toString containerPort}" ];
         } // lib.optionalAttrs (userns != null) { inherit userns; }
-          // lib.optionalAttrs (envFile != null) { inherit envFile; });
+          // lib.optionalAttrs (envFile != null) { inherit envFile; }) // {
+          # Pass BLOUD_APPS_DIR so prestart hooks can load catalog metadata (e.g. for SSO config)
+          environment = { BLOUD_APPS_DIR = config.bloud.appsDir; };
+        };
       } // dbInitService // resolvedExtraServices;
     }
     resolvedExtraConfig
