C0: fix homepage container /app/config write permissions

The previous Dockerfile chowned /app/config to 1000:1000 so the runtime
user could seed missing skeleton configs (e.g. proxmox.yaml) and write
/app/config/logs. The nix derivation didn't replicate that, so the new
amd64 image crashed with EACCES on cold start (fixed-forward — caught
during ringtail cutover, ArgoCD #348).

Add fakeRootCommands to dockerTools to create /app and /app/config and
chown them at build time. The deployment's ConfigMap subPath mounts
leave the parent directory as image filesystem, so its ownership has to
be set at build time, not at runtime.
Erich Blume 2026-05-10 20:48:48 -07:00
commit 678f26b0e7
2 changed files with 16 additions and 0 deletions

@ -100,6 +100,17 @@ pkgs.dockerTools.buildLayeredImage {
chmod 1777 tmp
'';
# /app/config must be writable by the runtime user (1000): homepage seeds
# missing skeleton configs (proxmox.yaml, etc.) and writes /app/config/logs.
# The deployment mounts ConfigMap files at /app/config/<file>.yaml via
# subPath, which leaves the parent dir as image filesystem — so its
# ownership has to be set at build time.
fakeRootCommands = ''
mkdir -p app/config
chown -R 1000:1000 app
'';
enableFakechroot = true;
config = {
Entrypoint = [ "${homepage}/bin/homepage" ];
Env = [
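Review bot: `chown -R 1000:1000 app` in fakeRootCommands gives the runtime user ownership of all of /app, while the comment above it only requires /app/config to be writable. Narrowing it to `chown -R 1000:1000 app/config` would leave /app itself root-owned, so the runtime user cannot create or replace anything else under it. Separately, `enableFakechroot = true` is added without a comment, and both commands use paths relative to the image root; please note why it is needed or drop it.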