fix: service file crash on fresh installs, CI workflow portability

- Remove MemoryDenyWriteExecute=yes from archipelago.service — ring (rustls) and secp256k1 (bitcoin/nostr) crypto libraries need executable memory mappings that this restriction blocks - Add + prefix to ExecStartPre so mkdir/chown run as root - Use $HOME/archy instead of /home/archipelago/archy in CI workflows so builds work on both .228 and VPS CI runners Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 13:08:21 +01:00 · 2026-04-07 13:08:21 +01:00 · e5f695c1c4
commit e5f695c1c4
parent 637818c9f1
3 changed files with 12 additions and 9 deletions
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@ -13,13 +13,14 @@ jobs:
      - name: Checkout
        run: |
          # Direct fetch + sync (actions/checkout token is broken on this Gitea)
-          cd /home/archipelago/archy && git fetch origin main && git reset --hard origin/main
+          REPO_DIR="$HOME/archy"
+          cd "$REPO_DIR" && git fetch origin main && git reset --hard origin/main
          echo "=== Source at commit: $(git log --oneline -1) ==="
          rsync -a --delete \
            --exclude '.git' --exclude 'node_modules' --exclude 'target' \
            --exclude 'image-recipe/build' --exclude 'image-recipe/results' \
            --exclude 'web/dist' \
-            /home/archipelago/archy/ "$GITHUB_WORKSPACE/"
+            "$REPO_DIR/" "$GITHUB_WORKSPACE/"
          cd "$GITHUB_WORKSPACE"
          echo "=== Workspace version: $(grep '^version' core/archipelago/Cargo.toml) ==="
          [ -f "scripts/first-boot-containers.sh" ] && echo "  first-boot-containers.sh: PRESENT" || echo "  first-boot-containers.sh: MISSING"
--- a/.gitea/workflows/build-iso.yml
+++ b/.gitea/workflows/build-iso.yml
@ -13,11 +13,12 @@ jobs:
      - name: Checkout
        run: |
          # Direct clone using stored credentials (actions/checkout token is broken)
-          cd /home/archipelago/archy && git fetch origin main && git reset --hard origin/main
+          REPO_DIR="$HOME/archy"
+          cd "$REPO_DIR" && git fetch origin main && git reset --hard origin/main
          echo "=== Source at commit: $(git log --oneline -1) ==="
          echo "=== Syncing to workspace ==="
          rsync -a --delete --exclude='.git' --exclude='target/' --exclude='node_modules/' \
-            /home/archipelago/archy/ "$GITHUB_WORKSPACE/" || cp -a /home/archipelago/archy/* "$GITHUB_WORKSPACE/"
+            "$REPO_DIR/" "$GITHUB_WORKSPACE/" || cp -a "$REPO_DIR"/* "$GITHUB_WORKSPACE/"
          cd "$GITHUB_WORKSPACE"
          echo "=== Workspace version: $(grep '^version' core/archipelago/Cargo.toml) ==="
          echo "=== Key files ==="
@ -45,7 +46,7 @@ jobs:
        run: |
          WORK_DIR="image-recipe/build/auto-installer"
          mkdir -p "$WORK_DIR"
-          CACHED="/home/archipelago/archy/image-recipe/build/auto-installer/debian-live-installer.iso"
+          CACHED="$HOME/archy/image-recipe/build/auto-installer/debian-live-installer.iso"
          if [ -f "$CACHED" ] && [ ! -f "$WORK_DIR/debian-live-installer.iso" ]; then
            cp "$CACHED" "$WORK_DIR/debian-live-installer.iso"
            echo "Cached Debian Live ISO copied ($(du -h "$WORK_DIR/debian-live-installer.iso" | cut -f1))"
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@ -9,8 +9,9 @@ User=archipelago
 Environment="ARCHIPELAGO_BIND=127.0.0.1:5678"
 # DEV_MODE disabled in production — enabled via override.conf on dev servers
 Environment="XDG_RUNTIME_DIR=/run/user/1000"
-ExecStartPre=/bin/bash -c 'mkdir -p /run/user/1000 && chown archipelago:archipelago /run/user/1000 && chmod 700 /run/user/1000'
-ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
+# + prefix runs these as root (needed for chown/mkdir outside ReadWritePaths)
+ExecStartPre=+/bin/bash -c 'mkdir -p /run/user/1000 && chown archipelago:archipelago /run/user/1000 && chmod 700 /run/user/1000'
+ExecStartPre=+/bin/bash -c 'mkdir -p /var/lib/archipelago && chown archipelago:archipelago /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env && chown archipelago:archipelago /var/lib/archipelago/host-ip.env'
 ExecStart=/usr/local/bin/archipelago
 Restart=on-failure
 RestartSec=5
@ -42,8 +43,8 @@ RestrictRealtime=yes
 # SystemCallFilter disabled: rootless podman needs clone/unshare for user namespaces
 SystemCallArchitectures=native

-# Memory protection
-MemoryDenyWriteExecute=yes
+# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
+# use assembly code that requires executable memory mappings on some platforms

 # Resource limits
 MemoryMax=4G