fix(indeedhub): frontend nginx needs SET{UID,GID}+CHOWN+DAC_OVERRIDE under cap-drop-ALL

Live fresh-create on .228 (post special-case removal) had nginx workers die with "setgid(101) failed (Operation not permitted)" → workers exited code 2, port published but nothing served (HTTP 000). The orchestrator does --cap-drop=ALL, so unlike the legacy `podman run` (default caps) nginx's master couldn't drop workers to the nginx user. Declare CHOWN/DAC_OVERRIDE/SETGID/SETUID (SET* to drop the worker user, CHOWN+DAC_OVERRIDE for the tmpfs proxy cache). Verified on .228: frontend fresh-creates, caps applied, nginx serves, UI 200 incl. /api/ and /nostr-provider.js. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 17:24:34 -04:00 · 2026-06-21 17:24:34 -04:00 · ff8f11b87e
commit ff8f11b87e
parent b73084dbb0
1 changed files with 6 additions and 1 deletions
--- a/apps/indeedhub/manifest.yml
+++ b/apps/indeedhub/manifest.yml
@ -25,7 +25,12 @@ app:
    disk_limit: 1Gi

  security:
-    capabilities: []
+    # nginx master runs as root and drops workers to the nginx user (uid/gid
+    # 101) — needs SET{UID,GID}; CHOWN + DAC_OVERRIDE let it own + write the
+    # proxy cache under the tmpfs /var/cache/nginx. The orchestrator does
+    # --cap-drop=ALL, so (unlike the legacy `podman run` default caps) these
+    # must be declared or nginx workers die with "setgid(101) failed".
+    capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID]
    readonly_root: false
    network_policy: isolated