feat(fw): auto-update invidious-companion and harden its env file #90

Merged
dominik.polakovics merged 2 commits from afk/89 into main 2026-06-04 13:36:17 +02:00

What & why

invidious-companion's :latest image had frozen at a ~3-month-old build —
--pull=newer only re-pulls on container (re)creation, which nothing ever
triggered — breaking PO-token validation and playback. And its env file
(PORT/HOST/SERVER_SECRET_KEY) was written once at boot by a
RemainAfterExit oneshot, so when /run/invidious-companion was cleaned the
container couldn't restart without manual recreation. This makes the runtime
fix permanent and removes both failure modes.

1. Auto-update the companion image

  • labels."io.containers.autoupdate" = "registry" on the container.
  • Enable the packaged podman-auto-update.timer
    (systemd.timers.podman-auto-update.wantedBy = [ "timers.target" ]) — NixOS
    25.11 has no virtualisation.podman.autoUpdate option. podman auto-update
    runs daily, pulls a newer :latest, restarts the unit, and rolls back by
    default.
  • podman.sdnotify = "healthy" so rollback covers a functionally-broken
    image, not just a launch failure. Verified the image ships its own
    HEALTHCHECK (/thc -> :8282/healthz) — no health endpoint invented.
  • Dropped the now-redundant --pull=newer.

2. Harden env-file generation (regenerate on every start)

  • Dropped RemainAfterExit=true on invidious-companion-env-generate; the
    companion's existing Requires=/After= re-triggers the now-transient
    oneshot on every (re)start, including auto-update restarts.
  • Backed /run/invidious-companion with RuntimeDirectory +
    RuntimeDirectoryMode=0700 + RuntimeDirectoryPreserve=yes and removed the
    /run tmpfiles rule, so a /run wipe can no longer leave the container
    without its env file.

3. Invidious update strategy — decision (ADR-0013)

Invidious itself stays the native services.invidious module, tracked via
channel bumps. Containerising it (quay.io/invidious/invidious:latest) is
rejected — it would mean reimplementing the DB / nginx / TLS / http3-ytproxy /
admin-init wiring the module does today, plus a Postgres data migration.
Recorded in docs/adr/0013-invidious-stays-native.md.

Verification

  • fw host dry-build passes (the pre-commit gate).
  • Runtime acceptance — companion survives a /run-wipe + restart with no
    manual env recreation, and the timer pulls a newer digest over time — is
    HITL on the web microVM, which agents can't SSH into (#88).

Closes #89

Replace the ineffective --pull=newer on the invidious-companion container
with real image auto-update, and stop its env file from vanishing on restart.

- Label the container io.containers.autoupdate=registry and enable the
  packaged podman-auto-update.timer, so `podman auto-update` pulls newer
  :latest images daily (rollback is on by default). The old --pull=newer only
  re-pulled on container (re)creation, which nothing triggered, so the image
  froze at a ~3-month-old build and broke PO-token validation / playback.
- Set podman.sdnotify="healthy" (the image ships a /thc -> :8282/healthz
  HEALTHCHECK) so auto-update rolls back a functionally-broken new image, not
  just one that fails to launch.
- Regenerate the env file on every companion start: drop RemainAfterExit so
  the companion's Requires= re-triggers the now-transient oneshot on each
  (re)start (including auto-update restarts), and back the dir with
  RuntimeDirectory + RuntimeDirectoryPreserve instead of a tmpfiles /run rule,
  so a /run wipe can no longer leave the container without its env file.
- ADR-0013: record keeping Invidious itself native (services.invidious,
  tracked via channel bumps) and rejecting containerisation.

Runtime acceptance (survives /run-wipe restart; timer pulls newer digests)
is HITL on the web microVM, which agents can't SSH into (#88).

PR #93 added ADR-0013 (afk-claim-is-the-branch) and merged first, so this invidious-stays-native ADR moves to 0014. Pure file rename; no content or cross-reference change.
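As an added example (not the repository's own module), the NixOS fragment below wires together the pieces the description and commit message above describe: the auto-update label and timer, the `healthy` sdnotify mode, and the transient env-generate oneshot backed by a preserved RuntimeDirectory. The image reference, the env-file name and the PORT/HOST values are assumptions, since the PR does not state them.

```nix
{ pkgs, ... }:
{
  virtualisation.podman.enable = true;

  virtualisation.oci-containers.containers.invidious-companion = {
    # Image reference and env-file path are assumptions; the PR names neither.
    image = "quay.io/invidious/invidious-companion:latest";
    environmentFiles = [ "/run/invidious-companion/env" ];
    # (1) Opt in to `podman auto-update`; "registry" follows the :latest tag.
    labels."io.containers.autoupdate" = "registry";
    # READY is signalled only once the image's own HEALTHCHECK passes, so
    # a functionally broken update is rolled back, not just a launch failure.
    podman.sdnotify = "healthy";
    # No `--pull=newer` in extraOptions: auto-update owns image freshness now.
  };

  # NixOS 25.11 has no virtualisation.podman.autoUpdate option, so enable the
  # packaged daily timer directly; rollback on a failed restart is podman's default.
  systemd.timers.podman-auto-update.wantedBy = [ "timers.target" ];

  # (2) Transient oneshot (no RemainAfterExit): it runs again every time the
  # container unit starts, including restarts triggered by auto-update.
  systemd.services.invidious-companion-env-generate = {
    serviceConfig = {
      Type = "oneshot";
      RuntimeDirectory = "invidious-companion";     # /run/invidious-companion
      RuntimeDirectoryMode = "0700";
      RuntimeDirectoryPreserve = "yes";  # keep the dir after the oneshot exits
    };
    script = ''
      umask 077
      # Fresh SERVER_SECRET_KEY on every start; PORT/HOST values are assumptions.
      cat > "$RUNTIME_DIRECTORY/env" <<EOF
      PORT=8282
      HOST=0.0.0.0
      SERVER_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)
      EOF
    '';
  };

  # The podman backend names the unit podman-<name>.service; Requires=/After=
  # on the oneshot is what re-triggers it on each (re)start.
  systemd.services.podman-invidious-companion = {
    requires = [ "invidious-companion-env-generate.service" ];
    after = [ "invidious-companion-env-generate.service" ];
  };
}
```

After a `/run` wipe, `systemctl restart podman-invidious-companion.service` should recreate the directory and env file via the oneshot before the container starts, which is the runtime check the PR leaves to HITL.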
Reference
Cloonar/nixos!90