From 4e6da4e81a8a4ab61db85f25c63db98ca64f85ff Mon Sep 17 00:00:00 2001 From: CodeMaster4711 Date: Tue, 24 Mar 2026 20:43:03 +0100 Subject: [PATCH 1/4] fix: nix container version --- nixos-node/modules/server-configuration.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nixos-node/modules/server-configuration.nix b/nixos-node/modules/server-configuration.nix index e50c760..187728d 100644 --- a/nixos-node/modules/server-configuration.nix +++ b/nixos-node/modules/server-configuration.nix @@ -236,7 +236,7 @@ services: restart: unless-stopped api-gateway: - image: ghcr.io/csfx-cloud/csf-ce-api-gateway:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-api-gateway:0.2.2-alpha.44 container_name: csf-api-gateway env_file: - /etc/csf-core/gateway.env @@ -266,7 +266,7 @@ services: start_period: 30s registry: - image: ghcr.io/csfx-cloud/csf-ce-registry:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-registry:0.2.2-alpha.44 container_name: csf-registry environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -282,7 +282,7 @@ services: restart: unless-stopped scheduler: - image: ghcr.io/csfx-cloud/csf-ce-scheduler:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-scheduler:0.2.2-alpha.44 container_name: csf-scheduler environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -297,7 +297,7 @@ services: restart: unless-stopped volume-manager: - image: ghcr.io/csfx-cloud/csf-ce-volume-manager:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-volume-manager:0.2.2-alpha.44 container_name: csf-volume-manager environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -314,7 +314,7 @@ services: restart: unless-stopped failover-controller: - image: ghcr.io/csfx-cloud/csf-ce-failover-controller:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-failover-controller:0.2.2-alpha.44 container_name: csf-failover-controller environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core 
@@ -330,7 +330,7 @@ services: restart: unless-stopped sdn-controller: - image: ghcr.io/csfx-cloud/csf-ce-sdn-controller:0.2.2-alpha.42 + image: ghcr.io/csfx-cloud/csf-ce-sdn-controller:0.2.2-alpha.44 container_name: csf-sdn-controller environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core From a6b0bbe86e6de90e9bcab2a1df9a4bed74b33e55 Mon Sep 17 00:00:00 2001 From: CodeMaster4711 Date: Tue, 24 Mar 2026 20:51:55 +0100 Subject: [PATCH 2/4] fix: agent error --- nixos-node/modules/csf-daemon.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos-node/modules/csf-daemon.nix b/nixos-node/modules/csf-daemon.nix index 22f0626..2e7605b 100644 --- a/nixos-node/modules/csf-daemon.nix +++ b/nixos-node/modules/csf-daemon.nix @@ -98,6 +98,7 @@ in RestrictRealtime = true; SystemCallFilter = "@system-service"; ReadWritePaths = [ "/var/lib/csf-daemon" ]; + ReadOnlyPaths = [ "/var/lib/csf-updater/bin" ]; }; }; }; From bbb8694fc2c7a3a065c5a08af073d2009b8a9fd4 Mon Sep 17 00:00:00 2001 From: CodeMaster4711 Date: Tue, 24 Mar 2026 21:14:05 +0100 Subject: [PATCH 3/4] fix: updater error with images and pull --- control-plane/csf-updater/src/verify.rs | 12 ++++++++++++ nixos-node/modules/server-configuration.nix | 6 +++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/control-plane/csf-updater/src/verify.rs b/control-plane/csf-updater/src/verify.rs index c074b47..5fae4e2 100644 --- a/control-plane/csf-updater/src/verify.rs +++ b/control-plane/csf-updater/src/verify.rs 
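Review bot: The added `ReadOnlyPaths = [ "/var/lib/csf-updater/bin" ];` in the csf-daemon hardening block will make the unit fail at namespace setup on any host where that directory does not exist when the service starts, because systemd treats a missing path in this list as an error. If the daemon module can be deployed on nodes without the updater (not visible from this hunk), prefix the entry with `-` so a missing path is ignored: `ReadOnlyPaths = [ "-/var/lib/csf-updater/bin" ];`. This setting only shapes the mount namespace, so the daemon user still needs ordinary file permissions on the directory to read it. The enclosing service definition starts outside the hunk.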
@@ -81,6 +81,18 @@ async fn remote_digest(client: &reqwest::Client, image: &str, tag: &str, ghcr_au } fn local_digest(image: &str) -> Result { + let pull = std::process::Command::new("docker") + .args(["pull", "--quiet", image]) + .output()?; + + if !pull.status.success() { + bail!( + "docker pull failed for {}: {}", + image, + String::from_utf8_lossy(&pull.stderr).trim() + ); + } + let output = std::process::Command::new("docker") .args(["image", "inspect", "--format", "{{json .RepoDigests}}", image]) .output()?; diff --git a/nixos-node/modules/server-configuration.nix b/nixos-node/modules/server-configuration.nix index 187728d..56a3153 100644 --- a/nixos-node/modules/server-configuration.nix +++ b/nixos-node/modules/server-configuration.nix @@ -102,6 +102,10 @@ in }; users.groups.csf-updater = {}; + systemd.tmpfiles.rules = [ + "d /var/lib/csf-updater 0710 csf-updater csf-daemon -" + ]; + systemd.services.csf-updater = { description = "CSF Control Plane Updater"; after = [ "docker.service" "network-online.target" "csf-control-plane.service" ]; @@ -158,7 +162,7 @@ in system.activationScripts.csf-binaries = { text = '' mkdir -p ${binDir} - chown csf-updater:csf-updater ${binDir} + chown csf-updater:csf-daemon ${binDir} chmod 750 ${binDir} if [ ! -f ${binDir}/csf-updater ]; then cp ${csfUpdaterBin}/bin/csf-updater ${binDir}/csf-updater From cd9b47ce0cbfb59292ba28fdfc173c5c0f2e9914 Mon Sep 17 00:00:00 2001 From: CodeMaster4711 Date: Tue, 24 Mar 2026 21:32:05 +0100 Subject: [PATCH 4/4] fix: image version --- nixos-node/modules/server-configuration.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nixos-node/modules/server-configuration.nix b/nixos-node/modules/server-configuration.nix index 56a3153..904afc6 100644 --- a/nixos-node/modules/server-configuration.nix +++ b/nixos-node/modules/server-configuration.nix 
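Review bot: The `docker pull` added at the top of `local_digest` refreshes the image by tag just before `RepoDigests` is read, so the local value no longer describes what was on the host before verification. If the caller compares it with the result of `remote_digest` (that comparison is outside this hunk), both values now come from the registry's current answer for the tag and a mismatch can hardly occur. Pulling by the digest already resolved remotely, in the form `image@sha256:<digest>`, would keep the check meaningful, though it needs the digest passed in. The pull is also a blocking `std::process::Command` with no timeout, which can stall an async caller while the registry is slow. A doc comment such as `/// Pulls the image, then returns its repo digest; updates the local image store as a side effect.` would make that visible; the rest of `local_digest` lies outside the hunk.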
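Review bot: The tmpfiles rule `d /var/lib/csf-updater 0710 csf-updater csf-daemon -` and the changed `chown csf-updater:csf-daemon ${binDir}` both depend on a `csf-daemon` group, but the only group declared in the visible lines is `users.groups.csf-updater`. If this module is evaluated on a host that does not import the daemon module, the chown in the activation script fails and tmpfiles cannot apply the rule. Declaring `users.groups.csf-daemon = {};` alongside, or asserting on it, would remove that coupling. It would also help to record the intent next to the rule, for instance `# csf-daemon gets traverse on the parent and r-x on bin only; it must never gain write access to updater-managed binaries`. Both hunks are excerpts of larger attribute sets.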
@@ -240,7 +240,7 @@ services: restart: unless-stopped api-gateway: - image: ghcr.io/csfx-cloud/csf-ce-api-gateway:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-api-gateway:0.2.2-alpha.47 container_name: csf-api-gateway env_file: - /etc/csf-core/gateway.env @@ -270,7 +270,7 @@ services: start_period: 30s registry: - image: ghcr.io/csfx-cloud/csf-ce-registry:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-registry:0.2.2-alpha.47 container_name: csf-registry environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -286,7 +286,7 @@ services: restart: unless-stopped scheduler: - image: ghcr.io/csfx-cloud/csf-ce-scheduler:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-scheduler:0.2.2-alpha.47 container_name: csf-scheduler environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -301,7 +301,7 @@ services: restart: unless-stopped volume-manager: - image: ghcr.io/csfx-cloud/csf-ce-volume-manager:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-volume-manager:0.2.2-alpha.47 container_name: csf-volume-manager environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -318,7 +318,7 @@ services: restart: unless-stopped failover-controller: - image: ghcr.io/csfx-cloud/csf-ce-failover-controller:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-failover-controller:0.2.2-alpha.47 container_name: csf-failover-controller environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core @@ -334,7 +334,7 @@ services: restart: unless-stopped sdn-controller: - image: ghcr.io/csfx-cloud/csf-ce-sdn-controller:0.2.2-alpha.44 + image: ghcr.io/csfx-cloud/csf-ce-sdn-controller:0.2.2-alpha.47 container_name: csf-sdn-controller environment: DATABASE_URL: postgres://csf:csfpassword@patroni:5432/csf_core