From 91a7c2d713d9e366e5195445390ea9af78913408 Mon Sep 17 00:00:00 2001
From: Adam Reif <adam@litprotocol.com>
Date: Thu, 26 Mar 2026 19:21:29 -0500
Subject: [PATCH] fix: start dstack-ingress before other services (CPL-152)

dstack-ingress must obtain the TLS certificate before the API server
starts accepting traffic. Adds a healthcheck that waits for the cert
file, and makes lit-api-server depend on dstack-ingress being healthy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.phala.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/docker-compose.phala.yml b/docker-compose.phala.yml
index 70d6694a..338008b0 100644
--- a/docker-compose.phala.yml
+++ b/docker-compose.phala.yml
@@ -68,6 +68,8 @@ services:
       # Optional overide for NodeConfig.toml (chain, contract_address).
       # - ./NodeConfig.toml:/app/NodeConfig.toml:ro
     depends_on:
+      dstack-ingress:
+        condition: service_healthy
       lit-actions:
         condition: service_started
       otel-collector:
@@ -125,9 +127,12 @@ services:
     volumes:
       - /var/run/dstack.sock:/var/run/dstack.sock
       - cert-data:/etc/letsencrypt
-    depends_on:
-      lit-api-server:
-        condition: service_started
+    healthcheck:
+      test: ["CMD", "test", "-f", "/etc/letsencrypt/live/${CERTBOT_DOMAIN}/fullchain.pem"]
+      interval: 10s
+      timeout: 5s
+      retries: 30
+      start_period: 120s
     restart: unless-stopped
 
 volumes: