From 62639006ac934c8afdae27e5f7890c30cdf5f24b Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Sun, 3 May 2026 10:59:08 -0500
Subject: [PATCH] Clear stale pcscd socket files on container start

The pcscd container's socket directory is a persistent podman named volume, so /run/pcscd/pcscd.comm and pcscd.pid survive reboots. pcscd refuses to start when those files exist, fails ten times, and gives up, which knocks out the HSM cache backend and cascades into Infisical outages on every reboot. Wrap the CMD in /bin/sh to rm the stale files before exec'ing pcscd.
---
 psi/providers/nitrokeyhsm/cli.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/psi/providers/nitrokeyhsm/cli.py b/psi/providers/nitrokeyhsm/cli.py
index 3bcff6b..d7a9d77 100644
--- a/psi/providers/nitrokeyhsm/cli.py
+++ b/psi/providers/nitrokeyhsm/cli.py
@@ -156,7 +156,12 @@ def preflight(config: ConfigOption = None) -> None:
 RUN mkdir -p /run/pcscd && chmod 777 /run/pcscd
-CMD ["/usr/sbin/pcscd", "-f", "--disable-polkit"]
+# pcscd refuses to start if pcscd.comm/pcscd.pid already exist (it assumes
+# another pcscd is running). When the socket directory is a persistent
+# named volume, those files survive reboots and stop the daemon coming
+# back. Clear them before starting; exec so SIGTERM still reaches pcscd.
+CMD ["/bin/sh", "-c", \
+ "rm -f /run/pcscd/pcscd.comm /run/pcscd/pcscd.pid && exec /usr/sbin/pcscd -f --disable-polkit"]
 """
 _PCSCD_QUADLET = """\
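Review bot: The new `CMD` deletes `pcscd.comm` and `pcscd.pid` unconditionally, which also removes pcscd's only guard against two daemons sharing one socket directory, and the added comment does not state that assumption. I would add a line such as `# Assumes this container is the only pcscd that mounts the volume; a second instance would lose its live socket.` The cleanup also runs in the directory that the context line makes world-writable (`chmod 777 /run/pcscd`) on a persistent volume, so those two paths are not under the daemon's sole control; a narrower mode or a shared group is worth considering if the client containers allow it. The template string this hunk edits starts above the hunk, so the base image and the way the volume is mounted are not visible here.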