image: run as root + use compiled-in /var/log/nginx + explicit -c

The nixpkgs angie build hardcodes /var/log/nginx for error_log and
defaults its worker group to 'nogroup' (which fakeNss doesn't ship).
Run as root in the container, mkdir the compiled-in log dir, and pass
-c /etc/angie/angie.conf explicitly so our custom main config wins
over whatever default ships in /etc/angie/.

flake.nix

@@ -18,8 +18,12 @@
       # chart mounts at /etc/angie/http.d/*.conf — same idiom as the alpine
       # nginx image's /etc/nginx/conf.d/.
       mainConf = pkgs.writeText "angie.conf" ''
+        # Run as root in the container — fakeNss doesn't ship a "nogroup"
+        # group, which is the compiled-in default group for this angie build,
+        # and the worker would refuse to start otherwise.
+        user root;
         worker_processes auto;
-        error_log /var/log/angie/error.log notice;
+        error_log /var/log/nginx/error.log notice;
         pid /run/angie.pid;
 
         events { worker_connections 1024; }
@@ -47,15 +51,19 @@
           coreutils
           bash
         ];
-        # Writable runtime dirs — image filesystem is otherwise read-only.
+        # Writable runtime dirs. /var/log/nginx is the compiled-in path for
+        # angie (matches nixpkgs' nginx build flags); the chart's main config
+        # also writes pid to /run.
         extraCommands = ''
-          mkdir -p var/log/angie var/cache/angie var/lib/angie run tmp etc/angie/http.d
-          chmod 1777 tmp
+          mkdir -p var/log/nginx var/cache/angie var/lib/angie run tmp etc/angie/http.d
+          chmod 1777 tmp run
           cp ${mainConf} etc/angie/angie.conf
         '';
         config = {
           Entrypoint = [ "${angie}/bin/angie" ];
           Cmd = [
+            "-c"
+            "/etc/angie/angie.conf"
             "-g"
             "daemon off;"
           ];