From 9a6bbc8015897c06c03be25cd8f1103b6fc4ba55 Mon Sep 17 00:00:00 2001
From: Philip Peterson
Date: Mon, 25 May 2026 19:43:53 -0800
Subject: [PATCH] move vnc-desktop from arion to oci-containers with --pids-limit=-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker-compose→podman-socket ignores containers.conf pids_limit and always creates the container with PidsLimit=2048, which KDE Plasma exhausts causing QThread creation failures and kcrash. Switching to virtualisation.oci-containers uses podman run directly so --pids-limit=-1 (unlimited) is respected. cgroup pids.max now shows "max" instead of 2048.

Co-Authored-By: Claude Sonnet 4.6
---
 nixos/linux.nix | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/nixos/linux.nix b/nixos/linux.nix
index 89c4570..051db92 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -106,7 +106,6 @@ in {
 backend = "podman-socket";
 projects.forgejo.settings = import ./arion/arion-compose.nix;
 projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
- projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
 };
 
 # The arion NixOS module sets backend = "podman-socket" but doesn't inject
@@ -114,16 +113,14 @@ in {
 # (no daemon). Point it at the podman-compatible socket instead.
 systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
 systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
- systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
- systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
 
 # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
 # Nix copies the build context into the store; the hash changes when Dockerfile or
 # start.sh change, triggering a rebuild on the next nixos-rebuild switch.
 systemd.services.build-vnc-image = {
 description = "Build VNC desktop container image from Dockerfile";
- wantedBy = [ "arion-vnc-desktop.service" ];
- before = [ "arion-vnc-desktop.service" ];
+ wantedBy = [ "podman-vnc-desktop.service" ];
+ before = [ "podman-vnc-desktop.service" ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -229,6 +226,18 @@ in {
 # ports = ["8081:80"];
 # };
 
+ "vnc-desktop" = {
+ autoStart = true;
+ image = "forge.quinefoundation.com/ironmagma/vnc-desktop:latest";
+ environmentFiles = [ config.age.secrets.vnc-password.path ];
+ volumes = [ "/root/.ssh:/root/host-ssh:ro" ];
+ ports = [ "127.0.0.1:6080:6080" ];
+ extraOptions = [
+ "--add-host=hetzner-host:host-gateway"
+ "--pids-limit=-1"
+ ];
+ };
+
 "navidrome" = {
 autoStart = true;
 environment = {
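Review bot: `before = [ "podman-vnc-desktop.service" ]` together with `wantedBy` only orders the local image build ahead of the container; it does not make the container depend on the build succeeding, so a failed or skipped build still lets podman-vnc-desktop.service start, and if I read the oci-containers module correctly podman run will then fall back to pulling `forge.quinefoundation.com/ironmagma/vnc-desktop:latest` from the registry, which the comment just above says is not intended. Adding `requiredBy = [ "podman-vnc-desktop.service" ];` beside `wantedBy` ties the container to a successful build, and `"--pull=never"` in the new container's extraOptions (the `"vnc-desktop"` block in the last hunk) closes the silent-pull path so the image actually run is always the locally built one. The build-vnc-image serviceConfig continues outside the hunk, so I cannot see how the built image is tagged; it has to match the `image` string exactly for either of these to hold.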
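Review bot: `volumes = [ "/root/.ssh:/root/host-ssh:ro" ]` mounts the host root user's entire SSH directory, which typically holds private keys, into a desktop container reachable through the port published on 127.0.0.1:6080; the read-only flag prevents tampering but not disclosure of those keys to anything running inside the desktop session. A dedicated key generated for the container, restricted on the host side in `authorized_keys` (`command=` and `from=` limited to the container network), and mounted as a single file, e.g. `"/root/.ssh/vnc_desktop_ed25519:/root/host-ssh/id_ed25519:ro"` (constructed name), would bound what a compromise of the desktop can reach. Separately, `"--pids-limit=-1"` removes the pids cgroup ceiling entirely rather than raising it; a generous finite value such as `"--pids-limit=16384"` should still cure the Plasma QThread failures described in the commit message while keeping a runaway process tree in the container from exhausting the host's PID space. Whether the SSH mount is carried over from the old arion-vnc compose file is not visible in this diff.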