move vnc-desktop from arion to oci-containers with --pids-limit=-1

arion's docker-compose→podman-socket path ignores the containers.conf pids_limit and always
creates the container with PidsLimit=2048, which KDE Plasma exhausts, causing
QThread creation failures and kcrash. Switching to virtualisation.oci-containers
uses podman run directly so --pids-limit=-1 (unlimited) is respected. cgroup
pids.max now shows "max" instead of 2048.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip Peterson 2026-05-25 19:43:53 -08:00
parent c51352e6fe
commit 9a6bbc8015


@ -106,7 +106,6 @@ in {
backend = "podman-socket"; backend = "podman-socket";
projects.forgejo.settings = import ./arion/arion-compose.nix; projects.forgejo.settings = import ./arion/arion-compose.nix;
projects.riverside.settings = import ./arion-riverside/arion-compose.nix; projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
}; };
# The arion NixOS module sets backend = "podman-socket" but doesn't inject # The arion NixOS module sets backend = "podman-socket" but doesn't inject
@ -114,16 +113,14 @@ in {
# (no daemon). Point it at the podman-compatible socket instead. # (no daemon). Point it at the podman-compatible socket instead.
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed. # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
# Nix copies the build context into the store; the hash changes when Dockerfile or # Nix copies the build context into the store; the hash changes when Dockerfile or
# start.sh change, triggering a rebuild on the next nixos-rebuild switch. # start.sh change, triggering a rebuild on the next nixos-rebuild switch.
systemd.services.build-vnc-image = { systemd.services.build-vnc-image = {
description = "Build VNC desktop container image from Dockerfile"; description = "Build VNC desktop container image from Dockerfile";
wantedBy = [ "arion-vnc-desktop.service" ]; wantedBy = [ "podman-vnc-desktop.service" ];
before = [ "arion-vnc-desktop.service" ]; before = [ "podman-vnc-desktop.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
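Review bot: Changing `wantedBy`/`before` to `podman-vnc-desktop.service` keeps only a soft ordering, so if `build-vnc-image` fails the container unit still starts and `podman run` under its default pull policy will try to fetch `forge.quinefoundation.com/ironmagma/vnc-desktop:latest` from the registry rather than using the local build; `requiredBy = [ "podman-vnc-desktop.service" ];` together with `"--pull=never"` in the container's `extraOptions` pins it to the locally built image. The removed `TasksMax = "infinity"` is not carried over, so the new unit runs under systemd's default TasksMax; whether that bounds the container's own processes depends on podman's cgroup manager, so it is worth checking `pids.max` on the service cgroup as well as on the container's. The replacement `--pids-limit=-1` in the hunk below lifts the per-container process limit entirely, leaving a runaway process in the desktop container bounded only by the host; a large finite value such as `--pids-limit=16384` would avoid the 2048 exhaustion without giving up that guard. The `build-vnc-image` unit's `serviceConfig` continues past the end of this hunk.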
@ -229,6 +226,18 @@ in {
# ports = ["8081:80"]; # ports = ["8081:80"];
# }; # };
"vnc-desktop" = {
autoStart = true;
image = "forge.quinefoundation.com/ironmagma/vnc-desktop:latest";
environmentFiles = [ config.age.secrets.vnc-password.path ];
volumes = [ "/root/.ssh:/root/host-ssh:ro" ];
ports = [ "127.0.0.1:6080:6080" ];
extraOptions = [
"--add-host=hetzner-host:host-gateway"
"--pids-limit=-1"
];
};
"navidrome" = { "navidrome" = {
autoStart = true; autoStart = true;
environment = { environment = {