vnc tweaks
This commit is contained in:
parent
33d2ae427a
commit
bc38566d5c
2 changed files with 34 additions and 19 deletions
@ -31,6 +31,7 @@ nixos-rebuild switch --flake /root/petersweb-infra/nixos#mainframe
| `keys/` | SSH public keys used as age recipients |
| `system/` | User definitions and home-manager config |
| `pdxdestiny/` | Static site files for pdxdestiny.com |
| `vnc-desktop/` | Dockerfile + build scripts for the KDE Plasma VNC desktop container |
## Secrets (agenix)
@ -75,19 +76,32 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
| `gitea-runner-ubuntu.service` | Forgejo (Gitea) Actions CI runner, uses docker images |
| `forgejo-arion.service` | Forgejo itself, run via Arion/Podman |
| `riverside-arion.service` | Riverside app, run via Arion/Docker |
| `docker-navidrome.service` | Navidrome music server on port 4533 |
| `docker-nextcloud.service` | Nextcloud/SSH container on port 8087 |
| `docker-sync.io.service` | sync.io app on port 9090 |
| `docker-blog-quine.service` | Blog on port 3010 |
| `docker-coldairnetworks.service` | Cold Air Networks site on port 3012 |
| `podman-navidrome.service` | Navidrome music server on port 4533 |
| `podman-nextcloud.service` | Nextcloud/SSH container on port 8087 |
| `podman-sync.io.service` | sync.io app on port 9090 |
| `podman-blog-quine.service` | Blog on port 3010 |
| `podman-coldairnetworks.service` | Cold Air Networks site on port 3012 |
| `podman-vnc-desktop.service` | KDE Plasma desktop, noVNC on port 6080 (localhost only) |
| `build-vnc-image.service` | Builds the VNC desktop image from `vnc-desktop/`; runs before `podman-vnc-desktop` |
| nginx | Reverse proxy + ACME certs for multiple domains |
## Virtualisation
- **Podman** is used for Forgejo (via Arion). `DOCKER_HOST` for the gitea-runner is set to `unix:///run/podman/podman.sock`.
- **Docker** is used for the OCI containers (navidrome, nextcloud, etc.) and the riverside Arion stack.
- **Podman** is used for all OCI containers (`virtualisation.oci-containers.backend = "podman"`) — navidrome, nextcloud, blog, VNC desktop, etc. — and for Forgejo via Arion.
- **Docker** is still present for the Riverside Arion stack.
- `DOCKER_HOST` for the gitea-runner is set to `unix:///run/podman/podman.sock`.
- The gitea-runner runs docker images for CI jobs, so the `gitea-runner` user is in the `docker` and `podman` supplementary groups.
## VNC desktop
`podman-vnc-desktop.service` runs a KDE Plasma desktop inside a container, accessible via noVNC at `localhost:6080` (reverse-proxied by nginx). The image is built locally — no registry involved.
- **Image source**: `vnc-desktop/Dockerfile` (Ubuntu 24.04, TigerVNC, KDE, Firefox, patched Discover)
- **Auto-rebuild**: `build-vnc-image.service` runs on boot and on `nixos-rebuild switch` whenever `vnc-desktop/` changes. The trigger is `vncContext = builtins.path { path = ./vnc-desktop; }` — a Nix store path that invalidates when any file in the directory changes.
- **Auto-restart**: `podman-vnc-desktop.service` has `restartTriggers = [ vncContext ]`, so the container restarts automatically after a rebuild during `nixos-rebuild switch`.
- **Secrets**: `VNC_PASSWORD` and `ROOT_PASSWORD` come from `age.secrets.vnc-password`.
- **Discover logging**: `vnc-desktop/discover-logging/` contains a build-time patch (`patch.py`) that instruments `PKTransaction.cpp` with `qWarning` calls to diagnose hanging installs. Logs visible via `podman logs vnc-desktop`.
## Networking / DNS
- Dynamic DNS via `invoke-ddns` (NearlyFreeSpeech provider).
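Review bot: the Virtualisation bullet that puts the `gitea-runner` user in the `docker` and `podman` supplementary groups should say plainly that membership in either group is root-equivalent on the host (a job can start a container with a host bind mount or `--privileged` through the socket), so every Forgejo Actions job dispatched to this runner runs with that trust; the README should state which repositories may use the runner and whether `unix:///run/podman/podman.sock` is the rootful socket. Two smaller gaps in the same hunk: the services table marks noVNC on port 6080 as `localhost only` while the VNC desktop section says it is reverse-proxied by nginx, so document the public hostname and what authenticates a browser before it reaches the VNC password prompt; and the Secrets bullet should say how `VNC_PASSWORD` and `ROOT_PASSWORD` get from `age.secrets.vnc-password` into the container, because values passed as container environment variables are readable with `podman inspect` by anyone who can use the socket.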
@ -2,6 +2,18 @@ FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
# Set up Mozilla apt repo before installing KDE so the priority-1000 pin is
# already in place when kde-plasma-desktop resolves Firefox — otherwise apt
# installs Ubuntu's snap stub first and the real Firefox never displaces it.
RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates gnupg \
&& wget -qO- https://packages.mozilla.org/apt/repo-signing-key.gpg \
| gpg --dearmor > /usr/share/keyrings/packages.mozilla.org.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/packages.mozilla.org.gpg] https://packages.mozilla.org/apt mozilla main" \
> /etc/apt/sources.list.d/mozilla.list \
&& printf 'Package: *\nPin: origin packages.mozilla.org\nPin-Priority: 1000\n' \
> /etc/apt/preferences.d/mozilla \
&& rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y \
tigervnc-standalone-server \
tigervnc-common \
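Review bot: the `wget -qO- … | gpg --dearmor > …` pipeline in the new RUN layer runs under `/bin/sh -c` without `pipefail`, so the layer's exit status is `gpg`'s rather than `wget`'s and a failed or truncated download can pass this step with an empty or partial keyring; the problem then only surfaces as a signature error at the next `apt-get update`. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` above this RUN (or `set -o pipefail` inside it), and consider comparing the downloaded key's fingerprint against the one Mozilla publishes in its apt setup instructions before writing it to `/usr/share/keyrings/`, since this key is what authorises every package the priority-1000 pin later prefers over Ubuntu's.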
@ -14,6 +26,7 @@ RUN apt-get update && apt-get install -y \
dbus-x11 \
openssh-client \
curl \
firefox \
&& rm -rf /var/lib/apt/lists/*
# Remove Bluetooth stack — obexd gets activated in a tight loop by kded5
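Review bot: `firefox` is now resolved in the same `apt-get install` transaction as the KDE packages, and the whole point of the pin (per the comment in the previous hunk) is that the Mozilla build wins over Ubuntu's snap stub, yet nothing in the build asserts that it did. Add a check after this layer, e.g. `RUN test -x /usr/lib/firefox/firefox`, which Mozilla's deb installs and the transitional snap package does not, so an image that silently fell back to the stub fails the build instead of shipping. This RUN also lacks `--no-install-recommends`, unlike the layer above; that is pre-existing, but worth aligning while the package list is being touched.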
@ -22,18 +35,6 @@ RUN apt-get purge -y --auto-remove bluez bluez-obexd 2>/dev/null || true; \
rm -f /usr/share/dbus-1/services/org.bluez.obex.service \
/usr/share/dbus-1/system-services/org.bluez.service
# Firefox via Mozilla apt repo (Ubuntu 24.04 ships Firefox as snap by default)
RUN apt-get install -y --no-install-recommends wget ca-certificates gnupg \
&& wget -qO- https://packages.mozilla.org/apt/repo-signing-key.gpg \
| gpg --dearmor > /usr/share/keyrings/packages.mozilla.org.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/packages.mozilla.org.gpg] https://packages.mozilla.org/apt mozilla main" \
> /etc/apt/sources.list.d/mozilla.list \
&& printf 'Package: *\nPin: origin packages.mozilla.org\nPin-Priority: 1000\n' \
> /etc/apt/preferences.d/mozilla \
&& apt-get update \
&& apt-get install -y --no-install-recommends firefox \
&& rm -rf /var/lib/apt/lists/*
COPY discover-logging/ /discover-logging/
RUN chmod +x /discover-logging/build.sh && /discover-logging/build.sh