fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks (10.89.0.0/16); NixOS only auto-adds a rule for podman0, but docker-compose arion stacks land on podman1/2/3, where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
25b13b47e5
commit
c51352e6fe
4 changed files with 17 additions and 0 deletions
@ -18,6 +18,7 @@
|
|||
DB_PASS = "drupal";
|
||||
SITE_NAME = "Portfolio";
|
||||
TRUSTED_HOST = "riverside.coldairnetworks.com";
|
||||
ADMIN_PASS = "admin";
|
||||
};
|
||||
volumes = [
|
||||
"/var/riverside/files:/var/www/html/web/sites/default/files"
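Review bot: `ADMIN_PASS = "admin";` commits a literal, guessable administrator password into the Nix expression, and what arion evaluates into the compose file most likely ends up in the world-readable Nix store as well as in the container's environment; if TRUSTED_HOST reflects a publicly reachable site, that is a live weak credential rather than a development default. Prefer sourcing it from a secret kept outside the store (an env file the compose service reads, or whatever secret mechanism the host already uses) and leave only a placeholder in the repository; the existing `DB_PASS = "drupal";` above has the same shape, though the commit does not touch it. At minimum the line should carry a comment stating its intent, e.g. `# bootstrap-only value consumed by the entrypoint; rotate after first login`. The enclosing attribute set begins outside the hunk.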
|
||||
@ -13,4 +13,12 @@
|
|||
|
||||
9090 #sync.io
|
||||
];
|
||||
|
||||
# Allow DNS from all podman bridge networks (10.89.0.0/16).
|
||||
# NixOS auto-adds a rule for podman0 but not for networks created by
|
||||
# docker-compose/arion (podman1, podman2, podman3…).
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
|
||||
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
|
||||
'';
|
||||
}
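Review bot: The two `iptables -I nixos-fw -s 10.89.0.0/16 …` rules match on source address only, so a packet arriving on any interface with a 10.89.x.x source (spoofed, or from a misrouted peer) is accepted to the host resolver; adding an interface match, `-i podman+`, ties the exception to the bridges it is meant for. The same effect is available declaratively as `networking.firewall.interfaces."podman+" = { allowedUDPPorts = [ 53 ]; allowedTCPPorts = [ 53 ]; };` (the interface name is passed through as an iptables wildcard), which survives a firewall reload without re-running shell and avoids `extraCommands`, which as far as I know is not supported if the host ever switches to the nftables firewall backend. Either way the comment should say that 10.89.0.0/16 is podman's default subnet pool and must be updated if the podman network configuration changes it.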
@ -115,6 +115,7 @@ in {
|
|||
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
|
||||
|
||||
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
|
||||
# Nix copies the build context into the store; the hash changes when Dockerfile or
|
||||
@ -210,6 +211,10 @@ in {
|
|||
defaultNetwork.settings.dns_enabled = true;
|
||||
};
|
||||
|
||||
# KDE Plasma spawns many threads; raise the default container pids limit (2048) to
|
||||
# avoid "Thread creation error: Resource temporarily unavailable" in the VNC container.
|
||||
virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;
|
||||
|
||||
virtualisation.oci-containers = {
|
||||
backend = "podman";
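Review bot: `TasksMax = "infinity"` on arion-vnc-desktop removes the unit's cgroup task bound entirely, while the `pids_limit = 8192` added in the second hunk already gives the container the headroom the commit message describes; a finite value somewhat above that limit keeps a host-side ceiling on a runaway container or compose process, e.g. `systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = 16384;` (constructed value). It is also worth confirming which cgroup the Plasma threads actually land in: with `DOCKER_HOST` pointing at `/run/podman/podman.sock` the containers are created by the podman service and may not sit under this unit at all, in which case the `TasksMax` change is inert and `pids_limit` is the real fix. The `pids_limit` setting in containers.conf also applies to every podman container on the host, not only the VNC one, and its comment should say so.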
|
||||
|
||||
@ -4,6 +4,9 @@ set -e
|
|||
mkdir -p /root/.vnc /root/.ssh
|
||||
chmod 700 /root/.ssh
|
||||
|
||||
# Clean up stale X lock files from previous container runs
|
||||
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
|
||||
|
||||
# Set VNC password from environment
|
||||
echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
|
||||
chmod 600 /root/.vnc/passwd
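Review bot: `rm -f /tmp/.X1-lock /tmp/.X11-unix/X1` unconditionally unlinks the socket of a live Xvnc if the script is ever re-run inside an already-running container or if /tmp is a persisted volume, leaving the server running but unreachable; the comment should record the precondition, e.g. `# Safe only at container start: no Xvnc from a previous run can still be alive here.` Checking the pid stored in the lock file with `kill -0` would not be a reliable guard in a fresh container because low pids are reused, so documenting the assumption is the better fix. The enclosing script continues outside the hunk.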
|
||||