From c51352e6fe7ea88852c6d51b96f914230bb274d3 Mon Sep 17 00:00:00 2001
From: Philip Peterson
Date: Mon, 25 May 2026 19:36:36 -0800
Subject: [PATCH] fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by the riverside entrypoint
Co-Authored-By: Claude Sonnet 4.6
---
 nixos/arion-riverside/arion-compose.nix | 1 +
 nixos/firewall.nix | 8 ++++++++
 nixos/linux.nix | 5 +++++
 nixos/vnc-desktop/start.sh | 3 +++
 4 files changed, 17 insertions(+)
diff --git a/nixos/arion-riverside/arion-compose.nix b/nixos/arion-riverside/arion-compose.nix
index 5a7c25f..2577efb 100644
--- a/nixos/arion-riverside/arion-compose.nix
+++ b/nixos/arion-riverside/arion-compose.nix
@@ -18,6 +18,7 @@
 DB_PASS = "drupal";
 SITE_NAME = "Portfolio";
 TRUSTED_HOST = "riverside.coldairnetworks.com";
+ ADMIN_PASS = "admin";
 };
 volumes = [
 "/var/riverside/files:/var/www/html/web/sites/default/files"
diff --git a/nixos/firewall.nix b/nixos/firewall.nix
index f3099cb..aeb679b 100644
--- a/nixos/firewall.nix
+++ b/nixos/firewall.nix
@@ -13,4 +13,12 @@
 9090 #sync.io
 ];
+
+ # Allow DNS from all podman bridge networks (10.89.0.0/16).
+ # NixOS auto-adds a rule for podman0 but not for networks created by
+ # docker-compose/arion (podman1, podman2, podman3…).
+ networking.firewall.extraCommands = ''
+ iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
+ iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
+ '';
 }
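Review bot: `ADMIN_PASS = "admin";` commits a guessable default credential for the Drupal admin account of a site whose `TRUSTED_HOST` is a public hostname, and a literal in a Nix expression is likely to end up in the generated compose file in the world-readable Nix store, not just in git history. The existing `DB_PASS = "drupal"` two lines up has the same shape, but this line is the one adding an externally reachable login. Consider sourcing the value from a root-only file outside the repo (compose's `env_file`, or the host's secrets mechanism) and leaving a comment such as `# ADMIN_PASS is consumed by the riverside entrypoint; keep it out of the Nix store`. If the entrypoint only needs the variable to be present, a clearly-marked placeholder value that is rotated on first login should at least be documented.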
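Review bot: The two `iptables -I nixos-fw -s 10.89.0.0/16 ...` rules match on source address only, so a packet carrying a forged 10.89.0.0/16 source that arrives on any other interface also reaches port 53 unless reverse-path filtering happens to drop it; pinning the rules to the bridge interfaces closes that gap, e.g. `iptables -I nixos-fw -i podman+ -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept` and the same with `-p tcp`. The 10.89.0.0/16 literal mirrors podman's default subnet pool and will silently stop matching if that pool is changed in containers.conf, so the comment should say where the range comes from. Also note, hedged, that `networking.firewall.extraCommands` is an iptables-only hook; if this host is ever moved to the nftables firewall backend these rules will need to be rewritten rather than carried over.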
diff --git a/nixos/linux.nix b/nixos/linux.nix
index f86b2cd..89c4570 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -115,6 +115,7 @@ in {
 systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
 systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
 systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
+ systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
 # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
 # Nix copies the build context into the store; the hash changes when Dockerfile or
@@ -210,6 +211,10 @@ in {
 defaultNetwork.settings.dns_enabled = true;
 };
+
+ # KDE Plasma spawns many threads; raise the default container pids limit (2048) to
+ # avoid "Thread creation error: Resource temporarily unavailable" in the VNC container.
+ virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;
+
 virtualisation.oci-containers = {
 backend = "podman";
diff --git a/nixos/vnc-desktop/start.sh b/nixos/vnc-desktop/start.sh
index fe604fd..aac2379 100644
--- a/nixos/vnc-desktop/start.sh
+++ b/nixos/vnc-desktop/start.sh
@@ -4,6 +4,9 @@ set -e
 mkdir -p /root/.vnc /root/.ssh
 chmod 700 /root/.ssh
+# Clean up stale X lock files from previous container runs
+rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
+
 # Set VNC password from environment
 echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
 chmod 600 /root/.vnc/passwd
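Review bot: `TasksMax = "infinity"` removes the systemd task cap for `arion-vnc-desktop` entirely, so a runaway process tree in that unit is bounded only by the 8192 container pids limit added further down in this file; a finite value comfortably above that limit, e.g. `systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "16384";`, keeps the cgroup backstop while still fixing the thread-creation failures. It is also worth confirming this setting actually applies, since the line above points `DOCKER_HOST` at `/run/podman/podman.sock` and containers started through that socket may not live in this service's cgroup at all (check with `systemd-cgls`); if they do not, the setting is a no-op and the pids_limit change alone is what fixed the symptom.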
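Review bot: `virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;` is a host-wide default that raises the pid cap for every podman container on this machine (the forgejo and riverside stacks referenced earlier in the file included), while the comment above it describes a VNC-container-specific need. If arion exposes compose's per-service `pids_limit`, setting it on the vnc-desktop service alone would keep the other containers at the old bound; otherwise the comment should state the wider effect, e.g. `# Host-wide podman default (affects all containers); raised for KDE Plasma in the VNC container.`.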
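Review bot: `rm -f /tmp/.X1-lock /tmp/.X11-unix/X1` deletes the display :1 lock unconditionally, so if start.sh is ever re-run inside a live container (a supervisor restart or a manual `podman exec`) while the previous Xvnc is still running, the second Xvnc no longer sees the lock and the two fight over the display and socket. Since the X lock file holds the owning PID, checking whether that process is still alive before removing the lock distinguishes a genuinely stale lock from a live one; the rewrite below does that and otherwise keeps the hunk's behaviour. The rest of start.sh (its shebang and the lines after the password setup) lies outside the hunk.
```shell
# Clean up stale X lock files from previous container runs, but refuse to
# clobber a lock whose owning Xvnc is still alive (start.sh re-run in a live container).
if [ -f /tmp/.X1-lock ] && kill -0 "$(tr -d ' ' < /tmp/.X1-lock)" 2>/dev/null; then
    echo "display :1 is still owned by a running Xvnc; not removing its lock" >&2
    exit 1
fi
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
# … unchanged: VNC password setup …
```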