fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks (10.89.0.0/16); NixOS only auto-adds a rule for podman0, but docker-compose/arion stacks land on podman1/2/3, where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
25b13b47e5
commit
c51352e6fe
4 changed files with 17 additions and 0 deletions
@ -18,6 +18,7 @@
|
||||||
DB_PASS = "drupal";
|
DB_PASS = "drupal";
|
||||||
SITE_NAME = "Portfolio";
|
SITE_NAME = "Portfolio";
|
||||||
TRUSTED_HOST = "riverside.coldairnetworks.com";
|
TRUSTED_HOST = "riverside.coldairnetworks.com";
|
||||||
|
ADMIN_PASS = "admin";
|
||||||
};
|
};
|
||||||
volumes = [
|
volumes = [
|
||||||
"/var/riverside/files:/var/www/html/web/sites/default/files"
|
"/var/riverside/files:/var/www/html/web/sites/default/files"
|
||||||
|
|
|
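Review bot: `ADMIN_PASS = "admin";` hard-codes the Drupal administrator password for the site named on the TRUSTED_HOST line into a Nix expression, so it is committed to the repository and, once evaluated, sits in the world-readable Nix store and shows up in the container's environment (e.g. `podman inspect`). The commit message says the entrypoint requires the variable, but the value should come from an out-of-store secret — for instance a root-only env file pulled in with the compose `env_file` key, in the spirit of start.sh insisting that VNC_PASSWORD be supplied at runtime — and `DB_PASS = "drupal";` a few lines up has the same weakness. If the literal must stay for now, mark it so it is not forgotten: `ADMIN_PASS = "admin"; # FIXME: placeholder — rotate on first login and move to a secret outside the Nix store`. The enclosing environment attribute set opens above this hunk.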
||||||
|
|
@ -13,4 +13,12 @@
|
||||||
|
|
||||||
9090 #sync.io
|
9090 #sync.io
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# Allow DNS from all podman bridge networks (10.89.0.0/16).
|
||||||
|
# NixOS auto-adds a rule for podman0 but not for networks created by
|
||||||
|
# docker-compose/arion (podman1, podman2, podman3…).
|
||||||
|
networking.firewall.extraCommands = ''
|
||||||
|
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
|
||||||
|
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
|
||||||
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
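Review bot: Both `iptables -I nixos-fw -s 10.89.0.0/16 ...` rules match on source address only, so a packet with a forged 10.89.x.x source arriving on the uplink is also accepted to port 53 unless reverse-path filtering happens to drop it; bind the rules to the bridge interfaces as well, e.g. `iptables -I nixos-fw -i podman+ -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept` and the same for TCP. With the iptables backend the NixOS-native form `networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];` (plus `allowedTCPPorts`) expresses the same thing without raw extraCommands, which as far as I know are not applied at all if the host is ever switched to the nftables-based firewall. The comment could also say where 10.89.0.0/16 comes from (podman's default subnet pool) so the rule is revisited if that setting changes. The enclosing module attribute set opens above this hunk.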
||||||
|
|
@ -115,6 +115,7 @@ in {
|
||||||
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||||
|
systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
|
||||||
|
|
||||||
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
|
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
|
||||||
# Nix copies the build context into the store; the hash changes when Dockerfile or
|
# Nix copies the build context into the store; the hash changes when Dockerfile or
|
||||||
|
|
@ -210,6 +211,10 @@ in {
|
||||||
defaultNetwork.settings.dns_enabled = true;
|
defaultNetwork.settings.dns_enabled = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# KDE Plasma spawns many threads; raise the default container pids limit (2048) to
|
||||||
|
# avoid "Thread creation error: Resource temporarily unavailable" in the VNC container.
|
||||||
|
virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;
|
||||||
|
|
||||||
virtualisation.oci-containers = {
|
virtualisation.oci-containers = {
|
||||||
backend = "podman";
|
backend = "podman";
|
||||||
|
|
||||||
|
|
|
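Review bot: `virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;` raises the default for every container podman runs on this host — forgejo and riverside included — even though the comment above it names only the VNC desktop as the reason; scope it to that one service instead (the compose `pids_limit` key on the vnc-desktop definition, if arion exposes it, or the equivalent podman `--pids-limit`) and keep the 2048 default for the web-facing stacks. In the earlier hunk, `systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";` removes that unit's fork ceiling entirely; since the unit drives podman over the socket (the DOCKER_HOST lines above it), the container's processes presumably sit under podman's own cgroup rather than this unit's, so confirm this limit was really the binding one, and if it was, prefer a finite value above the container limit such as `TasksMax = 16384;`. The enclosing `in { … }` set of both hunks starts and ends outside them.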
||||||
|
|
@ -4,6 +4,9 @@ set -e
|
||||||
mkdir -p /root/.vnc /root/.ssh
|
mkdir -p /root/.vnc /root/.ssh
|
||||||
chmod 700 /root/.ssh
|
chmod 700 /root/.ssh
|
||||||
|
|
||||||
|
# Clean up stale X lock files from previous container runs
|
||||||
|
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
|
||||||
|
|
||||||
# Set VNC password from environment
|
# Set VNC password from environment
|
||||||
echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
|
echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
|
||||||
chmod 600 /root/.vnc/passwd
|
chmod 600 /root/.vnc/passwd
|
||||||
|
|
|
||||||
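Review bot: `rm -f /tmp/.X1-lock /tmp/.X11-unix/X1` deletes the lock and socket unconditionally, which is only correct because this script runs once as the container entrypoint; if it is ever re-executed inside a live container, or /tmp/.X11-unix is shared with another display owner (these lines cannot tell), it pulls the lock out from under a running Xvnc. Reading the PID the lock records and refusing to continue while that process is alive keeps the stale-lock fix for the restart case and fails loudly otherwise. The remainder of the script continues below the hunk.

```shell
# Clean up stale X lock files from previous container runs. This script runs
# once as the entrypoint, so the lock normally belongs to a dead Xvnc; refuse
# to remove it if the PID it records is still alive.
if [ -e /tmp/.X1-lock ] && kill -0 "$(tr -d ' ' < /tmp/.X1-lock)" 2>/dev/null; then
    echo "Xvnc appears to be running on :1 (pid $(tr -d ' ' < /tmp/.X1-lock)); refusing to remove its lock" >&2
    exit 1
fi
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
# … unchanged: VNC password setup …
```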