fix riverside DNS, VNC stale lock, and pids limit

- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks
  (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose
  arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so
  container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup
  doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by
  the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip Peterson 2026-05-25 19:36:36 -08:00
parent 25b13b47e5
commit c51352e6fe
4 changed files with 17 additions and 0 deletions


@ -18,6 +18,7 @@
DB_PASS = "drupal"; DB_PASS = "drupal";
SITE_NAME = "Portfolio"; SITE_NAME = "Portfolio";
TRUSTED_HOST = "riverside.coldairnetworks.com"; TRUSTED_HOST = "riverside.coldairnetworks.com";
ADMIN_PASS = "admin";
}; };
volumes = [ volumes = [
"/var/riverside/files:/var/www/html/web/sites/default/files" "/var/riverside/files:/var/www/html/web/sites/default/files"
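Review bot: `ADMIN_PASS = "admin";` commits a weak literal credential into the Nix expression, and because the generated compose file is realised into the world-readable Nix store, every local account on the host can read it (the existing `DB_PASS = "drupal";` two lines up has the same shape, and TRUSTED_HOST shows this stack serves a public hostname). Prefer sourcing it from a root-only file outside the store — a compose-level `env_file`, or whatever secret path the repo already uses — and leave a comment in its place such as `# ADMIN_PASS: riverside admin password; supplied via env_file, never a literal here`. If the entrypoint merely requires the variable to be present for an initial install, the commit message should say that the value is a bootstrap default expected to be rotated on first login.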


@ -13,4 +13,12 @@
9090 #sync.io 9090 #sync.io
]; ];
# Allow DNS from all podman bridge networks (10.89.0.0/16).
# NixOS auto-adds a rule for podman0 but not for networks created by
# docker-compose/arion (podman1, podman2, podman3…).
networking.firewall.extraCommands = ''
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
'';
} }
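Review bot: The two inserted rules match on source address only, so a packet carrying a 10.89.0.0/16 source is accepted on any interface, not just the podman bridges; binding them to the bridge interfaces narrows the accept to the intended path: `iptables -I nixos-fw -i podman+ -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept` and the same line with `-p tcp`. `networking.firewall.extraCommands` is also iptables-only and, as far as I recall, rejected rather than honoured once `networking.nftables.enable = true` (extraInputRules is the nftables counterpart — confirm against the NixOS firewall module), so a line like `# iptables backend only: extraCommands is not applied under nftables.` above the option would save the next person a surprise.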


@ -115,6 +115,7 @@ in {
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-vnc-desktop.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "infinity";
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed. # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
# Nix copies the build context into the store; the hash changes when Dockerfile or # Nix copies the build context into the store; the hash changes when Dockerfile or
@ -210,6 +211,10 @@ in {
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
# KDE Plasma spawns many threads; raise the default container pids limit (2048) to
# avoid "Thread creation error: Resource temporarily unavailable" in the VNC container.
virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "podman"; backend = "podman";
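Review bot: `TasksMax = "infinity"` on the arion-vnc-desktop service removes the per-service thread/fork ceiling entirely, while the companion `pids_limit = 8192` in the second hunk bounds the container; a finite service value above the container cap, e.g. `systemd.services.arion-vnc-desktop.serviceConfig.TasksMax = "16384";`, delivers the KDE fix without discarding that cgroup guard. Since the service reaches podman through `DOCKER_HOST = "unix:///run/podman/podman.sock"`, the containers are presumably spawned by the podman socket service rather than inside this unit's cgroup, so it is worth confirming with `systemd-cgls` that this TasksMax is the limit actually being hit. Note too that `containersConf.settings.containers.pids_limit` raises the ceiling for every container on the host, not only the VNC desktop; a per-service `pids_limit` in the vnc-desktop compose file would confine the change to the workload that needs it, and the comment on the option should say the setting is host-wide.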


@ -4,6 +4,9 @@ set -e
mkdir -p /root/.vnc /root/.ssh mkdir -p /root/.vnc /root/.ssh
chmod 700 /root/.ssh chmod 700 /root/.ssh
# Clean up stale X lock files from previous container runs
rm -f /tmp/.X1-lock /tmp/.X11-unix/X1
# Set VNC password from environment # Set VNC password from environment
echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
chmod 600 /root/.vnc/passwd chmod 600 /root/.vnc/passwd
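Review bot: `rm -f /tmp/.X1-lock /tmp/.X11-unix/X1` removes the lock unconditionally, which is right for a fresh container but also discards a live server's lock and socket if the script is ever re-entered while Xvnc :1 is still running (for instance with a persisted /tmp). Testing the pid recorded in the lock keeps the stale-lock fix and the protection: `if [ -f /tmp/.X1-lock ] && ! kill -0 $(cat /tmp/.X1-lock) 2>/dev/null; then` / `  rm -f /tmp/.X1-lock /tmp/.X11-unix/X1` / `fi`. The guarded form behaves the same under the `set -e` shown in the hunk header, because neither the test nor `rm -f` aborts the script. The rest of start.sh lies outside the hunk.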