add VNC desktop container at vnc.quinefoundation.com
Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth. Also switches all arion projects from docker to podman backend. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b0482f2ff
commit
d7109b6585
7 changed files with 109 additions and 1 deletions
18
nixos/arion-vnc/arion-compose.nix
Normal file
18
nixos/arion-vnc/arion-compose.nix
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
project.name = "vnc-desktop";
|
||||
|
||||
services.vnc = {
|
||||
service = {
|
||||
image = "forge.quinefoundation.com/ironmagma/vnc-desktop:latest";
|
||||
container_name = "vnc-desktop";
|
||||
restart = "unless-stopped";
|
||||
env_file = [ "/run/agenix/vnc-password" ];
|
||||
volumes = [
|
||||
"/root/.ssh:/root/host-ssh:ro"
|
||||
];
|
||||
extra_hosts = [ "hetzner-host:host-gateway" ];
|
||||
ports = [ "127.0.0.1:6080:6080" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
3
nixos/arion-vnc/arion-pkgs.nix
Normal file
3
nixos/arion-vnc/arion-pkgs.nix
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
import <nixpkgs> {
|
||||
system = "x86_64-linux";
|
||||
}
|
||||
|
|
@ -66,6 +66,16 @@ in {
|
|||
file = ./secrets/forgejo-runner-token.age;
|
||||
owner = "root";
|
||||
};
|
||||
|
||||
vnc-password = {
|
||||
file = ./secrets/vnc-password.age;
|
||||
owner = "root";
|
||||
};
|
||||
|
||||
vnc-htpasswd = {
|
||||
file = ./secrets/vnc-htpasswd.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
|
|
@ -93,9 +103,10 @@ in {
|
|||
];
|
||||
|
||||
virtualisation.arion = {
|
||||
backend = "docker";
|
||||
backend = "podman";
|
||||
projects.forgejo.settings = import ./arion/arion-compose.nix;
|
||||
projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
|
||||
projects.vnc-desktop.settings = import ./arion-vnc/arion-compose.nix;
|
||||
};
|
||||
|
||||
services.gitea-actions-runner.instances."ubuntu" = {
|
||||
|
|
|
|||
|
|
@ -200,6 +200,23 @@
|
|||
};
|
||||
};
|
||||
|
||||
"vnc.quinefoundation.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
basicAuthFile = config.age.secrets.vnc-htpasswd.path;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:6080/";
|
||||
extraConfig = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_read_timeout 86400;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"forge.quinefoundation.com-https" = {
|
||||
serverName = "forge.quinefoundation.com";
|
||||
enableACME = true;
|
||||
|
|
|
|||
|
|
@ -17,4 +17,11 @@ in {
|
|||
|
||||
# TOKEN=<forgejo runner registration token from Forgejo admin>
|
||||
"./forgejo-runner-token.age".publicKeys = [mainframePublicKey];
|
||||
|
||||
# VNC_PASSWORD=<vnc session password>
|
||||
"./vnc-password.age".publicKeys = [mainframePublicKey];
|
||||
|
||||
# htpasswd-format credentials for nginx basic auth on vnc.quinefoundation.com
|
||||
# Generate with: htpasswd -n <username>
|
||||
"./vnc-htpasswd.age".publicKeys = [mainframePublicKey];
|
||||
}
|
||||
|
|
|
|||
23
nixos/vnc-desktop/Dockerfile
Normal file
23
nixos/vnc-desktop/Dockerfile
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
FROM ubuntu:24.04
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
RUN apt-get update && apt-get install -y \
|
||||
tigervnc-standalone-server \
|
||||
tigervnc-common \
|
||||
novnc \
|
||||
python3-websockify \
|
||||
openbox \
|
||||
xterm \
|
||||
x11-utils \
|
||||
xfonts-base \
|
||||
dbus-x11 \
|
||||
openssh-client \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY start.sh /start.sh
|
||||
RUN chmod +x /start.sh
|
||||
|
||||
EXPOSE 6080
|
||||
|
||||
CMD ["/start.sh"]
|
||||
29
nixos/vnc-desktop/start.sh
Normal file
29
nixos/vnc-desktop/start.sh
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
mkdir -p /root/.vnc /root/.ssh
|
||||
chmod 700 /root/.ssh
|
||||
|
||||
# Set VNC password from environment
|
||||
echo "${VNC_PASSWORD:?VNC_PASSWORD must be set}" | vncpasswd -f > /root/.vnc/passwd
|
||||
chmod 600 /root/.vnc/passwd
|
||||
|
||||
# Start Xvnc (headless X server + VNC server in one)
|
||||
Xvnc :1 \
|
||||
-rfbport 5901 \
|
||||
-SecurityTypes VncAuth \
|
||||
-PasswordFile /root/.vnc/passwd \
|
||||
-geometry 1280x800 \
|
||||
-depth 24 \
|
||||
-AlwaysShared \
|
||||
&
|
||||
|
||||
export DISPLAY=:1
|
||||
sleep 2
|
||||
|
||||
# Start window manager and initial terminal
|
||||
openbox-session &
|
||||
xterm &
|
||||
|
||||
# Serve noVNC web UI + bridge WebSocket -> VNC
|
||||
exec websockify --web /usr/share/novnc 6080 localhost:5901
|
||||
Loading…
Reference in a new issue