Commit graph

5 commits

Author SHA1 Message Date
Philip Peterson
097e3a312f Move KDE desktop to host; container becomes noVNC proxy only
The vnc-desktop container no longer runs a desktop environment. KDE Plasma
and Xvnc now run directly on the host via a vnc-kde systemd service, with
port 5901 firewalled to the podman bridge subnet only. The container is
reduced to a websockify bridge forwarding the noVNC web UI to hetzner-host:5901.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01 03:13:20 -07:00
6881cd74e1 vnc: increase desktop resolution to 1920x1080
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 21:04:59 -08:00
c51352e6fe fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks
  (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose
  arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so
  container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup
  doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by
  the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:36:36 -08:00
25b13b47e5 vnc: KDE Plasma desktop, local image build via systemd
Replace openbox with kde-plasma-desktop + konsole. Build the container
image locally via a oneshot systemd service (build-vnc-image) that runs
before arion-vnc-desktop on each boot. Nix hashes the Dockerfile and
start.sh at eval time so the build is skipped when nothing changed.
No registry push/pull required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:14:53 -08:00
d7109b6585 add VNC desktop container at vnc.quinefoundation.com
Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running
TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth.
Also switches all arion projects from docker to podman backend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 17:08:15 -08:00