Commit graph

259 commits

Author SHA1 Message Date
d329b6dc19 Bump hyper 2026-05-28 22:13:15 -08:00
0a3f236638 Bump riverside fix script 2026-05-28 17:42:30 -08:00
f61913dc90 Bump riverside 2026-05-28 17:39:47 -08:00
4c10105cbb Bump hyper 2026-05-28 16:04:38 -08:00
6e15ad142d extend withWww to philippeterson.com and coldairnetworks.com; drop fbksdigital
- philippeterson.com and coldairnetworks.com now use withWww, fixing the same
  www.* cert-mismatch problem that affected pdxdestiny.com
- fbksdigital.com vhost removed (disabled for now)
- ACME cyclic dependency list updated accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-28 15:47:02 -08:00
2624efbde8 add withWww helper and fix www.pdxdestiny.com cert mismatch
www.pdxdestiny.com had no vhost so nginx fell back to the coldairnetworks.com
cert. Added a withWww helper that generates apex + www redirect pair, and
wired up pdxdestiny.com as the first user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-28 15:44:30 -08:00
81a97f086e bump hyper 2026-05-27 21:55:51 -08:00
Philip Peterson
0954d0e8d7 Bump image 2026-05-27 22:55:15 -07:00
e0849cdb62 bump 2026-05-26 00:00:59 -08:00
0f6cc351d3 bump 2026-05-25 23:31:49 -08:00
0d678388e5 wip 2026-05-25 23:23:11 -08:00
005b8e62e5 wip 2026-05-25 23:19:34 -08:00
31bb508d8f wip 2026-05-25 23:13:54 -08:00
6881cd74e1 vnc: increase desktop resolution to 1920x1080
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 21:04:59 -08:00
6b7cc9f88b wip 2026-05-25 19:55:28 -08:00
855f5dbded fix VNC pid exhaustion: remove bluez loop, raise machine.slice limit
kded5 was activating org.bluez.obex in a tight loop (no BT hardware in
container), spawning thousands of obexd threads until the libpod scope hit
its TasksMax=9286 systemd default — causing fork failures and a 502.

- vnc-desktop/Dockerfile: purge bluez/bluez-obexd and delete D-Bus service
  activation files so kded5 can't trigger the loop
- linux.nix: machine.slice TasksMax=infinity so the libpod scope ceiling
  can't be hit by legitimate KDE thread counts
- linux.nix: containers.conf pids_limit=0 (unlimited) to let podman pass
  TasksMax=infinity to new container scopes

pids.current went from 9286 (exhausted) to 159 after the fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:53:28 -08:00
9a6bbc8015 move vnc-desktop from arion to oci-containers with --pids-limit=-1
docker-compose→podman-socket ignores containers.conf pids_limit and always
creates the container with PidsLimit=2048, which KDE Plasma exhausts causing
QThread creation failures and kcrash. Switching to virtualisation.oci-containers
uses podman run directly so --pids-limit=-1 (unlimited) is respected. cgroup
pids.max now shows "max" instead of 2048.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:43:53 -08:00
c51352e6fe fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks
  (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose
  arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so
  container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup
  doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by
  the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:36:36 -08:00
25b13b47e5 vnc: KDE Plasma desktop, local image build via systemd
Replace openbox with kde-plasma-desktop + konsole. Build the container
image locally via a oneshot systemd service (build-vnc-image) that runs
before arion-vnc-desktop on each boot. Nix hashes the Dockerfile and
start.sh at eval time so the build is skipped when nothing changed.
No registry push/pull required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:14:53 -08:00
24d6d22961 fix vnc htpasswd: correct username and valid apr1 hash
Previous secret had truncated hash and wrong username (admin).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:01:38 -08:00
359292b497 fix nginx/arion/runner failures introduced by podman switch
- Break systemd ordering deadlock: nginx.after mkForce removes
  DNS-challenge ACME services (philippeterson, webdav) from nginx's
  After list, which was creating a cycle through nginx-config-reload
  back to HTTP-webroot ACME services that need nginx Before them.

- Fix arion services not finding podman socket: arion NixOS module
  sets backend=podman-socket but doesn't inject DOCKER_HOST; add
  explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three
  arion projects.

- Fix gitea-runner startup race: add After/Wants on arion-forgejo so
  the runner doesn't try to register before Forgejo is up.

- Fix riverside image reference: pinned digest was stale after a
  re-push; switch to :latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 18:58:08 -08:00
3876bb177a use podman 2026-05-25 17:27:24 -08:00
5414b356c8 fix 2026-05-25 17:25:54 -08:00
66d0248203 add vnc secrets 2026-05-25 17:23:05 -08:00
6d27c40759 add VNC setup README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 17:15:30 -08:00
d7109b6585 add VNC desktop container at vnc.quinefoundation.com
Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running
TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth.
Also switches all arion projects from docker to podman backend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 17:08:15 -08:00
7b0482f2ff fix 2026-05-25 15:02:45 -08:00
96bed19729 fix 2026-05-25 14:43:03 -08:00
aa2fce1b7f fix riverside 2026-05-25 14:29:58 -08:00
14455adbf5 fix arion 2026-05-25 12:25:33 -08:00
5a17e00958 bump version of riverside 2026-05-25 12:10:14 -08:00
b583167dae bump version of riverside 2026-05-25 11:00:40 -08:00
bec97c3f17 ensure gitea-runner owns its ubuntu state dir
The directory was created by the old DynamicUser (uid 63182). Add a
tmpfiles rule to guarantee correct ownership after any rebuild.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 23:48:13 -08:00
8e9328e704 give gitea runner docker socket access
Create a persistent gitea-runner system user in the docker group instead
of relying on DynamicUser — supplementary groups were silently ignored
with DynamicUser=true, leaving the runner unable to reach the socket.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 23:46:25 -08:00
eaa3a8625b run gitea actions runner in host mode
Jobs now execute directly on the runner host rather than inside a docker
container, giving them access to Node.js, Docker, and other host tools
without needing a custom image.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 23:41:07 -08:00
2544666cc9 fixes 2026-05-24 23:31:05 -08:00
cfd7fc1d6a ubuntu runner 2026-05-24 23:03:36 -08:00
8f9028c7a5 tmux 2026-05-24 00:27:15 -08:00
524f751e0d try fix env var 2026-05-23 22:30:47 -08:00
425a7ba6d4 fix 2026-05-23 22:28:08 -08:00
e77a076c17 fix path 2026-05-23 22:19:31 -08:00
8003d7c038 Add postmark 2026-05-23 20:12:53 -08:00
b86e07f29e fix 2026-05-14 14:49:25 -08:00
8d4dae8dd9 Fix riverside port mapping, postgres volume path, and enable HTTPS
- Map container port 80 (not 8080) to host 3011
- Mount postgres data at /var/lib/postgresql (postgres 18 changed path)
- Set TRUSTED_HOST env var so Drupal accepts the hostname
- Enable ACME/HTTPS for riverside.coldairnetworks.com with HTTP→HTTPS redirect

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 14:33:31 -08:00
e3bad28a0a fix 2026-05-14 14:30:35 -08:00
9b8b06a693 fix 2026-05-14 14:25:52 -08:00
93506862ec Move riverside to arion with postgres companion service
riverside needs a postgres sidecar which oci-containers can't express.
Also adds docker to arion PATH (fixes forgejo-arion) and creates
/var/riverside/{files,postgres} state directories.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 14:23:42 -08:00
d0a9b5337f bump sha 2026-05-14 22:17:19 +00:00
c95df34f03 fix 2026-05-14 14:13:11 -08:00
4d3ebd9d91 Fix arion NIX_PATH so nix-instantiate can find nixpkgs
Systemd services don't source /etc/set-environment, so NIX_PATH was unset
when arion tried to evaluate arion-pkgs.nix via import <nixpkgs>.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 14:04:55 -08:00