The vnc-desktop container no longer runs a desktop environment. KDE Plasma
and Xvnc now run directly on the host via a vnc-kde systemd service, with
port 5901 firewalled to the podman bridge subnet only. The container is
reduced to a websockify bridge forwarding the noVNC web UI to hetzner-host:5901.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- philippeterson.com and coldairnetworks.com now use withWww, fixing the same
www.* cert-mismatch problem that affected pdxdestiny.com
- fbksdigital.com vhost removed (disabled for now)
- ACME cyclic dependency list updated accordingly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
www.pdxdestiny.com had no vhost so nginx fell back to the coldairnetworks.com
cert. Added a withWww helper that generates apex + www redirect pair, and
wired up pdxdestiny.com as the first user.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
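One way to write the apex + www pair described in the two commits above, as an added NixOS snippet and not the repository's own withWww helper (the backend address and document root are assumed; the domain names come from the commit messages):

```nix
# Added illustration of the withWww idea: for each apex domain produce two
# services.nginx.virtualHosts entries, the apex itself and www.<apex>.
# The www vhost carries its own ACME certificate and redirects to the apex.
# Without a www vhost nginx falls back to its default server block and
# presents whatever certificate that block holds, which is the cert
# mismatch the commits describe. Backend/root values below are assumed.
{ ... }:
let
  withWww = domain: vhost: {
    "${domain}" = vhost // {
      enableACME = true;
      forceSSL = true;
    };
    "www.${domain}" = {
      enableACME = true;          # www gets a cert for its own name
      forceSSL = true;
      globalRedirect = domain;    # every request is redirected to the apex
    };
  };
in
{
  services.nginx.virtualHosts =
    withWww "pdxdestiny.com" {
      locations."/".proxyPass = "http://127.0.0.1:8080";  # assumed backend
    }
    // withWww "philippeterson.com" {
      root = "/var/www/philippeterson";                   # assumed docroot
    }
    // withWww "coldairnetworks.com" {
      root = "/var/www/coldairnetworks";                  # assumed docroot
    };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.invalid"; # placeholder
}
```

To confirm the fix from outside, connect with the www name as SNI and inspect the subject alternative names of the returned certificate, for example `openssl s_client -connect host:443 -servername www.pdxdestiny.com </dev/null | openssl x509 -noout -ext subjectAltName`; before the change the list would have shown the fallback vhost's names rather than the requested one.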
kded5 was activating org.bluez.obex in a tight loop (no BT hardware in
container), spawning thousands of obexd threads until the libpod scope hit
its TasksMax=9286 systemd default — causing fork failures and a 502.
- vnc-desktop/Dockerfile: purge bluez/bluez-obexd and delete D-Bus service
activation files so kded5 can't trigger the loop
- linux.nix: machine.slice TasksMax=infinity so the libpod scope ceiling
can't be hit by legitimate KDE thread counts
- linux.nix: containers.conf pids_limit=0 (unlimited) to let podman pass
TasksMax=infinity to new container scopes
pids.current went from 9286 (exhausted) to 159 after the fix.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docker-compose→podman-socket ignores containers.conf pids_limit and always
creates the container with PidsLimit=2048, which KDE Plasma exhausts causing
QThread creation failures and kcrash. Switching to virtualisation.oci-containers
uses podman run directly so --pids-limit=-1 (unlimited) is respected. cgroup
pids.max now shows "max" instead of 2048.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
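The three settings the two commits above describe (containers.conf pids_limit, the machine.slice TasksMax, and running the container through virtualisation.oci-containers with an unlimited pids limit), collected into one added NixOS snippet. This is an illustration, not the host's linux.nix; the container name, image tag and published port are assumed.

```nix
# Added illustration, not the host's own configuration.
{ ... }:
{
  # containers.conf: pids_limit = 0 means "unlimited", so podman does not
  # impose its own default pids ceiling on new container scopes.
  virtualisation.containers.containersConf.settings.containers.pids_limit = 0;

  # libpod-*.scope units live under machine.slice; lifting TasksMax there
  # keeps the systemd default (9286 on the host in the commit message) from
  # capping a desktop environment's legitimate thread count.
  systemd.slices.machine.sliceConfig.TasksMax = "infinity";

  # oci-containers runs `podman run` directly, so --pids-limit=-1 is honoured.
  # Going through docker-compose -> podman socket ignored pids_limit and
  # always created the container with PidsLimit=2048.
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers.vnc-desktop = {
    image = "localhost/vnc-desktop:latest";   # assumed local image name
    ports = [ "127.0.0.1:6080:6080" ];        # assumed websockify port
    extraOptions = [ "--pids-limit=-1" ];
  };
}
```

Check the result on the host with `systemctl show -p TasksMax,TasksCurrent <libpod scope>` and by reading `pids.max` / `pids.current` in the container's cgroup directory: `pids.max` should read `max`. Keep in mind what the unlimited ceiling gives up: the obexd activation loop in the earlier commit was contained only because the scope hit its TasksMax; with the ceiling removed, a comparable runaway would be bounded by the host's pid_max instead, so the Dockerfile change that removes the trigger is the part of that fix doing the real containment work, and a large finite TasksMax is a reasonable middle ground.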
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks
(10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose
arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so
container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup
doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by
the riverside entrypoint
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
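The DNS rule from the first bullet above, written out as an added NixOS firewall fragment. It is an illustration rather than the host's firewall.nix, and it assumes the iptables-based NixOS firewall (`networking.nftables.enable` left at false), where `nixos-fw` and `nixos-fw-accept` are the chains the module creates; the 10.89.0.0/16 range is the one quoted in the commit.

```nix
# Added illustration, not the host's own firewall.nix.
{ ... }:
{
  networking.firewall = {
    enable = true;
    # NixOS only adds an accept rule for the podman0 interface. Compose/arion
    # stacks get their own bridges (podman1, podman2, ...), so container DNS
    # to the host-side resolver on those bridges was dropped silently.
    # Matching on the source subnet instead of an interface name covers every
    # bridge podman allocates from its default range.
    extraCommands = ''
      iptables -A nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
      iptables -A nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
    '';
  };
}
```

Because the rule sits in the host's input chain it only admits DNS addressed to the host itself (the bridge gateway address the container resolver listens on), not forwarded traffic. After a rebuild, `iptables -L nixos-fw -n` on the host should list the two rules, and a container on a secondary bridge should be able to resolve a sibling container's name again.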
Replace openbox with kde-plasma-desktop + konsole. Build the container
image locally via a oneshot systemd service (build-vnc-image) that runs
before arion-vnc-desktop on each boot. Nix hashes the Dockerfile and
start.sh at eval time so the build is skipped when nothing changed.
No registry push/pull required.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Break systemd ordering deadlock: nginx.after mkForce removes
DNS-challenge ACME services (philippeterson, webdav) from nginx's
After list, which was creating a cycle through nginx-config-reload
back to HTTP-webroot ACME services that need nginx Before them.
- Fix arion services not finding podman socket: arion NixOS module
sets backend=podman-socket but doesn't inject DOCKER_HOST; add
explicit DOCKER_HOST=unix:///run/podman/podman.sock for all three
arion projects.
- Fix gitea-runner startup race: add After/Wants on arion-forgejo so
the runner doesn't try to register before Forgejo is up.
- Fix riverside image reference: pinned digest was stale after a
re-push; switch to :latest.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Custom Podman image (forge.quinefoundation.com/ironmagma/vnc-desktop) running
TigerVNC + noVNC + openbox, proxied via nginx with ACME TLS and basic auth.
Also switches all arion projects from docker to podman backend.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The directory was created by the old DynamicUser (uid 63182). Add a
tmpfiles rule to guarantee correct ownership after any rebuild.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Create a persistent gitea-runner system user in the docker group instead
of relying on DynamicUser — supplementary groups were silently ignored
with DynamicUser=true, leaving the runner unable to reach the socket.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Jobs now execute directly on the runner host rather than inside a docker
container, giving them access to Node.js, Docker, and other host tools
without needing a custom image.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
riverside needs a postgres sidecar which oci-containers can't express.
Also adds docker to arion PATH (fixes forgejo-arion) and creates
/var/riverside/{files,postgres} state directories.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Systemd services don't source /etc/set-environment, so NIX_PATH was unset
when arion tried to evaluate arion-pkgs.nix via import <nixpkgs>.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add riverside OCI container (forge.quinefoundation.com/ironmagma/riverside)
on port 3011 with nginx vhost. Fix forgejo-arion service failure by ensuring
nix-instantiate is in PATH when arion evaluates the compose config.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>