Paperless-ngx uses WebSockets to push task completion status to the
browser. Without Upgrade/Connection headers the UI hangs indefinitely
after upload while waiting for the done notification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

recommendedProxySettings already injects Host, X-Real-IP, X-Forwarded-*
via an include in the location block. Our explicit extraConfig set them
again, causing Django to receive 'host,host' and reject with DisallowedHost.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The vnc-desktop container no longer runs a desktop environment. KDE Plasma
and Xvnc now run directly on the host via a vnc-kde systemd service, with
port 5901 firewalled to the podman bridge subnet only. The container is
reduced to a websockify bridge forwarding the noVNC web UI to hetzner-host:5901.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds a discover-logging/ build step that fetches the plasma-discover
source, instruments PKTransaction.cpp with qWarning calls at key points
(trigger, statusChanged, progressChanged, cleanup, errorFound,
installFile) to diagnose hanging .deb installs, then rebuilds and
reinstalls the patched packagekit-backend.so.

Also installs Firefox via the Mozilla apt repo (Ubuntu 24.04 ships
Firefox as a snap which doesn't work in the container).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- philippeterson.com and coldairnetworks.com now use withWww, fixing the same
  www.* cert-mismatch problem that affected pdxdestiny.com
- fbksdigital.com vhost removed (disabled for now)
- ACME cyclic dependency list updated accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

www.pdxdestiny.com had no vhost so nginx fell back to the coldairnetworks.com
cert. Added a withWww helper that generates an apex + www redirect pair, and
wired up pdxdestiny.com as the first user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

kded5 was activating org.bluez.obex in a tight loop (no BT hardware in
container), spawning thousands of obexd threads until the libpod scope hit
its TasksMax=9286 systemd default — causing fork failures and a 502.

- vnc-desktop/Dockerfile: purge bluez/bluez-obexd and delete D-Bus service
  activation files so kded5 can't trigger the loop
- linux.nix: machine.slice TasksMax=infinity so the libpod scope ceiling
  can't be hit by legitimate KDE thread counts
- linux.nix: containers.conf pids_limit=0 (unlimited) to let podman pass
  TasksMax=infinity to new container scopes

pids.current went from 9286 (exhausted) to 159 after the fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
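
The exhaustion described in the last commit message above (pids.current reaching the scope's ceiling) can be caught before forks start failing. The following is an added example, not part of the repository's commits: it scans a cgroup v2 tree and reports scopes whose task count is near pids.max. The `pids_pressure` name, the `/sys/fs/cgroup/machine.slice` path and the 90% default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the commits above): report cgroup v2 scopes whose
# task count is close to their pids.max ceiling.
# Usage: pids_pressure ROOT [THRESHOLD_PERCENT]
# ROOT is a cgroup v2 directory, e.g. /sys/fs/cgroup/machine.slice (assumed).
pids_pressure() {
    root=$1
    threshold=${2:-90}   # assumed default: flag at 90% of the ceiling
    find "$root" -type f -name pids.max 2>/dev/null | sort |
    while read -r maxfile; do
        dir=$(dirname "$maxfile")
        [ -r "$dir/pids.current" ] || continue
        max=$(cat "$maxfile")
        cur=$(cat "$dir/pids.current")
        # "max" means no ceiling, which is what TasksMax=infinity produces.
        [ "$max" = "max" ] && continue
        # Skip anything that is not a plain non-negative integer.
        case $max in ''|*[!0-9]*) continue ;; esac
        case $cur in ''|*[!0-9]*) continue ;; esac
        [ "$max" -gt 0 ] || continue
        pct=$((cur * 100 / max))
        if [ "$pct" -ge "$threshold" ]; then
            # Output: <scope relative to ROOT> <current>/<max> <percent>%
            printf '%s %s/%s %s%%\n' "${dir#"$root"/}" "$cur" "$max" "$pct"
        fi
    done
}
```

Because machine.slice is now unlimited, a runaway like the obexd loop would no longer stop at 9286 tasks, so a check of this kind only helps on scopes that still carry a finite pids.max.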