- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose arion stacks land on podman1/2/3 where container DNS was silently blocked - vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so container restarts don't leave Xvnc unable to bind display :1 - linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup doesn't cap KDE Plasma's thread count below the container pids limit - arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by the riverside entrypoint Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
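#!/bin/bash
# Container entrypoint for the vnc-desktop image.
#
# Starts a headless Xvnc display (:1, RFB port 5901), launches a KDE Plasma
# session on it, then exec's a websockify/noVNC bridge on port 6080.
#
# Required environment:
#   VNC_PASSWORD  - plaintext VNC password; written to /root/.vnc/passwd via
#                   vncpasswd. Classic VncAuth is a DES challenge-response over
#                   at most 8 bytes of password, so longer values are truncated.
#
# Exposure: neither the RFB listener (5901) nor the websockify listener (6080)
# encrypts anything. Publish only 6080 from the container and put it behind a
# TLS-terminating reverse proxy; VncAuth protects the handshake, not the session.
set -euo pipefail

readonly display_num=1
readonly rfb_port=5901
readonly x_socket="/tmp/.X11-unix/X${display_num}"
readonly x_lock="/tmp/.X${display_num}-lock"
readonly vnc_dir=/root/.vnc
readonly passwd_file="${vnc_dir}/passwd"

mkdir -p "${vnc_dir}" /root/.ssh
chmod 700 /root/.ssh

# Clean up stale X lock files from previous container runs. Xvnc refuses to
# bind display :1 while these exist, and a restarted container (same writable
# layer, no surviving processes) leaves them behind.
rm -f -- "${x_lock}" "${x_socket}"

# Set VNC password from environment; abort with a clear message if missing.
: "${VNC_PASSWORD:?VNC_PASSWORD must be set}"
if (( ${#VNC_PASSWORD} > 8 )); then
  printf 'warning: VncAuth only uses the first 8 characters of VNC_PASSWORD\n' >&2
fi
# printf rather than echo so a password such as "-n" or one containing
# backslashes reaches vncpasswd unchanged. The subshell-scoped umask means the
# file is never world-readable, not even between creation and the chmod.
( umask 077; printf '%s\n' "${VNC_PASSWORD}" | vncpasswd -f > "${passwd_file}" )
chmod 600 "${passwd_file}"
# The secret now lives only in the password file; keep it out of the
# environment inherited by Plasma, every app it spawns, and websockify.
unset VNC_PASSWORD

# Start Xvnc (headless X server + VNC server in one) in the background so the
# session and the bridge can follow. If ${rfb_port} is not published from the
# container, adding `-localhost` would confine the raw RFB listener to the
# loopback path websockify uses (left unchanged here; confirm against the
# compose definition first).
Xvnc ":${display_num}" \
  -rfbport "${rfb_port}" \
  -SecurityTypes VncAuth \
  -PasswordFile "${passwd_file}" \
  -geometry 1280x800 \
  -depth 24 \
  -AlwaysShared \
  &
xvnc_pid=$!

export DISPLAY=":${display_num}"

# Wait for the X socket instead of a fixed sleep: a slow start would otherwise
# launch Plasma against a display that is not up yet, and a crashed Xvnc would
# leave websockify bridging to nothing. Bounded (~10s) so a broken Xvnc fails
# the container instead of hanging it.
for _ in {1..100}; do
  if ! kill -0 "${xvnc_pid}" 2>/dev/null; then
    printf 'error: Xvnc exited before display :%s came up\n' "${display_num}" >&2
    exit 1
  fi
  [[ -S "${x_socket}" ]] && break
  sleep 0.1
done
if [[ ! -S "${x_socket}" ]]; then
  printf 'error: timed out waiting for %s\n' "${x_socket}" >&2
  exit 1
fi

# Start KDE Plasma session on its own session bus.
dbus-run-session -- startplasma-x11 &

# Serve noVNC web UI + bridge WebSocket -> VNC. exec replaces this shell, so
# websockify receives the container's signals directly; note that if this
# script is PID 1, websockify then inherits the job of reaping orphaned
# children (Xvnc, Plasma) - an init such as podman's --init handles that.
exec websockify --web /usr/share/novnc 6080 "localhost:${rfb_port}"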