From 29df223650a48974510b00d2e85609d132c7cc4e Mon Sep 17 00:00:00 2001
From: iris
Date: Wed, 20 May 2026 14:27:55 +0200
Subject: [PATCH] fix weston-vnc: use /etc/hostname instead of hostname binary, disable TLS
- Replace ${pkgs.coreutils}/bin/hostname with cat /etc/hostname: hostname binary is in pkgs.inetutils, not pkgs.coreutils; /etc/hostname is always present in NixOS containers and is simpler.
- Add --disable-transport-layer-security: weston VNC requires TLS certs by default; since VNC is loopback-only (relayed by the harness WS proxy) TLS adds no security benefit and cert generation adds complexity.
---
nix/templates/weston-vnc.nix | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index 1d6324f..401760f 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -79,10 +79,15 @@
 mkdir -p /run/user/0 && chmod 700 /run/user/0 || true
 # --- Compute deterministic VNC port via FNV-1a ---
- # Agent name = hostname with leading "h-" stripped, mirroring
- # lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+ # Agent name = container hostname with leading "h-" stripped,
+ # mirroring lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+ # Read from /etc/hostname (always present in NixOS containers)
+ # to avoid a dependency on the `hostname` binary (which lives in
+ # pkgs.inetutils, not pkgs.coreutils).
 # VNC_PORT_BASE=15900, VNC_PORT_RANGE=900 → [15900, 16799].
- AGENT_NAME=$(${pkgs.coreutils}/bin/hostname | ${pkgs.gnused}/bin/sed 's/^h-//')
+ RAW_HOST=$(${pkgs.coreutils}/bin/cat /etc/hostname)
+ AGENT_NAME=$(${pkgs.coreutils}/bin/printf '%s' "$RAW_HOST" \
+ | ${pkgs.gnused}/bin/sed 's/^h-//')
 hash=2166136261
 for byte in $(${pkgs.coreutils}/bin/printf '%s' "$AGENT_NAME" \
 | ${pkgs.coreutils}/bin/od -An -tu1 \
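Review bot: The new `RAW_HOST=$(${pkgs.coreutils}/bin/cat /etc/hostname)` line has no guard for an empty or (without set -e) missing file, so if the comment's "always present" assumption ever fails, AGENT_NAME is silently empty, the FNV-1a loop below hashes the empty string, and every such container would land on the same port, which presumably no longer matches what lifecycle::agent_web_port derives on the harness side. A one-line `: "${RAW_HOST:?/etc/hostname missing or empty}"` directly after the cat fails loudly instead. The printf-into-sed chain that follows can also collapse to a single parameter expansion, `AGENT_NAME=${RAW_HOST#h-}`, which drops two process spawns and the line continuation (the `$(...)` already strips the file's trailing newline). The for-loop that consumes AGENT_NAME continues past the end of the hunk.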
@@ -99,10 +104,14 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true
+ # --disable-transport-layer-security: VNC is loopback-only
+ # (relayed by the harness WebSocket proxy); TLS would require
+ # cert generation and adds no real security benefit here.
 exec ${pkgs.weston}/bin/weston \
 --backend=vnc-backend.so \
 --renderer=pixman \
- --port="$VNC_PORT"
+ --port="$VNC_PORT" \
+ --disable-transport-layer-security
 '';
 Restart = "on-failure";
 RestartSec = "5s";
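Review bot: The added comment justifies `--disable-transport-layer-security` with "VNC is loopback-only", but nothing in the exec line enforces that: the visible flags are only --backend, --renderer, --port and the new TLS switch, and the gui.json written two lines above already records `"auth":"none"`, so with TLS off the listener is plaintext and unauthenticated on whatever interfaces the container exposes. If the loopback restriction actually comes from the container's network setup, the comment should name that mechanism rather than assert the property; if it does not, pin the bind address in the exec line, e.g. add `--address=127.0.0.1 \` before `--port="$VNC_PORT" \` (weston's VNC backend accepts an --address option in recent releases — confirm against the packaged version). Either way a reader of this line should be able to tell why an unauthenticated, unencrypted VNC server is acceptable here. The enclosing service definition continues past the end of the hunk.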