vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix weston-vnc: use /etc/hostname instead of hostname binary, disable TLS

Browse source 
- Replace ${pkgs.coreutils}/bin/hostname with cat /etc/hostname:
  hostname binary is in pkgs.inetutils, not pkgs.coreutils; /etc/hostname
  is always present in NixOS containers and is simpler.
- Add --disable-transport-layer-security: weston VNC requires TLS certs
  by default; since VNC is loopback-only (relayed by the harness WS proxy)
  TLS adds no security benefit and cert generation adds complexity.
This commit is contained in:
iris 2026-05-20 14:27:55 +02:00
parent 37522fd629
commit 29df223650
1 changed files with 13 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nix/templates/weston-vnc.nix
View file

@ -79,10 +79,15 @@
mkdir -p /run/user/0 && chmod 700 /run/user/0 || true mkdir -p /run/user/0 && chmod 700 /run/user/0 || true
# --- Compute deterministic VNC port via FNV-1a --- # --- Compute deterministic VNC port via FNV-1a ---
# Agent name = hostname with leading "h-" stripped, mirroring # Agent name = container hostname with leading "h-" stripped,
# lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs. # mirroring lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
# Read from /etc/hostname (always present in NixOS containers)
# to avoid a dependency on the `hostname` binary (which lives in
# pkgs.inetutils, not pkgs.coreutils).
# VNC_PORT_BASE=15900, VNC_PORT_RANGE=900 → [15900, 16799]. # VNC_PORT_BASE=15900, VNC_PORT_RANGE=900 → [15900, 16799].
AGENT_NAME=$(${pkgs.coreutils}/bin/hostname | ${pkgs.gnused}/bin/sed 's/^h-//') RAW_HOST=$(${pkgs.coreutils}/bin/cat /etc/hostname)
AGENT_NAME=$(${pkgs.coreutils}/bin/printf '%s' "$RAW_HOST" \
| ${pkgs.gnused}/bin/sed 's/^h-//')
hash=2166136261 hash=2166136261
for byte in $(${pkgs.coreutils}/bin/printf '%s' "$AGENT_NAME" \ for byte in $(${pkgs.coreutils}/bin/printf '%s' "$AGENT_NAME" \
| ${pkgs.coreutils}/bin/od -An -tu1 \ | ${pkgs.coreutils}/bin/od -An -tu1 \
@ -99,10 +104,14 @@
${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \ ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
"$VNC_PORT" > /etc/hyperhive/gui.json || true "$VNC_PORT" > /etc/hyperhive/gui.json || true
# --disable-transport-layer-security: VNC is loopback-only
# (relayed by the harness WebSocket proxy); TLS would require
# cert generation and adds no real security benefit here.
exec ${pkgs.weston}/bin/weston \ exec ${pkgs.weston}/bin/weston \
--backend=vnc-backend.so \ --backend=vnc-backend.so \
--renderer=pixman \ --renderer=pixman \
--port="$VNC_PORT" --port="$VNC_PORT" \
--disable-transport-layer-security
''; '';
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";