fix weston-vnc: use /etc/hostname instead of hostname binary, disable TLS

- Replace ${pkgs.coreutils}/bin/hostname with cat /etc/hostname: hostname binary is in pkgs.inetutils, not pkgs.coreutils; /etc/hostname is always present in NixOS containers and is simpler. - Add --disable-transport-layer-security: weston VNC requires TLS certs by default; since VNC is loopback-only (relayed by the harness WS proxy) TLS adds no security benefit and cert generation adds complexity.
2026-05-20 14:27:55 +02:00 · 2026-05-20 14:27:55 +02:00 · 29df223650
commit 29df223650
parent 37522fd629
1 changed files with 13 additions and 4 deletions
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@ -79,10 +79,15 @@
          mkdir -p /run/user/0 && chmod 700 /run/user/0 || true

          # --- Compute deterministic VNC port via FNV-1a ---
-          # Agent name = hostname with leading "h-" stripped, mirroring
-          # lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+          # Agent name = container hostname with leading "h-" stripped,
+          # mirroring lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+          # Read from /etc/hostname (always present in NixOS containers)
+          # to avoid a dependency on the `hostname` binary (which lives in
+          # pkgs.inetutils, not pkgs.coreutils).
          # VNC_PORT_BASE=15900, VNC_PORT_RANGE=900 → [15900, 16799].
-          AGENT_NAME=$(${pkgs.coreutils}/bin/hostname | ${pkgs.gnused}/bin/sed 's/^h-//')
+          RAW_HOST=$(${pkgs.coreutils}/bin/cat /etc/hostname)
+          AGENT_NAME=$(${pkgs.coreutils}/bin/printf '%s' "$RAW_HOST" \
+            | ${pkgs.gnused}/bin/sed 's/^h-//')
          hash=2166136261
          for byte in $(${pkgs.coreutils}/bin/printf '%s' "$AGENT_NAME" \
              | ${pkgs.coreutils}/bin/od -An -tu1 \
@ -99,10 +104,14 @@
          ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
            "$VNC_PORT" > /etc/hyperhive/gui.json || true

+          # --disable-transport-layer-security: VNC is loopback-only
+          # (relayed by the harness WebSocket proxy); TLS would require
+          # cert generation and adds no real security benefit here.
          exec ${pkgs.weston}/bin/weston \
            --backend=vnc-backend.so \
            --renderer=pixman \
-            --port="$VNC_PORT"
+            --port="$VNC_PORT" \
+            --disable-transport-layer-security
        '';
        Restart = "on-failure";
        RestartSec = "5s";