Merge pull request #373 from linuxserver/monthly

thelamer · web-flow · commit 241ea4454f8f · 2026-02-10T08:41:01.000-05:00
- #371 - #372 - #375 - #374 - #376
diff --git a/ansible/filter_plugins/admonition.py b/ansible/filter_plugins/admonition.py
@@ -40,14 +40,16 @@ def admonition(self, text, flavour="gfm", severity:str = "note", collapse=None,
 
         note = ""
 
-        aa_severity = severity
+        clear_text = text
 
         if severity == "deprecation":
             note = f"# DEPRECATION NOTICE \n{text}"
         elif flavour == "gfm":
             severity = severities.get(severity,"NOTE")
             text = text.replace("\n", "\n>")
             note = f">[!{severity}]\n>{text}"
+            if collapse != None:
+                note = f"<details>\n<summary>{title}</summary>\n\n{clear_text}\n</details>"
         elif flavour == "mkdocs":
             severity = severities.get(severity, "note")
             if collapse == None:
@@ -62,4 +64,3 @@ def admonition(self, text, flavour="gfm", severity:str = "note", collapse=None,
             note += f"\n\n    {text}"
 
         return note
-
diff --git a/ansible/roles/deprecate/tasks/main.yml b/ansible/roles/deprecate/tasks/main.yml
@@ -11,6 +11,7 @@
   loop:
     - root/etc/s6-overlay/s6-rc.d/init-deprecate/dependencies.d
     - root/etc/s6-overlay/s6-rc.d/init-services/dependencies.d
+    - root/etc/s6-overlay/s6-rc.d/user/contents.d
 
 - name: Create deprecation files
   file:
diff --git a/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 b/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2
@@ -12,21 +12,103 @@ The web interface includes a terminal with passwordless `sudo` access. Any user
 
 While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker, elevating the potential for container escape vulnerabilities.
 
-### Options in all Selkies-based GUI containers
+### Hardware Acceleration & The Move to Wayland
+
+We are currently transitioning our desktop containers from X11 to Wayland. While X11 is still the default, we strongly encourage users to test the new Wayland mode.
+
+**Important:** GPU acceleration support for X11 is being deprecated. Future development for hardware acceleration will focus entirely on the Wayland stack.
+
+To enable Wayland mode, set the following environment variable:
+*   `-e PIXELFLUX_WAYLAND=true`
+
+**Why use Wayland?**
+*   **Zero Copy Encoding:** When configured correctly with a GPU, the frame is rendered and encoded on the video card without ever being copied to the system RAM. This drastically lowers CPU usage and latency.
+*   **Modern Stack:** Single-application containers utilize **Labwc** (replacing Openbox) and full desktop containers use **KDE Plasma Wayland**, providing a more modern and secure compositing environment while retaining the same user experience.
+
+#### GPU Configuration
+
+To use hardware acceleration in Wayland mode, we distinguish between the card used for **Rendering** (3D apps/Desktops) and **Encoding** (Video Stream).
+
+**Configuration Variables:**
+*   `DRINODE`: The path to the GPU used for **Rendering** (EGL).
+*   `DRI_NODE`: The path to the GPU used for **Encoding** (VAAPI/NVENC).
 
-This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies), which provides the following environment variables and run configurations to customize its functionality.
+If both variables point to the same device, the container will automatically enable **Zero Copy** encoding, significantly reducing CPU usage and latency.
 
-#### Optional Environment Variables
+##### Intel & AMD (Open Source Drivers)
 
+For Intel and AMD GPUs.
+
+```yaml
+    devices:
+      - /dev/dri:/dev/dri
+    environment:
+      - PIXELFLUX_WAYLAND=true
+      # Optional: Specify device if multiple exist (IE: /dev/dri/renderD129)
+      - DRINODE=/dev/dri/renderD128
+      - DRI_NODE=/dev/dri/renderD128
+```
+
+{% if show_nvidia is defined %}##### Nvidia (Proprietary Drivers)
+
+**Note: Nvidia support is not available for Alpine-based images.**
+
+**Prerequisites:**
+1.  **Driver:** Proprietary drivers **580 or higher** are required.
+2.  **Kernel Parameter:** Set `nvidia-drm.modeset=1` in your host bootloader (GRUB/systemd-boot).
+3.  **Initialization:** On headless systems, run `nvidia-modprobe --modeset` on the host (once per boot) to initialize the card.
+4.  **Docker Runtime:** Configure the host docker daemon to use the Nvidia runtime:
+    ```bash
+    sudo nvidia-ctk runtime configure --runtime=docker
+    sudo systemctl restart docker
+    ```
+
+**Compose Configuration:**
+
+```yaml
+services:
+  {{ project_name }}:
+    image: lscr.io/{{ lsio_project_name_short }}/{{ project_name }}:{{ release_tag }}
+    environment:
+      - PIXELFLUX_WAYLAND=true
+      # Ensure these point to the rendered node injected by the runtime (usually renderD128)
+      - DRINODE=/dev/dri/renderD128
+      - DRI_NODE=/dev/dri/renderD128
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              count: 1
+              capabilities: [compute,video,graphics,utility]
+```
+{% endif %}
+
+### SealSkin Compatibility
+
+This container is compatible with [SealSkin](https://sealskin.app).
+
+SealSkin is a self-hosted, client-server platform that provides secure authentication and collaboration features while using a browser extension to intercept user actions such as clicking a link or downloading a file and redirect them to a secure, isolated application environment running on a remote server.
+
+*   **SealSkin Server:** [Get it Here](https://github.com/linuxserver/docker-sealskin)
+*   **Browser Extension:** [Chrome](https://chromewebstore.google.com/detail/sealskin-isolation/lclgfmnljgacfdpmmmjmfpdelndbbfhk) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/sealskin-isolation/).
+*   **Mobile App:** [iOS](https://apps.apple.com/us/app/sealskin/id6758210210) and [Android](https://play.google.com/store/apps/details?id=io.linuxserver.sealskin)
+
+
+### Options in all Selkies-based GUI containers
+
+This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies).
+
+{% set blurb1 %}
 | Variable | Description |
 | :----: | --- |
 | PIXELFLUX_WAYLAND | **Experimental** If set to true the container will initialize in Wayland mode running [Smithay](https://github.com/Smithay/smithay) and Labwc while enabling zero copy encoding with a GPU |
 | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default `{% if external_http_port is defined %}{{ external_http_port }}{% else %}3000{% endif %}` |
 | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default `{% if external_https_port is defined %}{{ external_https_port }}{% else %}3001{% endif %}` |
 | CUSTOM_WS_PORT | Internal port the container listens on for websockets if it needs to be swapped from the default 8082 |
 | CUSTOM_USER | HTTP Basic auth username, abc is default. |
-| DRI_NODE | Enable VAAPI stream encoding and use the specified device IE `/dev/dri/renderD128` |
-| DRINODE | Specify which GPU to use for DRI3 acceleration IE `/dev/dri/renderD129` |
+| DRI_NODE | **Encoding GPU**: Enable VAAPI/NVENC stream encoding and use the specified device IE `/dev/dri/renderD128` |
+| DRINODE | **Rendering GPU**: Specify which GPU to use for EGL/3D acceleration IE `/dev/dri/renderD129` |
 | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
 | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
 | TITLE | The page title displayed on the web browser, default "Selkies" |
@@ -51,14 +133,34 @@ This container is based on [Docker Baseimage Selkies](https://github.com/linuxse
 - **4**: Bottom Right
 - **5**: Centered
 - **6**: Animated
+{% endset %}
+{{ blurb1 | admonition(flavour=markdown, title="Click to expand: Optional Environment Variables", collapse="???") }}
 
-#### Optional Run Configurations
-
+{% set blurb2 %}
 | Argument | Description |
 | :----: | --- |
 | `--privileged` | Starts a Docker-in-Docker (DinD) environment. For better performance, mount the Docker data directory from the host, e.g., `-v /path/to/docker-data:/var/lib/docker`. |
 | `-v /var/run/docker.sock:/var/run/docker.sock` | Mounts the host's Docker socket to manage host containers from within this container. |
-| `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated applications. Only **Open Source** drivers are supported IE (Intel,AMDGPU,Radeon,ATI,Nouveau) |
+| `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated applications. |
+{% endset %}
+{{ blurb2 | admonition(flavour=markdown, title="Click to expand: Optional Run Configurations (DinD & GPU Mounts)", collapse="???") }}
+
+{% set blurb3 %}
+**Note:** This section applies only if you are **NOT** using `PIXELFLUX_WAYLAND=true`.
+
+When using 3d acceleration via Nvidia DRM or DRI3 in X11 mode, it is important to clamp the virtual display to a reasonable max resolution to avoid memory exhaustion or poor performance.
+
+* `-e MAX_RESOLUTION=3840x2160`
+
+This will set the total virtual framebuffer to 4K. By default, the virtual monitor is 16K. If you have performance issues in an accelerated X11 session, try clamping the resolution to 1080p and work up from there:
+
+```
+-e SELKIES_MANUAL_WIDTH=1920
+-e SELKIES_MANUAL_HEIGHT=1080
+-e MAX_RESOLUTION=1920x1080
+```
+{% endset %}
+{{ blurb3 | admonition(flavour=markdown, title="Click to expand: Legacy X11 Resolution & Acceleration", collapse="???") }}
 
 ### Language Support - Internationalization
 
@@ -75,84 +177,7 @@ To launch the desktop session in a different language, set the `LC_ALL` environm
 *   `-e LC_ALL=nl_NL.UTF-8` - Netherlands
 *   `-e LC_ALL=it_IT.UTF-8` - Italian
 
-### SealSkin Compatibility
-
-This container is compatible with [SealSkin](https://github.com/linuxserver/docker-sealskin).
-
-SealSkin is a self-hosted, client-server platform that provides secure authentication and collaboration features while using a browser extension to intercept user actions such as clicking a link or downloading a file and redirect them to a secure, isolated application environment running on a remote server.
-
-*   **SealSkin Server:** [Get it Here](https://github.com/linuxserver/docker-sealskin)
-*   **Browser Extension:** [Install Here](https://chromewebstore.google.com/detail/sealskin-isolation/lclgfmnljgacfdpmmmjmfpdelndbbfhk)
-
-### All GPU Acceleration - use sane resolutions
-
-When using 3d acceleration via Nvidia DRM or DRI3 it is important to clamp the virtual display to a reasonable max resolution. This can be achieved with the environment setting: 
-
-* `-e MAX_RESOLUTION=3840x2160`
-
-This will set the total virtual framebuffer to 4K, you can also set a manual resolution to achieve this.
-By default the virtual monitor in the session is 16K to support large monitors and dual display configurations. Leaving it this large has no impact on CPU based performance but costs GPU memory usage and memory bandwidth when leveraging one for acceleration. If you have performance issues in an accelerated session, try clamping the resolution to 1080p and work up from there:
-
-```
--e SELKIES_MANUAL_WIDTH=1920
--e SELKIES_MANUAL_HEIGHT=1080
--e MAX_RESOLUTION=1920x1080
-```
-
-### DRI3 GPU Acceleration
-
-For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using:
-
-`--device /dev/dri:/dev/dri`
-
-This feature only supports **Open Source** GPU drivers:
-
-| Driver | Description |
-| :----: | --- |
-| Intel | i965 and i915 drivers for Intel iGPU chipsets |
-| AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets |
-| NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support |
-
-The `DRINODE` environment variable can be used to point to a specific GPU.
-
-DRI3 will work on aarch64 given the correct drivers are installed inside the container for your chipset.
-
-{% if show_nvidia is defined %}### Nvidia GPU Support
-
-**Note: Nvidia support is not available for Alpine-based images.**
-
-Nvidia GPU support is available by leveraging Zink for OpenGL. When a compatible Nvidia GPU is passed through, it will also be **automatically utilized for hardware-accelerated video stream encoding** (using the `x264enc` full-frame profile), significantly reducing CPU load.
-
-Enable Nvidia support with the following runtime flags:
-
-| Flag | Description |
-| :----: | --- |
-| `--gpus all` | Passes all available host GPUs to the container. This can be filtered to specific GPUs. |
-| `--runtime nvidia` | Specifies the Nvidia runtime, which provides the necessary drivers and tools from the host. |
-
-For Docker Compose, you must first configure the Nvidia runtime as the default on the host:
-
-```
-sudo nvidia-ctk runtime configure --runtime=docker --set-as-default
-sudo systemctl restart docker
-```
-
-Then, assign the GPU to the service in your `compose.yaml`:
-
-```
-services:
-  {{ project_name }}:
-    image: lscr.io/{{ lsio_project_name_short }}/{{ project_name }}:{{ release_tag }}
-    deploy:
-      resources:
-        reservations:
-          devices:
-            - driver: nvidia
-              count: 1
-              capabilities: [compute,video,graphics,utility]
-```
-
-{% endif %}### Application Management
+### Application Management
 
 There are two methods for installing applications inside the container: PRoot Apps (recommended for persistence) and Native Apps.
 
@@ -178,20 +203,17 @@ You can install packages from the system's native repository using the [universa
     - INSTALL_PACKAGES=libfuse2|git|gdb
 ```
 
-#### Hardening
+### Advanced Configuration
 
+{% set blurb4 %}
 These variables can be used to lock down the desktop environment for single-application use cases or to restrict user capabilities.
 
-##### Meta Variables
-
-These variables act as presets, enabling multiple hardening options at once. Individual options can still be set to override the preset.
-
 | Variable | Description |
 | :----: | --- |
 | **`HARDEN_DESKTOP`** | Enables `DISABLE_OPEN_TOOLS`, `DISABLE_SUDO`, and `DISABLE_TERMINALS`. Also sets related Selkies UI settings (`SELKIES_FILE_TRANSFERS`, `SELKIES_COMMAND_ENABLED`, `SELKIES_UI_SIDEBAR_SHOW_FILES`, `SELKIES_UI_SIDEBAR_SHOW_APPS`) if they are not explicitly set by the user. |
 | **`HARDEN_OPENBOX`** | Enables `DISABLE_CLOSE_BUTTON`, `DISABLE_MOUSE_BUTTONS`, and `HARDEN_KEYBINDS`. It also flags `RESTART_APP` if not set by the user, ensuring the primary application is automatically restarted if closed. |
 
-##### Individual Hardening Variables
+**Individual Hardening Variables:**
 
 | Variable | Description |
 | :--- | --- |
@@ -202,47 +224,26 @@ These variables act as presets, enabling multiple hardening options at once. Ind
 | **`DISABLE_MOUSE_BUTTONS`** | If true, disables the right-click and middle-click context menus and actions within the Openbox window manager. |
 | **`HARDEN_KEYBINDS`** | If true, disables default Openbox keybinds that can bypass other hardening options (e.g., `Alt+F4` to close windows, `Alt+Escape` to show the root menu). |
 | **`RESTART_APP`** | If true, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering. |
+{% endset %}
+{{ blurb4 | admonition(flavour=markdown, title="Click to expand: Hardening Options", collapse="???") }}
 
-#### Selkies application settings
-
+{% set blurb5 %}
 Using environment variables every facet of the application can be configured.
 
-##### Booleans and Locking
-Boolean settings accept `true` or `false`. You can also prevent the user from changing a boolean setting in the UI by appending `|locked`. The UI toggle for this setting will be hidden.
-
-*   **Example**: To force CPU encoding on and prevent the user from disabling it:
-    ```bash
-    -e SELKIES_USE_CPU="true|locked"
-    ```
-
-##### Enums and Lists
-These settings accept a comma-separated list of values. Their behavior depends on the number of items provided:
-
-*   **Multiple Values**: The first item in the list becomes the default selection, and all items in the list become the available options in the UI dropdown.
-*   **Single Value**: The provided value becomes the default, and the UI dropdown is hidden because the choice is locked.
+**Booleans and Locking:**
+Boolean settings accept `true` or `false`. You can also prevent the user from changing a boolean setting in the UI by appending `|locked`.
+*   Example: `-e SELKIES_USE_CPU="true|locked"`
 
-*   **Example**: Force the encoder to be `jpeg` with no other options available to the user:
-    ```bash
-    -e SELKIES_ENCODER="jpeg"
-    ```
-
-##### Ranges
-Range settings define a minimum and maximum for a value (e.g., framerate).
-
-*   **To set a range**: Use a hyphen-separated `min-max` format. The UI will show a slider.
-*   **To set a fixed value**: Provide a single number. This will lock the value and hide the UI slider.
-
-*   **Example**: Lock the framerate to exactly 60 FPS.
-    ```bash
-    -e SELKIES_FRAMERATE="60"
-    ```
+**Enums and Lists:**
+These settings accept a comma-separated list of values. The first item becomes default. If only one item is provided, the UI dropdown is hidden.
+*   Example: `-e SELKIES_ENCODER="jpeg"`
 
-##### Manual Resolution Mode
-The server can be forced to use a single, fixed resolution for all connecting clients. This mode is automatically activated if `SELKIES_MANUAL_WIDTH`, `SELKIES_MANUAL_HEIGHT`, or `SELKIES_IS_MANUAL_RESOLUTION_MODE` is set.
+**Ranges:**
+Use a hyphen-separated `min-max` format for a slider, or a single number to lock the value.
+*   Example: `-e SELKIES_FRAMERATE="60"`
 
-*   If `SELKIES_MANUAL_WIDTH` and/or `SELKIES_MANUAL_HEIGHT` are set, the resolution is locked to those values.
-*   If `SELKIES_IS_MANUAL_RESOLUTION_MODE` is set to `true` without specifying width or height, the resolution defaults to **1024x768**.
-*   When this mode is active, the client UI for changing resolution is disabled.
+**Manual Resolution Mode:**
+If `SELKIES_MANUAL_WIDTH` or `SELKIES_MANUAL_HEIGHT` are set, the resolution is locked to those values.
 
 | Environment Variable | Default Value | Description |
 | --- | --- | --- |
@@ -302,3 +303,5 @@ The server can be forced to use a single, fixed resolution for all connecting cl
 | `SELKIES_ENABLE_PLAYER2` | `True` | Enable sharing link for gamepad player 2. |
 | `SELKIES_ENABLE_PLAYER3` | `True` | Enable sharing link for gamepad player 3. |
 | `SELKIES_ENABLE_PLAYER4` | `True` | Enable sharing link for gamepad player 4. |
+{% endset %}
+{{ blurb5 | admonition(flavour=markdown, title="Click to expand: Selkies Application Settings", collapse="???") }}
diff --git a/ansible/roles/documentation/templates/README_SNIPPETS/USAGE.j2 b/ansible/roles/documentation/templates/README_SNIPPETS/USAGE.j2
@@ -2,7 +2,7 @@
 
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
 
-{{ "Unless a parameter is flaged as 'optional', it is *mandatory* and a value must be provided." | admonition(flavour=markdown, severity="info") }}
+{{ "Unless a parameter is flagged as 'optional', it is *mandatory* and a value must be provided." | admonition(flavour=markdown, severity="info") }}
 
 ### docker-compose (recommended, [click here for more info]({{ lsio_docs_url }}/general/docker-compose))
 
diff --git a/ansible/roles/repository/templates/Jenkinsfile.j2 b/ansible/roles/repository/templates/Jenkinsfile.j2
@@ -461,7 +461,7 @@ pipeline {
                   -v ${WORKSPACE}:/mnt \
                   -e AWS_ACCESS_KEY_ID=\"${S3_KEY}\" \
                   -e AWS_SECRET_ACCESS_KEY=\"${S3_SECRET}\" \
-                  ghcr.io/linuxserver/baseimage-alpine:3 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
+                  ghcr.io/linuxserver/baseimage-alpine:3.23 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
                     apk add --no-cache python3 && \
                     python3 -m venv /lsiopy && \
                     pip install --no-cache-dir -U pip && \
