Merge pull request #155 from naturallaw777/copilot/update-gnome-remote-desktop-config

Fix RDP "Session Already Running" by switching to user-session screen sharing

modules/rdp.nix

@@ -82,14 +82,16 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
       if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
         PASSWORD=$(openssl rand -base64 16)
         echo "$PASSWORD" > /var/lib/gnome-remote-desktop/rdp-password
-        chmod 600 /var/lib/gnome-remote-desktop/rdp-password
       else
         PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password)
       fi
+      chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-password
+      chmod 640 /var/lib/gnome-remote-desktop/rdp-password
 
       # Write username to a separate file for the hub
       echo "sovran" > /var/lib/gnome-remote-desktop/rdp-username
-      chmod 600 /var/lib/gnome-remote-desktop/rdp-username
+      chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-username
+      chmod 640 /var/lib/gnome-remote-desktop/rdp-username
 
       # Get current IP address
       LOCAL_IP=$(hostname -I | awk '{print $1}')
@@ -111,12 +113,54 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 
       chmod 600 "$CRED_FILE"
 
-      # Enable RDP backend and set credentials
+      # Disable the system-level RDP endpoint so connections go through the user session
-      grdctl --system rdp enable
+      grdctl --system rdp disable || true
-      grdctl --system rdp set-credentials sovran "$PASSWORD"
-      grdctl --system rdp disable-view-only || true
 
       echo "GNOME Remote Desktop RDP configured successfully"
     '';
   };
+
+  # User-level service that enables RDP screen sharing within the free user's graphical session.
+  # This avoids the GDM "Session Already Running" conflict caused by the system-level RDP endpoint.
+  systemd.user.services.gnome-remote-desktop-session = {
+    description = "Enable GNOME Remote Desktop screen sharing for user session";
+    wantedBy = [ "graphical-session.target" ];
+    after = [ "graphical-session.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [
+      pkgs.gnome-remote-desktop
+    ];
+    script = ''
+      # Read the password generated by the system-level setup service.
+      # Wait for the password file to be available (system service may still be running).
+      for i in $(seq 1 30); do
+        [ -f /var/lib/gnome-remote-desktop/rdp-password ] && break
+        sleep 1
+      done
+
+      if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
+        echo "ERROR: Timed out waiting for RDP password file"
+        exit 1
+      fi
+
+      PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password 2>/dev/null || echo "")
+      if [ -z "$PASSWORD" ]; then
+        echo "ERROR: RDP password file is empty"
+        exit 1
+      fi
+
+      # Enable RDP in the user session (screen sharing mode — takes over existing desktop)
+      grdctl rdp enable
+      grdctl rdp set-credentials sovran "$PASSWORD"
+      grdctl rdp disable-view-only || true
+
+      echo "GNOME Remote Desktop user-session screen sharing enabled"
+    '';
+  };
+
+  # Add free user to gnome-remote-desktop group so the user-level service can read credential files
+  users.users.free.extraGroups = [ "gnome-remote-desktop" ];
 }