Fix RDP frozen screen: add session-level GNOME Remote Desktop configuration

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/e099592f-2d1e-4894-a91c-b4ef9b4a5244

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>

modules/rdp.nix

@@ -1,5 +1,33 @@
 { config, lib, pkgs, ... }:
 
+let
+  rdp-session-setup-script = pkgs.writeShellScript "rdp-session-setup.sh" ''
+    export PATH="${lib.makeBinPath [ pkgs.gnome-remote-desktop pkgs.coreutils ]}:$PATH"
+
+    # Wait for the system-level setup to have generated credentials
+    for i in $(seq 1 30); do
+      [ -f /var/lib/gnome-remote-desktop/rdp-password ] && break
+      echo "Waiting for RDP credentials... ($i/30)"
+      sleep 1
+    done
+
+    PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password 2>/dev/null || echo "")
+    if [ -z "$PASSWORD" ]; then
+      echo "ERROR: RDP password file not found or empty after waiting; session-level RDP setup aborted" >&2
+      exit 1
+    fi
+
+    TLS_DIR="/var/lib/gnome-remote-desktop/tls"
+
+    # Configure session-level RDP (no --system flag)
+    grdctl rdp set-tls-cert "$TLS_DIR/rdp-tls.crt" || { echo "ERROR: grdctl rdp set-tls-cert failed" >&2; exit 1; }
+    grdctl rdp set-tls-key "$TLS_DIR/rdp-tls.key" || { echo "ERROR: grdctl rdp set-tls-key failed" >&2; exit 1; }
+    grdctl rdp set-credentials sovran "$PASSWORD" || { echo "ERROR: grdctl rdp set-credentials failed" >&2; exit 1; }
+    grdctl rdp enable || { echo "ERROR: grdctl rdp enable failed" >&2; exit 1; }
+    echo "Session-level RDP configured successfully"
+  '';
+in
+
 lib.mkIf config.sovran_systemsOS.features.rdp {
 
   users.users.gnome-remote-desktop = {
@@ -10,6 +38,9 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
   };
   users.groups.gnome-remote-desktop = {};
 
+  # Give the 'free' user read access to RDP credential files
+  users.users.free.extraGroups = [ "gnome-remote-desktop" ];
+
   # Enable the GNOME Remote Desktop service at the system level
   services.gnome.gnome-remote-desktop.enable = true;
 
@@ -70,7 +101,7 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 
       # Always fix ownership and permissions (handles re-enable after disable)
       chown -R gnome-remote-desktop:gnome-remote-desktop "$TLS_DIR"
-      chmod 600 "$TLS_DIR/rdp-tls.key"
+      chmod 640 "$TLS_DIR/rdp-tls.key"
       chmod 644 "$TLS_DIR/rdp-tls.crt"
 
       # Configure TLS certificate
@@ -82,14 +113,14 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
       if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
         PASSWORD=$(openssl rand -base64 16)
         echo "$PASSWORD" > /var/lib/gnome-remote-desktop/rdp-password
-        chmod 600 /var/lib/gnome-remote-desktop/rdp-password
+        chmod 640 /var/lib/gnome-remote-desktop/rdp-password
       else
         PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password)
       fi
 
       # Write username to a separate file for the hub
       echo "sovran" > /var/lib/gnome-remote-desktop/rdp-username
-      chmod 600 /var/lib/gnome-remote-desktop/rdp-username
+      chmod 640 /var/lib/gnome-remote-desktop/rdp-username
 
       # Get current IP address
       LOCAL_IP=$(hostname -I | awk '{print $1}')
@@ -118,4 +149,15 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
       echo "GNOME Remote Desktop RDP configured successfully"
     '';
   };
+
+  # Autostart session-level RDP configuration when the 'free' user's GNOME session starts
+  environment.etc."xdg/autostart/sovran-rdp-session-setup.desktop".text = ''
+    [Desktop Entry]
+    Type=Application
+    Name=Sovran RDP Session Setup
+    Exec=${rdp-session-setup-script}
+    Terminal=false
+    X-GNOME-Autostart-enabled=true
+    NoDisplay=true
+  '';
 }