diff --git a/modules/rdp.nix b/modules/rdp.nix
index 3d28dd2..9fb154a 100755
--- a/modules/rdp.nix
+++ b/modules/rdp.nix
@@ -1,16 +1,51 @@
 { config, pkgs, lib, ... }:
- lib.mkIf config.sovran_systemsOS.features.rdp {
+lib.mkIf config.sovran_systemsOS.features.rdp {
- services.gnome.gnome-remote-desktop.enable = true;
+ services.gnome.gnome-remote-desktop.enable = true;
- networking.firewall.allowedTCPPorts = [ 3389 ];
+ networking.firewall.allowedTCPPorts = [ 3389 ];
- environment.systemPackages = with pkgs; [
- freerdp
- ];
+ environment.systemPackages = with pkgs; [
+ freerdp
+ ];
+
+ # gnome-remote-desktop ships a system service that needs to be explicitly enabled
+ systemd.services.gnome-remote-desktop = {
+ wantedBy = [ "graphical.target" ];
+ after = [ "graphical.target" ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 5;
+ };
+ };
+
+ # Configure RDP credentials and enable RDP mode on first boot
+ systemd.services.gnome-remote-desktop-setup = {
+ description = "Configure GNOME Remote Desktop RDP";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "gnome-remote-desktop.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ path = [ pkgs.gnome-remote-desktop ];
+ script = ''
+ # Enable RDP backend
+ grdctl --system rdp enable
+
+ # Disable requiring a prompt/handshake for unattended access
+ grdctl --system rdp set-credentials sovran "$(cat /var/lib/gnome-remote-desktop/rdp-password 2>/dev/null || echo 'changeme')"
+
+ # Generate a default password file if one doesn't exist
+ if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
+ mkdir -p /var/lib/gnome-remote-desktop
+ ${pkgs.openssl}/bin/openssl rand -base64 16 > /var/lib/gnome-remote-desktop/rdp-password
+ chmod 600 /var/lib/gnome-remote-desktop/rdp-password
+ echo "Generated new RDP password at /var/lib/gnome-remote-desktop/rdp-password"
+ fi
+
+ grdctl --system rdp set-credentials sovran "$(cat /var/lib/gnome-remote-desktop/rdp-password)"
+ '';
+ };
 }
-
-
-
-
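Review bot: The generated password file is briefly readable by other local users, because `openssl rand ... > /var/lib/gnome-remote-desktop/rdp-password` creates it under the service's default umask and the `chmod 600` only runs afterwards; create it under a restrictive umask instead, e.g. `(umask 077; ${pkgs.openssl}/bin/openssl rand -base64 16 > /var/lib/gnome-remote-desktop/rdp-password)`, which also makes the separate chmod unnecessary. The earlier `grdctl --system rdp set-credentials sovran "$(cat ... || echo 'changeme')"` line should be dropped together with its misleading "Disable requiring a prompt/handshake" comment: on first boot it installs the literal `changeme` as the RDP password before the real one exists, and since the final set-credentials call overwrites it anyway it only bakes a weak default into the unit. Passing the secret as a grdctl argument also exposes it in /proc/*/cmdline to any local user for the duration of the call; if grdctl can take the password from a file or stdin, that form is preferable. Separately, `wantedBy = [ "graphical.target" ]` combined with `after = [ "graphical.target" ]` looks like it may form an ordering cycle, since targets implicitly order After= the units they want — worth confirming in the boot journal.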