Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix RDP: revert to system-level approach with declarative service masking and explicit start

Browse Source 
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/cedebc7f-683e-469d-bd91-a0b87495d055

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-08 21:02:49 +00:00
committed by GitHub
parent 4c5e639cfa
commit ebd41797f7
1 changed files with 17 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
modules/rdp.nix
View File

@@ -13,6 +13,11 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
# Enable the GNOME Remote Desktop service at the system level # Enable the GNOME Remote Desktop service at the system level
services.gnome.gnome-remote-desktop.enable = true; services.gnome.gnome-remote-desktop.enable = true;
# Prevent the system-level service from auto-starting via GDM's target ordering.
# This avoids the "Session Already Running" GDM dialog when free is auto-logged-in.
# We start the service explicitly from the setup script after configuration is complete.
systemd.services."gnome-remote-desktop".wantedBy = lib.mkForce [];
# Open RDP port in the firewall # Open RDP port in the firewall
networking.firewall.allowedTCPPorts = [ 3389 ]; networking.firewall.allowedTCPPorts = [ 3389 ];
@@ -39,6 +44,7 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
pkgs.openssl pkgs.openssl
pkgs.hostname pkgs.hostname
pkgs.gawk pkgs.gawk
pkgs.systemd
]; ];
script = '' script = ''
# Ensure directory structure exists # Ensure directory structure exists
@@ -82,16 +88,14 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
PASSWORD=$(openssl rand -base64 16) PASSWORD=$(openssl rand -base64 16)
echo "$PASSWORD" > /var/lib/gnome-remote-desktop/rdp-password echo "$PASSWORD" > /var/lib/gnome-remote-desktop/rdp-password
chmod 600 /var/lib/gnome-remote-desktop/rdp-password
else else
PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password) PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password)
fi fi
chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-password
chmod 640 /var/lib/gnome-remote-desktop/rdp-password
# Write username to a separate file for the hub # Write username to a separate file for the hub
echo "sovran" > /var/lib/gnome-remote-desktop/rdp-username echo "sovran" > /var/lib/gnome-remote-desktop/rdp-username
chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-username chmod 600 /var/lib/gnome-remote-desktop/rdp-username
chmod 640 /var/lib/gnome-remote-desktop/rdp-username
# Get current IP address # Get current IP address
LOCAL_IP=$(hostname -I | awk '{print $1}') LOCAL_IP=$(hostname -I | awk '{print $1}')
@@ -113,56 +117,16 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
chmod 600 "$CRED_FILE" chmod 600 "$CRED_FILE"
grdctl --system rdp enable
grdctl --system rdp set-credentials sovran "$PASSWORD"
grdctl --system rdp disable-view-only || true
# Start the service now that everything is configured.
# The service won't auto-start (wantedBy is empty), so we start it explicitly
# after TLS certs and credentials are fully configured.
systemctl start gnome-remote-desktop.service || true
echo "GNOME Remote Desktop RDP configured successfully" echo "GNOME Remote Desktop RDP configured successfully"
''; '';
}; };
# User-level service that enables RDP screen sharing within the free user's graphical session.
# This avoids the GDM "Session Already Running" conflict caused by the system-level RDP endpoint.
systemd.user.services.gnome-remote-desktop-session = {
description = "Enable GNOME Remote Desktop screen sharing for user session";
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [
pkgs.gnome-remote-desktop
];
script = ''
# Read the password generated by the system-level setup service.
# Wait for the password file to be available (system service may still be running).
for i in $(seq 1 30); do
[ -f /var/lib/gnome-remote-desktop/rdp-password ] && break
sleep 1
done
if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
echo "ERROR: Timed out waiting for RDP password file"
exit 1
fi
PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password 2>/dev/null || echo "")
if [ -z "$PASSWORD" ]; then
echo "ERROR: RDP password file is empty"
exit 1
fi
# Enable RDP in the user session (screen sharing mode takes over existing desktop)
grdctl rdp enable
grdctl rdp set-credentials sovran "$PASSWORD"
grdctl rdp disable-view-only || true
echo "GNOME Remote Desktop user-session screen sharing enabled"
'';
};
# Add free user to gnome-remote-desktop group so the user-level service can read credential files
users.users.free.extraGroups = [ "gnome-remote-desktop" ];
# Prevent the system-level RDP service from starting — we use user-session sharing instead.
# We keep services.gnome.gnome-remote-desktop.enable = true for the grdctl binary,
# but prevent the system service from auto-starting (which causes the GDM "Session Already Running" conflict).
systemd.services."gnome-remote-desktop".wantedBy = lib.mkForce [];
} }