Official NixOS Wiki

Remote Desktop: Difference between revisions

← Older edit
Sandro (talk | contribs)
78 edits
VisualWikitext
Crazivik (talk | contribs)
19 edits
mNo edit summary
Sandro (talk | contribs)
78 edits
Fix syntax highlighting
 
(5 intermediate revisions by 3 users not shown)
Line 10: Line 10:


== Self hosting ==
== Self hosting ==
* [[RustDesk]] (nixpkgs: rustdesk-server)
* [[RustDesk]] available in nixpkgs as rustdesk-server


== Clients ==
== Clients ==
Line 64: Line 64:


A basic server setup service entry would look like this:  
A basic server setup service entry would look like this:  
    services.guacamole-server = {
 
        enable = true;
<syntaxhighlight lang="nix">
        host = "127.0.0.1";
services.guacamole-server = {
        port = 4822;
    enable = true;
        userMappingXml = ./user-mapping.xml;
    host = "127.0.0.1";
    };
    port = 4822;
    userMappingXml = ./user-mapping.xml;
};
</syntaxhighlight>
 
This creates the <code>guacamole-server.service</code> systemd unit.
This creates the <code>guacamole-server.service</code> systemd unit.


Line 114: Line 118:
A basic client setup service entry would look like this:
A basic client setup service entry would look like this:


    services.guacamole-client = {
<syntaxhighlight lang="nix">
        enable = true;
services.guacamole-client = {
        enableWebserver = true;
    enable = true;
        settings = {
    enableWebserver = true;
            guacd-port = 4822;
    settings = {
            guacd-hostname = "localhost";
        guacd-port = 4822;
        };
        guacd-hostname = "localhost";
     };
     };
};
</syntaxhighlight>


This creates a <code>tomcat.service</code> systemd unit.
This creates a <code>tomcat.service</code> systemd unit.
Line 139: Line 145:
This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.
This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.


    services.nginx = {
<syntaxhighlight lang="nix">
        enable = true;
services.nginx = {
        upstreams."guacamole_server" = {
  enable = true;
            extraConfig = ''
  upstreams."guacamole_server" = {
                keepalive 4;
    extraConfig = ''
            '';
      keepalive 4;
            servers = {
    '';
                "127.0.0.1:8080" = {};
    servers = {
            };
      "127.0.0.1:8080" = { };
        };
    };
        virtualHosts."remote.mydomain.net" = {
};
            forceSSL = true; # redirect http to https
 
            enableACME = true;
virtualHosts."remote.mydomain.net" = {
            locations."/" = {
  forceSSL = true; # redirect http to https
                extraConfig = ''
  enableACME = true;
                    proxy_buffering off;
  locations."/" = {
                    proxy_set_header Upgrade $http_upgrade;
    extraConfig = ''
                    proxy_set_header Connection $http_connection;
      proxy_buffering off;
                    proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Connection $http_connection;
                    proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-NginX-Proxy true;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_pass http://guacamole_server/guacamole$request_uri;
      proxy_set_header Host $host;
                    proxy_redirect http://guacamole_server/ https://$server_name/;
      proxy_set_header X-NginX-Proxy true;
                '';
      proxy_pass http://guacamole_server/guacamole$request_uri;
            };
      proxy_redirect http://guacamole_server/ https://$server_name/;
        };
    '';
    };       
  };
    # this sets up the letsencrypt service to get ssl certs for the above
     
    security.acme = {
# this sets up the letsencrypt service to get ssl certs for the above
        acceptTerms = true;
security.acme = {
        defaults.email = "your.email@server.name";
  acceptTerms = true;
    };     
  defaults.email = "your.email@server.name";
};     
</syntaxhighlight>


The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.
The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.
Line 187: Line 195:
In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.
In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.


    networking.firewall = {
<syntaxhighlight lang="nix">
        enable = true;
networking.firewall = {
        allowedTCPPorts = [
  enable = true;
            80 # http
  allowedTCPPorts = [
            443 # https
    80 # http
            8080 # guacamole
    443 # https
            4822 # guacamole
    8080 # guacamole
        ];
    4822 # guacamole
    };                                         
  ];
 
};                                         
</syntaxhighlight>


For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.
For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.


    networking.firewall = {
<syntaxhighlight lang="nix">
        enable = true;
networking.firewall = {
        allowedTCPPorts = [
  enable = true;
            22 # ssh
  allowedTCPPorts = [
            3389 # rdp
    3389 # rdp
        ];
  ];
    };                                         
};                                         
</syntaxhighlight>


==== References ====
==== References ====
Line 222: Line 232:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">


services.xserver.enable = true;
services.xserver = {
services.xserver.displayManager.sddm.enable = true;
  enable = true;
services.xserver.desktopManager.plasma5.enable = true;
  displayManager.sddm.enable = true;
  desktopManager.plasma5.enable = true;
};


services.xrdp.enable = true;
services.xrdp = {
services.xrdp.defaultWindowManager = "startplasma-x11";
  enable = true;
services.xrdp.openFirewall = true;
  defaultWindowManager = "startplasma-x11";
  openFirewall = true;
};
</syntaxhighlight>
</syntaxhighlight>


Line 254: Line 268:
To fix this we need to enable and start the systemd unit at boot using <code>wantedBy = [ "graphical.target" ];</code> as shown below:
To fix this we need to enable and start the systemd unit at boot using <code>wantedBy = [ "graphical.target" ];</code> as shown below:


<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true; # 'true' does not make the unit start by default at boot
<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true;
systemd.services.gnome-remote-desktop = {  
systemd.services.gnome-remote-desktop = {  
   wantedBy = [ "graphical.target" ]; # for starting the unit by default at boot
   wantedBy = [ "graphical.target" ]; # for starting the unit automatically at boot
};
};
services.displayManager.autoLogin.enable = false;
services.displayManager.autoLogin.enable = false;
services.getty.autologinUser = null;
networking.firewall.allowedTCPPorts = [ 3389 ];</syntaxhighlight>
networking.firewall.allowedTCPPorts = [ 3389 ];</syntaxhighlight>


Line 268: Line 281:


<code>services.meshcentral.enable = true;</code>
<code>services.meshcentral.enable = true;</code>
However, the agent (client) is not available. ([https://github.com/NixOS/nixpkgs/issues/167527 Request])


[[Category:Applications]]
[[Category:Applications]]
[[Category:Desktop]]
[[Category:Desktop]]
[[Category:Server]]
[[Category:Server]]
Retrieved from "https://wiki.nixos.org/wiki/Remote_Desktop"