Remote Desktop: Difference between revisions

(5 intermediate revisions by 2 users not shown)

Line 10:

== Self hosting ==

* [[RustDesk]] (nixpkgs: rustdesk-server)

* [[RustDesk]] available in nixpkgs as rustdesk-server

== Clients ==

Line 44:

<code>pathToScript</code> can also be a path to an executable like <code>${pkgs.icewm}/bin/icewm</code>

=== ~~Tiger VNC~~ ===

=== TigerVNC ===

Nixpkgs has a package but no service.

The server component can be started using the <code>vncserver</code> command.

To connect, use the <code>vncviewer</code> command.

For an automated nixos config see [[TigerVNC]].

However, you'll more likely have success running [https://search.nixos.org/packages?channel=unstable&query=x11vnc&show=x11vnc x11vnc] on the remote/far-away server, while only using `vncviewer` from the TigerVNC package from where you're sitting. Quality documentation for x11vnc usage is at its [https://github.com/LibVNC/x11vnc/?tab=readme-ov-file#readme official repository].

=== x2go ===

Line 64:

Line 68:

A basic server setup service entry would look like this:

services.guacamole-server = {

enable = true;

host = "127.0.0.1";

services.guacamole-server = {

port = 4822;

enable = true;

userMappingXml = ./user-mapping.xml;

host = "127.0.0.1";

};

port = 4822;

userMappingXml = ./user-mapping.xml;

};

</syntaxhighlight>

This creates the <code>guacamole-server.service</code> systemd unit.

Line 114:

Line 122:

A basic client setup service entry would look like this:

services.guacamole-client = {

enable = true;

services.guacamole-client = {

enableWebserver = true;

enable = true;

settings = {

enableWebserver = true;

guacd-port = 4822;

settings = {

guacd-hostname = "localhost";

guacd-port = 4822;

};

guacd-hostname = "localhost";

};

</syntaxhighlight>

This creates a <code>tomcat.service</code> systemd unit.

Line 139:

Line 149:

This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.

services.nginx = {

~~<nowiki> </nowiki>~~ enable = true;

services.nginx = {

~~<nowiki> </nowiki>~~ upstreams."guacamole_server" = {

enable = true;

~~<nowiki> </nowiki>~~ extraConfig = ~~<nowiki>~~''~~</nowiki>~~

upstreams."guacamole_server" = {

~~<nowiki> </nowiki>~~ keepalive 4;

extraConfig = ''

~~<nowiki> </nowiki> <nowiki>''</nowiki>~~'';

keepalive 4;

~~<nowiki> </nowiki>~~ servers = {

'';

~~<nowiki> </nowiki>~~ "127.0.0.1:8080" = {};

servers = {

~~<nowiki> </nowiki>~~ };

"127.0.0.1:8080" = { };

~~<nowiki> </nowiki>~~ };

};

~~<nowiki> </nowiki>~~ virtualHosts."remote.mydomain.net" = {

};

~~<nowiki> </nowiki>~~ forceSSL = true; # redirect http to https

~~<nowiki> </nowiki>~~ enableACME = true;

virtualHosts."remote.mydomain.net" = {

~~<nowiki> </nowiki>~~ locations."/" = {

forceSSL = true; # redirect http to https

~~<nowiki> </nowiki>~~ extraConfig = ~~<nowiki>~~''~~</nowiki>~~

enableACME = true;

~~<nowiki> </nowiki>~~ proxy_buffering off;

locations."/" = {

~~<nowiki> </nowiki>~~ proxy_set_header Upgrade $http_upgrade;

extraConfig = ''

~~<nowiki> </nowiki>~~ proxy_set_header Connection $http_connection;

proxy_buffering off;

~~<nowiki> </nowiki>~~ proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Upgrade $http_upgrade;

~~<nowiki> </nowiki>~~ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Connection $http_connection;

~~<nowiki> </nowiki>~~ proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

~~<nowiki> </nowiki>~~ proxy_set_header X-NginX-Proxy true;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

~~<nowiki> </nowiki>~~ proxy_pass http://guacamole_server/guacamole$request_uri;

proxy_set_header Host $host;

proxy_redirect http://guacamole_server/ https://$server_name/;

proxy_set_header X-NginX-Proxy true;

~~<nowiki> </nowiki> <nowiki>''</nowiki>~~'';

proxy_pass http://guacamole_server/guacamole$request_uri;

};

proxy_redirect http://guacamole_server/ https://$server_name/;

};

'';

};

# this sets up the letsencrypt service to get ssl certs for the above

security.acme = {

# this sets up the letsencrypt service to get ssl certs for the above

acceptTerms = true;

security.acme = {

defaults.email = "your.email@server.name";

acceptTerms = true;

};

defaults.email = "your.email@server.name";

};

</syntaxhighlight>

The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.

Line 187:

Line 199:

In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.

networking.firewall = {

enable = true;

networking.firewall = {

allowedTCPPorts = [

enable = true;

80 # http

allowedTCPPorts = [

443 # https

80 # http

8080 # guacamole

443 # https

4822 # guacamole

8080 # guacamole

];

4822 # guacamole

};

];

};

</syntaxhighlight>

For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.

networking.firewall = {

enable = true;

networking.firewall = {

allowedTCPPorts = [

enable = true;

~~22 # ssh~~

allowedTCPPorts = [

3389 # rdp

];

};

</syntaxhighlight>

==== References ====

Line 222:

Line 236:

services.xserver.enable = true;

services.xserver = {

~~services.xserver.~~displayManager.sddm.enable = true;

enable = true;

~~services.xserver.~~desktopManager.plasma5.enable = true;

displayManager.sddm.enable = true;

desktopManager.plasma5.enable = true;

};

services.xrdp.enable = true;

services.xrdp = {

~~services.xrdp.~~defaultWindowManager = "startplasma-x11";

enable = true;

~~services.xrdp.~~openFirewall = true;

defaultWindowManager = "startplasma-x11";

openFirewall = true;

};

</syntaxhighlight>

Line 254:

Line 272:

To fix this we need to enable and start the systemd unit at boot using <code>wantedBy = [ "graphical.target" ];</code> as shown below:

<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true; ~~# 'true' does not make the unit start automatically at boot~~

<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true;

systemd.services.gnome-remote-desktop = {

wantedBy = [ "graphical.target" ]; # for starting the unit automatically at boot

};

services.displayManager.autoLogin.enable = false;

~~services.getty.autologinUser = null;~~

networking.firewall.allowedTCPPorts = [ 3389 ];</syntaxhighlight>

Line 268:

Line 285:

<code>services.meshcentral.enable = true;</code>

~~However, the agent (client) is not available. ([https://github.com/NixOS/nixpkgs/issues/167527 Request])~~

[[Category:Applications]]

[[Category:Desktop]]

[[Category:Server]]

@@ Line 10: / Line 10: @@
 == Self hosting ==
-* [[RustDesk]] (nixpkgs: rustdesk-server)
+* [[RustDesk]] available in nixpkgs as rustdesk-server
 == Clients ==
@@ Line 44: / Line 44: @@
 <code>pathToScript</code> can also be a path to an executable like <code>${pkgs.icewm}/bin/icewm</code>
-=== Tiger VNC ===
+=== TigerVNC ===
 Nixpkgs has a package but no service.
 The server component can be started using the <code>vncserver</code> command.
 To connect, use the <code>vncviewer</code> command.
+For an automated nixos config see [[TigerVNC]].
+However, you'll more likely have success running [https://search.nixos.org/packages?channel=unstable&query=x11vnc&show=x11vnc x11vnc] on the remote/far-away server, while only using `vncviewer` from the TigerVNC package from where you're sitting. Quality documentation for x11vnc usage is at its [https://github.com/LibVNC/x11vnc/?tab=readme-ov-file#readme official repository].
 === x2go ===
@@ Line 64: / Line 68: @@
 A basic server setup service entry would look like this:
-    services.guacamole-server = {
-        enable = true;
+<syntaxhighlight lang="nix">
-        host = "127.0.0.1";
+services.guacamole-server = {
-        port = 4822;
+    enable = true;
-        userMappingXml = ./user-mapping.xml;
+    host = "127.0.0.1";
-    };
+    port = 4822;
+    userMappingXml = ./user-mapping.xml;
+};
+</syntaxhighlight>
 This creates the <code>guacamole-server.service</code> systemd unit.
@@ Line 114: / Line 122: @@
 A basic client setup service entry would look like this:
-    services.guacamole-client = {
+<syntaxhighlight lang="nix">
-        enable = true;
+services.guacamole-client = {
-        enableWebserver = true;
+    enable = true;
-        settings = {
+    enableWebserver = true;
-            guacd-port = 4822;
+    settings = {
-            guacd-hostname = "localhost";
+        guacd-port = 4822;
-        };
+        guacd-hostname = "localhost";
      };
+};
+</syntaxhighlight>
 This creates a <code>tomcat.service</code> systemd unit.
@@ Line 139: / Line 149: @@
 This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.
-    services.nginx = {
+<syntaxhighlight lang="nix">
- <nowiki> </nowiki>      enable = true;
+services.nginx = {
- <nowiki> </nowiki>      upstreams."guacamole_server" = {
+  enable = true;
- <nowiki> </nowiki>          extraConfig = <nowiki>''</nowiki>
+  upstreams."guacamole_server" = {
- <nowiki> </nowiki>              keepalive 4;
+    extraConfig = ''
- <nowiki> </nowiki>          <nowiki>''</nowiki>'';
+      keepalive 4;
- <nowiki> </nowiki>          servers = {
+    '';
- <nowiki> </nowiki>              "127.0.0.1:8080" = {};
+    servers = {
- <nowiki> </nowiki>          };
+      "127.0.0.1:8080" = { };
- <nowiki> </nowiki>      };
+    };
- <nowiki> </nowiki>      virtualHosts."remote.mydomain.net" = {
+};
- <nowiki> </nowiki>          forceSSL = true; # redirect http to https
- <nowiki> </nowiki>          enableACME = true;
+virtualHosts."remote.mydomain.net" = {
- <nowiki> </nowiki>          locations."/" = {
+  forceSSL = true; # redirect http to https
- <nowiki> </nowiki>              extraConfig = <nowiki>''</nowiki>
+  enableACME = true;
- <nowiki> </nowiki>                  proxy_buffering off;
+  locations."/" = {
- <nowiki> </nowiki>                  proxy_set_header Upgrade $http_upgrade;
+    extraConfig = ''
- <nowiki> </nowiki>                  proxy_set_header Connection $http_connection;
+      proxy_buffering off;
- <nowiki> </nowiki>                  proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Upgrade $http_upgrade;
- <nowiki> </nowiki>                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Connection $http_connection;
- <nowiki> </nowiki>                  proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
- <nowiki> </nowiki>                  proxy_set_header X-NginX-Proxy true;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- <nowiki> </nowiki>                  proxy_pass http://guacamole_server/guacamole$request_uri;
+      proxy_set_header Host $host;
-                    proxy_redirect http://guacamole_server/ https://$server_name/;
+      proxy_set_header X-NginX-Proxy true;
- <nowiki> </nowiki>              <nowiki>''</nowiki>'';
+      proxy_pass http://guacamole_server/guacamole$request_uri;
-            };
+      proxy_redirect http://guacamole_server/ https://$server_name/;
-        };
+    '';
-    };
+  };
-    # this sets up the letsencrypt service to get ssl certs for the above
-    security.acme = {
+# this sets up the letsencrypt service to get ssl certs for the above
-        acceptTerms = true;
+security.acme = {
-        defaults.email = "your.email@server.name";
+  acceptTerms = true;
-    };
+  defaults.email = "your.email@server.name";
+};
+</syntaxhighlight>
 The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.
@@ Line 187: / Line 199: @@
 In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.
-    networking.firewall = {
+<syntaxhighlight lang="nix">
-        enable = true;
+networking.firewall = {
-        allowedTCPPorts = [
+  enable = true;
-# http
+  allowedTCPPorts = [
-# https
+# http
-# guacamole
+# https
 # guacamole
-        ];
+# guacamole
-    };
+  ];
+};
+</syntaxhighlight>
 For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.
-    networking.firewall = {
+<syntaxhighlight lang="nix">
-        enable = true;
+networking.firewall = {
-        allowedTCPPorts = [
+  enable = true;
-# ssh
+  allowedTCPPorts = [
 # rdp
-        ];
+  ];
-    };
+};
+</syntaxhighlight>
 ==== References ====
@@ Line 222: / Line 236: @@
 <syntaxhighlight lang="nix">
-services.xserver.enable = true;
+services.xserver = {
-services.xserver.displayManager.sddm.enable = true;
+  enable = true;
-services.xserver.desktopManager.plasma5.enable = true;
+  displayManager.sddm.enable = true;
+  desktopManager.plasma5.enable = true;
+};
-services.xrdp.enable = true;
+services.xrdp = {
-services.xrdp.defaultWindowManager = "startplasma-x11";
+  enable = true;
-services.xrdp.openFirewall = true;
+  defaultWindowManager = "startplasma-x11";
+  openFirewall = true;
+};
 </syntaxhighlight>
@@ Line 254: / Line 272: @@
 To fix this we need to enable and start the systemd unit at boot using <code>wantedBy = [ "graphical.target" ];</code> as shown below:
-<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true; # 'true' does not make the unit start automatically at boot
+<syntaxhighlight lang="nix">services.gnome.gnome-remote-desktop.enable = true;
 systemd.services.gnome-remote-desktop = {
    wantedBy = [ "graphical.target" ]; # for starting the unit automatically at boot
 };
 services.displayManager.autoLogin.enable = false;
-services.getty.autologinUser = null;
 networking.firewall.allowedTCPPorts = [ 3389 ];</syntaxhighlight>
@@ Line 268: / Line 285: @@
 <code>services.meshcentral.enable = true;</code>
-However, the agent (client) is not available. ([https://github.com/NixOS/nixpkgs/issues/167527 Request])
 [[Category:Applications]]
 [[Category:Desktop]]
 [[Category:Server]]