Remote Desktop: Difference between revisions

Sandro (talk | contribs)
Sandro (talk | contribs)
Fix syntax highlighting
 
Line 64: Line 64:


A basic server setup service entry would look like this:  
A basic server setup service entry would look like this:  
    services.guacamole-server = {
 
        enable = true;
<syntaxhighlight lang="nix">
        host = "127.0.0.1";
services.guacamole-server = {
        port = 4822;
    enable = true;
        userMappingXml = ./user-mapping.xml;
    host = "127.0.0.1";
    };
    port = 4822;
    userMappingXml = ./user-mapping.xml;
};
</syntaxhighlight>
 
This creates the <code>guacamole-server.service</code> systemd unit.
This creates the <code>guacamole-server.service</code> systemd unit.
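Review bot: `userMappingXml = ./user-mapping.xml;` is a Nix path literal, and a path literal is copied into `/nix/store`, which is world-readable on every NixOS host. According to this page, user-mapping.xml holds the Guacamole user accounts and the connection settings for the target systems, so it presumably contains the credentials for both, and any local user could read them from the store. The example should say so; I would add above that line `# NOTE: a path literal is copied into the world-readable Nix store. For a real deployment point this at a file deployed out of band (e.g. an absolute path string, or a secrets tool) with restrictive permissions.` Whether the option accepts an absolute-path string without copying should be confirmed against the option's type before the wording is finalised.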


Line 114: Line 118:
A basic client setup service entry would look like this:
A basic client setup service entry would look like this:


    services.guacamole-client = {
<syntaxhighlight lang="nix">
        enable = true;
services.guacamole-client = {
        enableWebserver = true;
    enable = true;
        settings = {
    enableWebserver = true;
            guacd-port = 4822;
    settings = {
            guacd-hostname = "localhost";
        guacd-port = 4822;
        };
        guacd-hostname = "localhost";
     };
     };
};
</syntaxhighlight>


This creates a <code>tomcat.service</code> systemd unit.
This creates a <code>tomcat.service</code> systemd unit.
Line 139: Line 145:
This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.
This example has a virtual host available as <code>https://remote.mydomain.net</code>. It uses the [https://search.nixos.org/options?type=packages&query=services.nginx nginx] service, and [https://letsencrypt.org/ LetsEncrypt] for SSL. Configuration of a DNS domain and records is outside the scope of this document.


    services.nginx = {
<syntaxhighlight lang="nix">
<nowiki> </nowiki>      enable = true;
services.nginx = {
<nowiki> </nowiki>      upstreams."guacamole_server" = {
  enable = true;
<nowiki> </nowiki>          extraConfig = <nowiki>''</nowiki>
  upstreams."guacamole_server" = {
<nowiki> </nowiki>              keepalive 4;
    extraConfig = ''
<nowiki> </nowiki>          <nowiki>''</nowiki>'';
      keepalive 4;
<nowiki> </nowiki>          servers = {
    '';
<nowiki> </nowiki>              "127.0.0.1:8080" = {};
    servers = {
<nowiki> </nowiki>          };
      "127.0.0.1:8080" = { };
<nowiki> </nowiki>      };
    };
<nowiki> </nowiki>      virtualHosts."remote.mydomain.net" = {
};
<nowiki> </nowiki>          forceSSL = true; # redirect http to https
 
<nowiki> </nowiki>          enableACME = true;
virtualHosts."remote.mydomain.net" = {
<nowiki> </nowiki>          locations."/" = {
  forceSSL = true; # redirect http to https
<nowiki> </nowiki>              extraConfig = <nowiki>''</nowiki>
  enableACME = true;
<nowiki> </nowiki>                  proxy_buffering off;
  locations."/" = {
<nowiki> </nowiki>                  proxy_set_header Upgrade $http_upgrade;
    extraConfig = ''
<nowiki> </nowiki>                  proxy_set_header Connection $http_connection;
      proxy_buffering off;
<nowiki> </nowiki>                  proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Upgrade $http_upgrade;
<nowiki> </nowiki>                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Connection $http_connection;
<nowiki> </nowiki>                  proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
<nowiki> </nowiki>                  proxy_set_header X-NginX-Proxy true;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
<nowiki> </nowiki>                  proxy_pass http://guacamole_server/guacamole$request_uri;
      proxy_set_header Host $host;
                    proxy_redirect http://guacamole_server/ https://$server_name/;
      proxy_set_header X-NginX-Proxy true;
<nowiki> </nowiki>              <nowiki>''</nowiki>'';
      proxy_pass http://guacamole_server/guacamole$request_uri;
            };
      proxy_redirect http://guacamole_server/ https://$server_name/;
        };
    '';
    };       
  };
    # this sets up the letsencrypt service to get ssl certs for the above
     
    security.acme = {
# this sets up the letsencrypt service to get ssl certs for the above
        acceptTerms = true;
security.acme = {
        defaults.email = "your.email@server.name";
  acceptTerms = true;
    };     
  defaults.email = "your.email@server.name";
};     
</syntaxhighlight>


The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.
The <code>upstreams."guacamole_server".servers</code> setting points the to IP:port where the <code>guacamole-client</code> webportal is hosted. In this example <code>nginx</code> and <code>guacamole</code> are on the same host.
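Review bot: The `locations."/"` block sets the `Upgrade` and `Connection` headers but never sets `proxy_http_version 1.1;`, and nginx proxies to the upstream with HTTP/1.0 by default, so the WebSocket tunnel Guacamole uses would fall back to long polling (and the `keepalive 4;` in the upstream block is only effective over HTTP/1.1 as well). The cleanest fix is the NixOS option, which sets the version and both headers: add `proxyWebsockets = true;` to the location and drop the two `proxy_set_header Upgrade/Connection` lines, or alternatively add `proxy_http_version 1.1;` to `extraConfig`. Since TLS terminates at nginx and the backend is plain HTTP on `127.0.0.1:8080`, it is also worth stating in the text that the Tomcat port must stay unreachable from outside for `forceSSL` to mean anything.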
Line 187: Line 195:
In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.
In the case of the above reverse proxy example, the correct firewall ports will also need to be opened on the server hosting the <code>nginx</code> proxy.


    networking.firewall = {
<syntaxhighlight lang="nix">
        enable = true;
networking.firewall = {
        allowedTCPPorts = [
  enable = true;
            80 # http
  allowedTCPPorts = [
            443 # https
    80 # http
            8080 # guacamole
    443 # https
            4822 # guacamole
    8080 # guacamole
        ];
    4822 # guacamole
    };                                         
  ];
 
};                                         
</syntaxhighlight>
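Review bot: Opening `8080 # guacamole` and `4822 # guacamole` on the nginx host exposes the plain-HTTP Tomcat portal and the guacd socket to the network, which bypasses the TLS front end configured just above; as far as I know guacd does not authenticate its own clients, so reachable 4822 is a direct path to the connections in user-mapping.xml. Neither port needs opening here: the page says nginx and guacamole run on the same host, and `guacamole-server` is bound to `127.0.0.1` earlier on this page, so only nginx needs to be reachable. I would reduce the list to `allowedTCPPorts = [ 80 443 ];` with the existing comments and add `# 8080 (tomcat) and 4822 (guacd) stay on localhost behind nginx; open them only if the client or guacd runs on another host, and then restrict by source address`.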


For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.
For any systems that will be reached from the guacamole service, the corresponding ports will need to be opened. The below example opens ports that match the connection settings in the above <code>user-mapping.xml</code>.


    networking.firewall = {
<syntaxhighlight lang="nix">
        enable = true;
networking.firewall = {
        allowedTCPPorts = [
  enable = true;
            22 # ssh
  allowedTCPPorts = [
            3389 # rdp
    3389 # rdp
        ];
  ];
    };                                         
};                                         
</syntaxhighlight>
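Review bot: `3389 # rdp` is opened with `allowedTCPPorts`, which admits every source address, whereas the text above says these ports only need to be reachable from the guacamole service; RDP is a routine brute-force and exploit target, so an unrestricted rule is broader than the stated intent. NixOS cannot scope `allowedTCPPorts` by source, so I would add a comment `# restrict to the guacamole host rather than the whole network, e.g. networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp -s <guacamole-ip> --dport 3389 -j nixos-fw-accept";` and leave `allowedTCPPorts` for the case where such scoping is not possible. The same applies to any other port a connection in user-mapping.xml points at (the removed `22 # ssh` entry, for instance).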


==== References ====
==== References ====
Line 222: Line 232:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">


services.xserver.enable = true;
services.xserver = {
services.xserver.displayManager.sddm.enable = true;
  enable = true;
services.xserver.desktopManager.plasma5.enable = true;
  displayManager.sddm.enable = true;
  desktopManager.plasma5.enable = true;
};


services.xrdp.enable = true;
services.xrdp = {
services.xrdp.defaultWindowManager = "startplasma-x11";
  enable = true;
services.xrdp.openFirewall = true;
  defaultWindowManager = "startplasma-x11";
  openFirewall = true;
};
</syntaxhighlight>
</syntaxhighlight>