feat(install): gnome-remote-desktop remote login + code-server; drop wkhtmltopdf
Replace the Wayland-incompatible xrdp approach with gnome-remote-desktop system "Remote Login": idempotent self-signed TLS cert, RDP enable, and an interactive gate-credential prompt (ensure_rdp_credentials) — skipped when already set, never hardcoding the secret, with a non-TTY fallback that prints the manual command. Without gate credentials the RDP server rejects every connection (mstsc 0x904). Also bundle prior uncommitted installer work: install code-server (skip if present), swap wkhtmltopdf -> weasyprint for PDF rendering, and append a login-time dtach auto-router to ~/.profile. Verified: bash -n + shellcheck clean. Not run live; RDP connection untested. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JSFhCiEgndbRrMf7s8mmth
This commit is contained in:
parent
262862c1b9
commit
0bd936bf33
98
install.sh
98
install.sh
@ -27,6 +27,81 @@ install_docker() {
|
|||||||
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# RDP "gate" credentials: a shared username/password that unlocks the GDM
|
||||||
|
# login screen (each user then logs into GDM with his own account). Required —
|
||||||
|
# without it the RDP server rejects every connection (mstsc error 0x904). It is
|
||||||
|
# a secret, so never stored in this repo: prompted interactively when a terminal
|
||||||
|
# is attached, otherwise the user is told to set it himself. Idempotent: skipped
|
||||||
|
# when already configured.
|
||||||
|
ensure_rdp_credentials() {
|
||||||
|
local hint="set later: sudo grdctl --system rdp set-credentials"
|
||||||
|
|
||||||
|
# A non-empty Username means credentials are already configured — nothing to do.
|
||||||
|
if ! sudo grdctl --system status 2>/dev/null | grep -q 'Username: (empty)'; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -t 0 ]; then
|
||||||
|
echo "RDP gate credentials not set ($hint)" >&2
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
local rdp_user="" rdp_pass=""
|
||||||
|
read -rp "RDP gate username: " rdp_user || true
|
||||||
|
read -rsp "RDP gate password: " rdp_pass || true
|
||||||
|
echo
|
||||||
|
if [ -z "$rdp_user" ] || [ -z "$rdp_pass" ]; then
|
||||||
|
echo "No credentials entered — $hint" >&2
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
sudo grdctl --system rdp set-credentials "$rdp_user" "$rdp_pass"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Remote desktop via gnome-remote-desktop (GNOME's native, Wayland-compatible RDP).
|
||||||
|
# Mode: system "Remote Login". Two-layer auth: the RDP client first authenticates
|
||||||
|
# with shared "gate" credentials (set via ensure_rdp_credentials), then the user logs
|
||||||
|
# into GDM with his own Linux account and a fresh GNOME session starts. xrdp does NOT
|
||||||
|
# work on this GNOME: it is Wayland-only (GNOME Shell asserts XDG_SESSION_TYPE=wayland,
|
||||||
|
# which xrdp's Xorg backend cannot satisfy, so the session dies the instant you log in).
|
||||||
|
# Debian/Ubuntu only. Idempotent.
|
||||||
|
setup_remote_desktop() {
|
||||||
|
local cert="/etc/gnome-remote-desktop/rdp-tls.crt"
|
||||||
|
local key="/etc/gnome-remote-desktop/rdp-tls.key"
|
||||||
|
|
||||||
|
# xrdp and gnome-remote-desktop both bind port 3389 — disable xrdp if present.
|
||||||
|
if systemctl list-unit-files 2>/dev/null | grep -q '^xrdp\.service'; then
|
||||||
|
sudo systemctl disable --now xrdp xrdp-sesman 2>/dev/null || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo apt-get install -y gnome-remote-desktop openssl
|
||||||
|
|
||||||
|
# Self-signed TLS cert for the RDP server, generated once so the fingerprint stays
|
||||||
|
# stable across re-runs (clients accept it on first connect).
|
||||||
|
if [ ! -f "$cert" ]; then
|
||||||
|
sudo install -d -m 0755 /etc/gnome-remote-desktop
|
||||||
|
sudo openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
|
||||||
|
-subj "/CN=$(hostname)" -out "$cert" -keyout "$key"
|
||||||
|
sudo chown gnome-remote-desktop:gnome-remote-desktop "$cert" "$key"
|
||||||
|
sudo chmod 640 "$key"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Point the system (remote-login) RDP daemon at the cert and turn it on.
|
||||||
|
sudo grdctl --system rdp set-tls-cert "$cert"
|
||||||
|
sudo grdctl --system rdp set-tls-key "$key"
|
||||||
|
sudo grdctl --system rdp enable
|
||||||
|
|
||||||
|
# Gate credentials: prompted at install, never hardcoded.
|
||||||
|
ensure_rdp_credentials
|
||||||
|
|
||||||
|
# Open the RDP port only when a firewall is already active — never force ufw on.
|
||||||
|
if command -v ufw >/dev/null 2>&1 && sudo ufw status 2>/dev/null | grep -q "Status: active"; then
|
||||||
|
sudo ufw allow 3389/tcp
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo systemctl enable gnome-remote-desktop.service
|
||||||
|
sudo systemctl restart gnome-remote-desktop.service
|
||||||
|
}
|
||||||
|
|
||||||
# System packages: Debian/Ubuntu only. Skipped where apt-get is absent (e.g. macOS).
|
# System packages: Debian/Ubuntu only. Skipped where apt-get is absent (e.g. macOS).
|
||||||
if command -v apt-get >/dev/null 2>&1; then
|
if command -v apt-get >/dev/null 2>&1; then
|
||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
@ -39,10 +114,19 @@ if command -v apt-get >/dev/null 2>&1; then
|
|||||||
unzip tree tmux fzf dtach net-tools \
|
unzip tree tmux fzf dtach net-tools \
|
||||||
openssh-server cifs-utils lftp ftp \
|
openssh-server cifs-utils lftp ftp \
|
||||||
nodejs python3-pip pipx php-cli \
|
nodejs python3-pip pipx php-cli \
|
||||||
ffmpeg wkhtmltopdf poppler-utils qpdf webp libavif-bin
|
ffmpeg weasyprint poppler-utils qpdf webp libavif-bin
|
||||||
|
|
||||||
# Docker (separate repo).
|
# Docker (separate repo).
|
||||||
install_docker
|
install_docker
|
||||||
|
|
||||||
|
# code-server (VS Code in the browser) — skip the download if already installed.
|
||||||
|
if ! command -v code-server >/dev/null 2>&1; then
|
||||||
|
curl -fsSL https://code-server.dev/install.sh | sh
|
||||||
|
fi
|
||||||
|
sudo systemctl enable --now "code-server@$USER"
|
||||||
|
|
||||||
|
# Remote desktop (gnome-remote-desktop — see the function header for why not xrdp).
|
||||||
|
setup_remote_desktop
|
||||||
else
|
else
|
||||||
echo "apt-get not found — skipping system packages (install vim/git manually)."
|
echo "apt-get not found — skipping system packages (install vim/git manually)."
|
||||||
fi
|
fi
|
||||||
@ -97,6 +181,18 @@ mkdir -p "$HOME/.local/bin"
|
|||||||
cp "$SCRIPT_DIR"/bin/* "$HOME/.local/bin/"
|
cp "$SCRIPT_DIR"/bin/* "$HOME/.local/bin/"
|
||||||
chmod +x "$HOME"/.local/bin/dt "$HOME"/.local/bin/dtach-router "$HOME"/.local/bin/claude-provider
|
chmod +x "$HOME"/.local/bin/dt "$HOME"/.local/bin/dtach-router "$HOME"/.local/bin/claude-provider
|
||||||
|
|
||||||
|
|
||||||
|
# Append the dtach auto-router to ~/.profile once, so each login resumes sessions.
|
||||||
|
if ! grep -q "Aucune session dtach." "$HOME/.profile" 2>/dev/null; then
|
||||||
|
cat >> "$HOME/.profile" << 'EOF'
|
||||||
|
|
||||||
|
DT=$(dt ls)
|
||||||
|
if [ "$DT" != "Aucune session dtach." ]; then
|
||||||
|
dtach-router
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Done. Restart your shell or run: source ~/.bashrc"
|
echo "Done. Restart your shell or run: source ~/.bashrc"
|
||||||
echo "If you use zsh, switch to bash to enjoy these settings =)"
|
echo "If you use zsh, switch to bash to enjoy these settings =)"
|
||||||
echo "Note: the deployed bashrc puts ~/.local/bin on PATH — re-login or run: source ~/.bashrc"
|
echo "Note: the deployed bashrc puts ~/.local/bin on PATH — re-login or run: source ~/.bashrc"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user