From 0bd936bf33094a98ce85d92bbd07fde01735aec3 Mon Sep 17 00:00:00 2001 From: Bastien Chanot Date: Tue, 23 Jun 2026 17:13:21 +0200 Subject: [PATCH] feat(install): gnome-remote-desktop remote login + code-server; drop wkhtmltopdf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace the Wayland-incompatible xrdp approach with gnome-remote-desktop system "Remote Login": idempotent self-signed TLS cert, RDP enable, and an interactive gate-credential prompt (ensure_rdp_credentials) — skipped when already set, never hardcoding the secret, with a non-TTY fallback that prints the manual command. Without gate credentials the RDP server rejects every connection (mstsc 0x904). Also bundle prior uncommitted installer work: install code-server (skip if present), swap wkhtmltopdf -> weasyprint for PDF rendering, and append a login-time dtach auto-router to ~/.profile. Verified: bash -n + shellcheck clean. Not run live; RDP connection untested. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01JSFhCiEgndbRrMf7s8mmth --- install.sh | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 97 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index fe862da..ca444d8 100755 --- a/install.sh +++ b/install.sh @@ -27,6 +27,81 @@ install_docker() { sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin } +# RDP "gate" credentials: a shared username/password that unlocks the GDM +# login screen (each user then logs into GDM with his own account). Required — +# without it the RDP server rejects every connection (mstsc error 0x904). It is +# a secret, so never stored in this repo: prompted interactively when a terminal +# is attached, otherwise the user is told to set it himself. Idempotent: skipped +# when already configured. +ensure_rdp_credentials() { + local hint="set later: sudo grdctl --system rdp set-credentials" + + # A non-empty Username means credentials are already configured — nothing to do. + if ! sudo grdctl --system status 2>/dev/null | grep -q 'Username: (empty)'; then + return 0 + fi + + if [ ! -t 0 ]; then + echo "RDP gate credentials not set ($hint)" >&2 + return 0 + fi + + local rdp_user="" rdp_pass="" + read -rp "RDP gate username: " rdp_user || true + read -rsp "RDP gate password: " rdp_pass || true + echo + if [ -z "$rdp_user" ] || [ -z "$rdp_pass" ]; then + echo "No credentials entered — $hint" >&2 + return 0 + fi + sudo grdctl --system rdp set-credentials "$rdp_user" "$rdp_pass" +} + +# Remote desktop via gnome-remote-desktop (GNOME's native, Wayland-compatible RDP). +# Mode: system "Remote Login". Two-layer auth: the RDP client first authenticates +# with shared "gate" credentials (set via ensure_rdp_credentials), then the user logs +# into GDM with his own Linux account and a fresh GNOME session starts. xrdp does NOT +# work on this GNOME: it is Wayland-only (GNOME Shell asserts XDG_SESSION_TYPE=wayland, +# which xrdp's Xorg backend cannot satisfy, so the session dies the instant you log in). +# Debian/Ubuntu only. Idempotent. +setup_remote_desktop() { + local cert="/etc/gnome-remote-desktop/rdp-tls.crt" + local key="/etc/gnome-remote-desktop/rdp-tls.key" + + # xrdp and gnome-remote-desktop both bind port 3389 — disable xrdp if present. + if systemctl list-unit-files 2>/dev/null | grep -q '^xrdp\.service'; then + sudo systemctl disable --now xrdp xrdp-sesman 2>/dev/null || true + fi + + sudo apt-get install -y gnome-remote-desktop openssl + + # Self-signed TLS cert for the RDP server, generated once so the fingerprint stays + # stable across re-runs (clients accept it on first connect). + if [ ! -f "$cert" ]; then + sudo install -d -m 0755 /etc/gnome-remote-desktop + sudo openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \ + -subj "/CN=$(hostname)" -out "$cert" -keyout "$key" + sudo chown gnome-remote-desktop:gnome-remote-desktop "$cert" "$key" + sudo chmod 640 "$key" + fi + + # Point the system (remote-login) RDP daemon at the cert and turn it on. + sudo grdctl --system rdp set-tls-cert "$cert" + sudo grdctl --system rdp set-tls-key "$key" + sudo grdctl --system rdp enable + + # Gate credentials: prompted at install, never hardcoded. + ensure_rdp_credentials + + # Open the RDP port only when a firewall is already active — never force ufw on. + if command -v ufw >/dev/null 2>&1 && sudo ufw status 2>/dev/null | grep -q "Status: active"; then + sudo ufw allow 3389/tcp + fi + + sudo systemctl enable gnome-remote-desktop.service + sudo systemctl restart gnome-remote-desktop.service +} + # System packages: Debian/Ubuntu only. Skipped where apt-get is absent (e.g. macOS). if command -v apt-get >/dev/null 2>&1; then sudo apt-get update @@ -39,10 +114,19 @@ if command -v apt-get >/dev/null 2>&1; then unzip tree tmux fzf dtach net-tools \ openssh-server cifs-utils lftp ftp \ nodejs python3-pip pipx php-cli \ - ffmpeg wkhtmltopdf poppler-utils qpdf webp libavif-bin + ffmpeg weasyprint poppler-utils qpdf webp libavif-bin # Docker (separate repo). install_docker + + # code-server (VS Code in the browser) — skip the download if already installed. + if ! command -v code-server >/dev/null 2>&1; then + curl -fsSL https://code-server.dev/install.sh | sh + fi + sudo systemctl enable --now "code-server@$USER" + + # Remote desktop (gnome-remote-desktop — see the function header for why not xrdp). + setup_remote_desktop else echo "apt-get not found — skipping system packages (install vim/git manually)." fi @@ -97,6 +181,18 @@ mkdir -p "$HOME/.local/bin" cp "$SCRIPT_DIR"/bin/* "$HOME/.local/bin/" chmod +x "$HOME"/.local/bin/dt "$HOME"/.local/bin/dtach-router "$HOME"/.local/bin/claude-provider + +# Append the dtach auto-router to ~/.profile once, so each login resumes sessions. +if ! grep -q "Aucune session dtach." "$HOME/.profile" 2>/dev/null; then + cat >> "$HOME/.profile" << 'EOF' + +DT=$(dt ls) +if [ "$DT" != "Aucune session dtach." ]; then + dtach-router +fi +EOF +fi + echo "Done. Restart your shell or run: source ~/.bashrc" echo "If you use zsh, switch to bash to enjoy these settings =)" echo "Note: the deployed bashrc puts ~/.local/bin on PATH — re-login or run: source ~/.bashrc"