Compare commits
2 Commits
262862c1b9...75440741b4

| Author | SHA1 | Date |
|---|---|---|
| | 75440741b4 | |
| | 0bd936bf33 | |
@ -14,3 +14,20 @@ repo (remote git.bchanot.fr) would leak it. Root cause: key inlined in `write_op
Fix: repo copy `bin/claude-provider` reads `${OPENROUTER_API_KEY:?...}` from env; key never in
repo. Verified `git grep sk-or` clean. Status: resolved in repo. ACTION user: revoke old key at
openrouter.ai (compromised — was in plaintext + exposed in chat).

## BLK-003 — xrdp block: `systemctl enable xrdb` typo aborted installer — RESOLVED
2026-06-23. Uncommitted install.sh xrdp block had `sudo systemctl enable xrdb` (typo: `xrdb` = X
resource-DB tool, no such systemd service). Returns non-zero → under `set -euo pipefail` aborts
whole installer. Also `apt-get install xrdp` missing `-y` → hangs non-interactive run. Root cause:
one-letter typo `xrdp`→`xrdb` + missing -y. Fix: idempotent `install_xrdp()` (apt -y, adduser xrdp
ssl-cert, polkit .rules, conditional ufw 3389, enable+restart). shellcheck + bash -n CLEAN.
Status: resolved in repo. Not run live / RDP connection not tested.

## BLK-004 — RDP Win→Linux 0x904/0x7: empty gate creds on g-r-d --system — RESOLVED
2026-06-23. After xrdp dropped for gnome-remote-desktop (Wayland), mstsc fails `0x904 / 0x7`
despite: daemon LISTEN *:3389, ufw inactive, TLS cert readable, service active. Root cause:
`grdctl --system status` → `Username: (empty)` / `Password: (empty)`. System "Remote Login" =
2-layer auth: shared gate creds (`grdctl --system rdp set-credentials`) unlock GDM, then per-user
PAM login at GDM. Empty gate creds → RDP nego refused before GDM → 0x904. Fix: set-credentials,
connect (gate creds → GDM `bchanot`). Connection CONFIRMED live. Automated in install.sh via
ensure_rdp_credentials (prompt, TTY-guarded, idempotent). Supersedes BLK-003 (xrdp). Status: resolved.

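Review bot: BLK-003 is still headed RESOLVED while BLK-004 right below says it supersedes it, and the install.sh hunk in this compare replaces install_xrdp with setup_remote_desktop; retitle BLK-003 as SUPERSEDED (by BLK-004) so nobody re-applies the xrdp recipe on a Wayland-only host. On the BLK-002 context lines, `git grep sk-or` clean only shows the key is out of the checked-out tree, not out of earlier commits already on git.bchanot.fr, so "resolved in repo" should state plainly that revoking the key at openrouter.ai is the actual fix unless history is rewritten and force-pushed.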
@ -12,3 +12,17 @@ Then: install.sh arg dropped → uname OS-detect (Darwin→osx else linux). Dele
Added remote-install.sh curl|bash bootstrap (BDR-004). shellcheck CLEAN. Docs synced.
Committed in 4 atomic commits (chore claude / refactor install / feat remote-install / docs).
Slip: staged deletion swept into commit 1; fixed via soft-reset + restore --staged. Unpushed.

## 2026-06-23 — xrdp install fix
Added/fixed xrdp in install.sh. Found uncommitted block: `enable xrdb` typo (aborts set -e
installer, BLK-003) + `apt-get install xrdp` no -y. Built idempotent install_xrdp() — ssl-cert group
+ polkit .rules (verified polkit 127) + conditional ufw 3389 + enable/restart (LRN-003). Also fixed
adjacent: code-server@"$USER" quoting, broken .profile dtach block (invalid `[ ! grep ]` test +
heredoc unterminated indented EOF). shellcheck + bash -n CLEAN. Not run live / RDP untested.

## 2026-06-23 — RDP pivot xrdp → gnome-remote-desktop
xrdp abandoned (Wayland-only GNOME kills Xorg session). Replaced install_xrdp → setup_remote_desktop
(g-r-d system Remote Login): TLS cert + rdp enable + service. Live debug mstsc 0x904/0x7 = gate creds
empty (BLK-004); 2-layer auth gate→GDM PAM (LRN-004). Added ensure_rdp_credentials (prompt, TTY-guard,
idempotent). Connection CONFIRMED live. install.sh committed 0bd936b (bash -n + shellcheck CLEAN);
push blocked here (HTTPS remote, no creds in env) → user pushes. TPM GKeyFile-fallback warn harmless.

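Review bot: the context entry records a curl|bash bootstrap (remote-install.sh, BDR-004) without saying which ref it fetches or whether the fetched script is checked before it runs; log the pinned tag or commit and the expected checksum (or that the user is expected to read the script first) so the bootstrap gets the same "verified, never in repo" treatment this changelog gives the API key. In the pivot entry, "push blocked here (HTTPS remote, no creds in env) → user pushes" is the right call; worth adding that the gate credentials entered through ensure_rdp_credentials are likewise not to be placed in the environment for that push.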
@ -11,3 +11,21 @@ dir exists" on second run. Apply to any provisioning script.
2026-05-27. molokai colorscheme committed in `vim/colors/` AND cloned to /tmp then copied.
`cp -rupv vim/* ~/.vim/` already deploys it. Dropped the clone. Lesson: check what tracked
files already cover before adding external fetch.

## LRN-003 — GNOME + xrdp working recipe (Ubuntu)
2026-06-23. `apt install xrdp` alone = black screen + auth popups. Need: `adduser xrdp ssl-cert`
(xrdp reads TLS key, else black screen on login); polkit rule allowing `org.freedesktop.color-manager.*`
(else recurring "Authentication required to create a color managed device" popups). Polkit format
version-gated: v>=0.106 → `/etc/polkit-1/rules.d/*.rules` (JS); older → `.pkla`. Verified live polkit
127 → `.rules` only (`.pkla` backend dropped). Open RDP 3389 only if firewall active. Restart xrdp
after group add so daemon reloads ssl-cert membership.

## LRN-004 — gnome-remote-desktop --system: remote desktop on Wayland-only GNOME
2026-06-23. xrdp does NOT work on Wayland-only GNOME (Shell asserts XDG_SESSION_TYPE=wayland, Xorg
backend dies instantly on login) → LRN-003 xrdp recipe N/A on such hosts. Use g-r-d system "Remote
Login": self-signed TLS cert via `grdctl --system rdp set-tls-cert/set-tls-key`, `rdp enable`,
enable+start `gnome-remote-desktop.service`. Auth = 2 layers: shared gate creds via `set-credentials`
(unlock GDM) THEN per-user PAM login. Gate creds REQUIRED — empty → mstsc 0x904/0x7 (BLK-004).
Listening socket + TLS + enable NOT enough alone. TPM warn `Init TPM credentials failed ... using
GKeyFile as fallback` = harmless on TPM-less host (creds → keyfile). Connect: client → ip:3389,
accept self-signed cert, gate creds, then GDM user. Supersedes LRN-003 for Wayland GNOME.

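Review bot: LRN-004's connect steps say "accept self-signed cert", which trains users to click through the first-connect prompt with nothing to compare it against; record the SHA-256 fingerprint of /etc/gnome-remote-desktop/rdp-tls.crt at install time (`openssl x509 -noout -fingerprint -sha256 -in <cert>`) and put it in the lesson so the mstsc warning can be checked rather than accepted blind. Same entry, "creds → keyfile" on a TPM-less host means the shared gate credentials are held in a plaintext keyfile on disk; note where that file lives and which users can read it, because that file alone yields the first authentication layer, and "harmless" should be qualified to "harmless for the daemon, not for the secret".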
98 install.sh
@ -27,6 +27,81 @@ install_docker() {
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
}

# RDP "gate" credentials: a shared username/password that unlocks the GDM
# login screen (each user then logs into GDM with his own account). Required —
# without it the RDP server rejects every connection (mstsc error 0x904). It is
# a secret, so never stored in this repo: prompted interactively when a terminal
# is attached, otherwise the user is told to set it himself. Idempotent: skipped
# when already configured.
ensure_rdp_credentials() {
local hint="set later: sudo grdctl --system rdp set-credentials"

# A non-empty Username means credentials are already configured — nothing to do.
if ! sudo grdctl --system status 2>/dev/null | grep -q 'Username: (empty)'; then
return 0
fi

if [ ! -t 0 ]; then
echo "RDP gate credentials not set ($hint)" >&2
return 0
fi

local rdp_user="" rdp_pass=""
read -rp "RDP gate username: " rdp_user || true
read -rsp "RDP gate password: " rdp_pass || true
echo
if [ -z "$rdp_user" ] || [ -z "$rdp_pass" ]; then
echo "No credentials entered — $hint" >&2
return 0
fi
sudo grdctl --system rdp set-credentials "$rdp_user" "$rdp_pass"
}

# Remote desktop via gnome-remote-desktop (GNOME's native, Wayland-compatible RDP).
# Mode: system "Remote Login". Two-layer auth: the RDP client first authenticates
# with shared "gate" credentials (set via ensure_rdp_credentials), then the user logs
# into GDM with his own Linux account and a fresh GNOME session starts. xrdp does NOT
# work on this GNOME: it is Wayland-only (GNOME Shell asserts XDG_SESSION_TYPE=wayland,
# which xrdp's Xorg backend cannot satisfy, so the session dies the instant you log in).
# Debian/Ubuntu only. Idempotent.
setup_remote_desktop() {
local cert="/etc/gnome-remote-desktop/rdp-tls.crt"
local key="/etc/gnome-remote-desktop/rdp-tls.key"

# xrdp and gnome-remote-desktop both bind port 3389 — disable xrdp if present.
if systemctl list-unit-files 2>/dev/null | grep -q '^xrdp\.service'; then
sudo systemctl disable --now xrdp xrdp-sesman 2>/dev/null || true
fi

sudo apt-get install -y gnome-remote-desktop openssl

# Self-signed TLS cert for the RDP server, generated once so the fingerprint stays
# stable across re-runs (clients accept it on first connect).
if [ ! -f "$cert" ]; then
sudo install -d -m 0755 /etc/gnome-remote-desktop
sudo openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
-subj "/CN=$(hostname)" -out "$cert" -keyout "$key"
sudo chown gnome-remote-desktop:gnome-remote-desktop "$cert" "$key"
sudo chmod 640 "$key"
fi

# Point the system (remote-login) RDP daemon at the cert and turn it on.
sudo grdctl --system rdp set-tls-cert "$cert"
sudo grdctl --system rdp set-tls-key "$key"
sudo grdctl --system rdp enable

# Gate credentials: prompted at install, never hardcoded.
ensure_rdp_credentials

# Open the RDP port only when a firewall is already active — never force ufw on.
if command -v ufw >/dev/null 2>&1 && sudo ufw status 2>/dev/null | grep -q "Status: active"; then
sudo ufw allow 3389/tcp
fi

sudo systemctl enable gnome-remote-desktop.service
sudo systemctl restart gnome-remote-desktop.service
}

# System packages: Debian/Ubuntu only. Skipped where apt-get is absent (e.g. macOS).
if command -v apt-get >/dev/null 2>&1; then
sudo apt-get update

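Review bot: in ensure_rdp_credentials the password collected with `read -rsp` is handed over as a command-line argument in `sudo grdctl --system rdp set-credentials "$rdp_user" "$rdp_pass"`, so it is readable in `ps` / `/proc/*/cmdline` by every local user for the duration of the call and, because the call goes through sudo, is written verbatim into sudo's auth log / journal on default configurations; state that in the function header at minimum, and check whether grdctl prompts for the password itself when the argument is omitted so it never touches argv. Second point, the idempotence check `if ! sudo grdctl --system status 2>/dev/null | grep -q 'Username: (empty)'` treats any grdctl failure (binary missing, status output format changed) as "already configured" and returns 0 silently, which is exactly the BLK-004 failure mode this function exists to prevent; capture the status output into a variable first and fail loudly when it is empty. The chmod 640 on the key and the "only open 3389 if ufw is already active" guard are good.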
@ -39,10 +114,19 @@ if command -v apt-get >/dev/null 2>&1; then
unzip tree tmux fzf dtach net-tools \
openssh-server cifs-utils lftp ftp \
nodejs python3-pip pipx php-cli \
ffmpeg wkhtmltopdf poppler-utils qpdf webp libavif-bin
ffmpeg weasyprint poppler-utils qpdf webp libavif-bin

# Docker (separate repo).
install_docker

# code-server (VS Code in the browser) — skip the download if already installed.
if ! command -v code-server >/dev/null 2>&1; then
curl -fsSL https://code-server.dev/install.sh | sh
fi
sudo systemctl enable --now "code-server@$USER"

# Remote desktop (gnome-remote-desktop — see the function header for why not xrdp).
setup_remote_desktop
else
echo "apt-get not found — skipping system packages (install vim/git manually)."
fi

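Review bot: `curl -fsSL https://code-server.dev/install.sh | sh` executes an unpinned remote script with nothing verified (`-f` only stops an HTTP error page from being run), and it runs as the invoking user who also has passwordless sudo for the rest of this script; download to a temp file, compare against a pinned release checksum or review it, then run it, the same concern that applies to the repo's own remote-install.sh curl|bash bootstrap. Also `sudo systemctl enable --now "code-server@$USER"` starts the service with whatever bind address and auth mode its default config gives it, and nothing in this hunk sets either; note where that is configured so a reviewer can confirm it is not listening on all interfaces. Minor: the wkhtmltopdf → weasyprint swap in the package list is not mentioned in the changelog hunk above ("Docs synced").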
@ -97,6 +181,18 @@ mkdir -p "$HOME/.local/bin"
cp "$SCRIPT_DIR"/bin/* "$HOME/.local/bin/"
chmod +x "$HOME"/.local/bin/dt "$HOME"/.local/bin/dtach-router "$HOME"/.local/bin/claude-provider


# Append the dtach auto-router to ~/.profile once, so each login resumes sessions.
if ! grep -q "Aucune session dtach." "$HOME/.profile" 2>/dev/null; then
cat >> "$HOME/.profile" << 'EOF'

DT=$(dt ls)
if [ "$DT" != "Aucune session dtach." ]; then
dtach-router
fi
EOF
fi

echo "Done. Restart your shell or run: source ~/.bashrc"
echo "If you use zsh, switch to bash to enjoy these settings =)"
echo "Note: the deployed bashrc puts ~/.local/bin on PATH — re-login or run: source ~/.bashrc"
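Review bot: the appended .profile block runs `DT=$(dt ls)` and `dtach-router` unguarded, but per the final echo it is the deployed bashrc that puts ~/.local/bin on PATH, so on any login where this block is evaluated before that PATH entry exists `dt` is not found, `$DT` is empty, the `!=` test is true and `dtach-router` is called and fails at every login; wrap the block in `if command -v dt >/dev/null 2>&1; then … fi`. Using dt's French output string "Aucune session dtach." both as the `grep -q` idempotence marker and as the comparison value ties the block to that exact message; a fixed comment line such as `# dtach-router (install.sh)` is a sturdier grep key. The quoted 'EOF' heredoc is correct: the `$(dt ls)` is not expanded at install time.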