Created
October 20, 2025 01:52
usrbinkat created this gist
Oct 20, 2025 .There are no files selected for viewing
@@ -0,0 +1,554 @@ # yaml-language-server: $schema=pulumi-stack-config.schema.json config: compliance: fisma: compliance_level: low enforcement_mode: warn nist: auxiliary: [] exceptions: [] project: ato: authorized: "2025-10-05T00:00:00Z" eol: "2026-10-05T00:00:00Z" id: dev-optiplexprime-001 environment: dev ownership: operations: contacts: [] name: homelab owner: contacts: [] name: homelab production: false environment: dev developer_mode: true debug: true k8s: enable_metadata_injection: false components: namespace: enabled: true namespaces: usrbinkat: protected: false enable_resource_quota: false enable_limit_range: false enable_network_policy: false enable_rbac: false multus: enabled: true spec: deploy_core: false enable_default_attachments: true default_bridge_name: br0 bridge_namespace: usrbinkat bridge_ipam_mode: dhcp protected: false virtual_machine: enabled: true spec: name: usrbinkat-kde running: true namespace: usrbinkat cpu: cores: 2 sockets: 2 threads: 2 dedicated_cpu_placement: false model: host-passthrough resources: memory: 16Gi machine_type: pc-q35-rhel9.6.0 data_volumes: - name: usrbinkat-kde-root storage_class: hostpath-provisioner size: 64Gi access_modes: - ReadWriteOnce source: source_type: registry url: docker://docker.io/containercraft/debian:trixie-dev disks: - name: root-disk boot_order: 1 bus: virtio source_type: dataVolume source_name: usrbinkat-kde-root interfaces: - name: enp1s0 model: virtio boot_order: 2 interface_type: bridge network_name: br0-network-attachment hostname: usrbinkat-kde auto_attach_pod_interface: false firmware: type: uefi secure_boot: false enable_rng: true enable_serial_console: true enable_graphics: true network_multiqueue: true termination_grace_period: 0 cloud_init: use_secret: true network_data: | version: 2 ethernets: enp1s0: dhcp4: false dhcp6: false bridges: br0: interfaces: - enp1s0 dhcp4: true dhcp6: false parameters: stp: false forward-delay: 0 user_data: | #cloud-config hostname: usrbinkat-kde 
manage_etc_hosts: true users: - default - name: usrbinkat gecos: usrbinkat groups: - sudo - docker - ssl-cert - systemd-journal - adm shell: /bin/bash sudo: ['ALL=(ALL) NOPASSWD:ALL'] lock_passwd: false plain_text_passwd: usrbinkat ssh_authorized_keys: - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBatYByJiifh22+XW1bGhwg9FimWMNQ7RNx2rGYGvZXG katmorg@KATMORG-M-2TKW ssh_import_id: - gh:usrbinkat timezone: America/Los_Angeles locale: en_US.UTF-8 package_update: true package_upgrade: true packages: # KDE Plasma 6 Desktop Environment - plasma-workspace - plasma-desktop - kwin-x11 - kde-plasma-desktop # X11 and display server components - xorg - xserver-xorg-core - xserver-xorg-input-all - xserver-xorg-video-dummy - xserver-xorg-legacy - dbus-x11 - x11-xserver-utils # XRDP and remote desktop - xrdp - xorgxrdp # Essential KDE utilities - dolphin - konsole - kate # Development tools - build-essential - git - vim - python3 - python3-pip - python3-venv # System utilities - curl - wget - htop - tmux - tree - fastfetch - net-tools - bridge-utils - software-properties-common - apt-transport-https - ca-certificates - gnupg - lsb-release # Container runtime - docker.io - docker-compose # Virtualization support - qemu-guest-agent - spice-vdagent # Network and security - openssh-server - ufw - rsync - unzip - jq # PolicyKit and system integration - udisks2 - upower write_files: # XRDP configuration script - applied after package installation - path: /usr/local/bin/configure-xrdp.sh permissions: '0755' content: | #!/bin/bash set -e echo "Configuring XRDP for KDE Plasma 6 on Debian Trixie..." 
# Stop services to apply configuration systemctl stop xrdp xrdp-sesman || true # Configure xrdp.ini with Unix socket triggers and KDE cursor fix cat > /etc/xrdp/xrdp.ini << 'EOF' [Globals] ini_version=1 fork=true port=3389 tcp_nodelay=true tcp_keepalive=true security_layer=negotiate crypt_level=high certificate=/etc/xrdp/cert.pem key_file=/etc/xrdp/key.pem ssl_protocols=TLSv1.2, TLSv1.3 autorun=xrdp1 allow_channels=true allow_multimon=true bitmap_cache=true bitmap_compression=true bulk_compression=true max_bpp=32 use_compression=yes new_cursors=false [Logging] LogFile=/var/log/xrdp.log LogLevel=INFO EnableSyslog=true SyslogLevel=INFO [Channels] rdpdr=true rdpsnd=true drdynvc=true cliprdr=true rail=true xrdpvr=true [xrdp1] name=sesman-Xorg lib=libxup.so username=ask password=ask ip=127.0.0.1 port=-1 code=20 EOF # Configure sesman.ini with Unix socket support and critical SessionSockdirGroup cat > /etc/xrdp/sesman.ini << 'EOF' [Globals] ListenPort=sesman.socket EnableUserWindowManager=true UserWindowManager=startwm.sh DefaultWindowManager=/etc/xrdp/startwm.sh ReconnectScript=/etc/xrdp/reconnectwm.sh [Logging] LogFile=/var/log/xrdp-sesman.log LogLevel=INFO EnableSyslog=true SyslogLevel=INFO EnableProcessId=true [Sessions] X11DisplayOffset=10 MaxSessions=50 MaxDisplayNumber=63 KillDisconnected=false DisconnectedTimeLimit=0 IdleTimeLimit=0 Policy=Default [Security] AllowRootLogin=false MaxLoginRetry=3 AlwaysGroupCheck=false SessionSockdirGroup=xrdp RestrictOutboundClipboard=none XorgNoNewPrivileges=true [Xorg] param=/usr/lib/xorg/Xorg param=-auth param=.Xauthority param=-config param=xrdp/xorg.conf param=-noreset param=-nolisten param=tcp param=-logfile param=.xorgxrdp.%s.log EOF # Configure startwm.sh for KDE Plasma 6 cat > /etc/xrdp/startwm.sh << 'EOF' #!/bin/sh # Unset problematic systemd user session variables unset DBUS_SESSION_BUS_ADDRESS unset XDG_RUNTIME_DIR # Load system environment if test -r /etc/profile; then . 
/etc/profile fi # Load user profile if test -r ~/.profile; then . ~/.profile fi # Set locale if test -r /etc/default/locale; then . /etc/default/locale export LANG LANGUAGE fi # Set KDE Plasma environment variables export XDG_SESSION_DESKTOP=KDE export XDG_DATA_DIRS=/usr/share/plasma:/usr/local/share:/usr/share export XDG_CONFIG_DIRS=/etc/xdg/xdg-plasma:/etc/xdg # Start KDE Plasma X11 session with dbus-launch wrapper exec dbus-launch --exit-with-session startplasma-x11 EOF chmod +x /etc/xrdp/startwm.sh # Create user session file for KDE cat > /etc/skel/.xsession << 'EOF' #!/bin/sh exec dbus-launch --exit-with-session startplasma-x11 EOF chmod +x /etc/skel/.xsession # Create user environment file for KDE cat > /etc/skel/.xsessionrc << 'EOF' export XDG_SESSION_DESKTOP=KDE export XDG_DATA_DIRS=/usr/share/plasma:/usr/local/share:/usr/share export XDG_CONFIG_DIRS=/etc/xdg/xdg-plasma:/etc/xdg EOF # Copy to existing user if [ -d /home/usrbinkat ]; then cp /etc/skel/.xsession /home/usrbinkat/.xsession cp /etc/skel/.xsessionrc /home/usrbinkat/.xsessionrc chown usrbinkat:usrbinkat /home/usrbinkat/.xsession /home/usrbinkat/.xsessionrc chmod +x /home/usrbinkat/.xsession fi echo "KDE Plasma 6 XRDP configuration completed successfully" # X wrapper configuration - path: /etc/X11/Xwrapper.config permissions: '0644' content: | allowed_users=anybody needs_root_rights=yes # Polkit configuration to prevent authentication prompts - path: /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla permissions: '0644' content: | [Allow Colord all Users] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile ResultAny=no ResultInactive=no ResultActive=yes # Additional PolicyKit rules for KDE - path: 
/etc/polkit-1/localauthority/50-local.d/xrdp-allow.pkla permissions: '0644' content: | [Allow XRDP Users] Identity=unix-group:sudo Action=* ResultAny=yes ResultInactive=yes ResultActive=yes # Docker daemon configuration - path: /etc/docker/daemon.json permissions: '0644' content: | { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" }, "storage-driver": "overlay2", "live-restore": true, "userland-proxy": false } # Systemd override for XRDP with proper dependencies - path: /etc/systemd/system/xrdp.service.d/override.conf permissions: '0644' content: | [Unit] After=multi-user.target network-online.target xrdp-sesman.service [Service] Restart=on-failure RestartSec=5s StartLimitBurst=5 # Systemd tmpfiles configuration for persistent socket directory - path: /etc/tmpfiles.d/xrdp.conf permissions: '0644' content: | d /run/xrdp 0755 xrdp xrdp - d /run/xrdp/sockdir 3777 root xrdp - runcmd: # Create required directories - mkdir -p /home/usrbinkat/.ssh - mkdir -p /home/usrbinkat/.kube - mkdir -p /home/usrbinkat/.docker - mkdir -p /etc/X11/xrdp - mkdir -p /etc/systemd/system/xrdp.service.d - mkdir -p /etc/polkit-1/localauthority/50-local.d # Set user directory ownership - chown -R usrbinkat:usrbinkat /home/usrbinkat/.ssh - chown -R usrbinkat:usrbinkat /home/usrbinkat/.kube - chown -R usrbinkat:usrbinkat /home/usrbinkat/.docker - chmod 700 /home/usrbinkat/.ssh # Wait for package installation to complete - sleep 10 # Configure XRDP with Unix socket support for KDE Plasma 6 - /usr/local/bin/configure-xrdp.sh # Set up socket directory with proper permissions (3777 with sticky bit) - rm -rf /run/xrdp/sockdir - mkdir -p /run/xrdp/sockdir - chown root:xrdp /run/xrdp/sockdir - chmod 3777 /run/xrdp/sockdir # Apply tmpfiles configuration - systemd-tmpfiles --create /etc/tmpfiles.d/xrdp.conf # Add xrdp user to necessary groups - usermod -a -G ssl-cert xrdp - usermod -a -G xrdp xrdp # Generate TLS certificates for XRDP - openssl req -x509 -newkey rsa:4096 
-sha256 -days 3650 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -subj "/CN=xrdp-kde-server" - chown xrdp:xrdp /etc/xrdp/cert.pem /etc/xrdp/key.pem - chmod 640 /etc/xrdp/key.pem # Reload systemd configuration - systemctl daemon-reload # Enable and start services with --no-block to prevent cloud-init deadlock - systemctl enable xrdp xrdp-sesman --no-block - systemctl start xrdp-sesman --no-block - sleep 2 - systemctl start xrdp --no-block # Configure QEMU guest agent - systemctl enable qemu-guest-agent --no-block - systemctl start qemu-guest-agent --no-block # Configure Docker - systemctl enable docker --no-block - systemctl start docker --no-block - usermod -aG docker usrbinkat # Configure firewall - ufw --force enable - ufw allow 22/tcp - ufw allow 3389/tcp - ufw reload # Set graphical target as default - systemctl set-default graphical.target # Disable unnecessary services for better performance - systemctl disable bluetooth.service || true - systemctl disable cups.service || true - systemctl disable ModemManager.service || true # Reapply configuration to ensure persistence - sleep 5 - /usr/local/bin/configure-xrdp.sh - systemctl restart xrdp-sesman --no-block - systemctl restart xrdp --no-block # Clean up - apt-get autoremove -y - apt-get clean # Log configuration details - | echo "=== KDE Plasma 6 XRDP Configuration Summary ===" | tee -a /var/log/xrdp-setup.log echo "Date: $(date)" | tee -a /var/log/xrdp-setup.log echo "XRDP Version: $(xrdp --version 2>&1 | head -n 1)" | tee -a /var/log/xrdp-setup.log echo "Plasma Version: $(plasmashell --version 2>&1 | head -n 1)" | tee -a /var/log/xrdp-setup.log echo "Socket Directory: /run/xrdp/sockdir" | tee -a /var/log/xrdp-setup.log echo "Configuration: Unix domain socket (port=-1 trigger)" | tee -a /var/log/xrdp-setup.log echo "Desktop Environment: KDE Plasma 6" | tee -a /var/log/xrdp-setup.log echo "Socket Permissions: 3777 (sticky bit set)" | tee -a /var/log/xrdp-setup.log echo "Critical Parameters: 
SessionSockdirGroup=xrdp, new_cursors=false" | tee -a /var/log/xrdp-setup.log ls -la /run/xrdp/sockdir/ 2>/dev/null | tee -a /var/log/xrdp-setup.log groups xrdp | tee -a /var/log/xrdp-setup.log ss -lnp | grep sesman | tee -a /var/log/xrdp-setup.log # Display system info - fastfetch || echo "System information tool not available" final_message: | Debian Trixie 13 with KDE Plasma 6 XRDP deployment completed! System ready in $UPTIME seconds RDP Access: Connect to port 3389 Username: usrbinkat Password: usrbinkat Desktop Environment: KDE Plasma 6.3.6 XRDP Configuration: Unix domain socket mode (port=-1) Cursor Fix: new_cursors=false applied Check logs: /var/log/xrdp-setup.log node_selector: null protected: false components_deployment_order: - namespace - multus - virtual_machine is_enabled: true k8s_config_file_path: /tmp/esc-55171837 k8s_context_name: usrbinkat-optiplexprime
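Review bot: The cloud-init `user_data` in this hunk creates user `usrbinkat` with `plain_text_passwd: usrbinkat` and `lock_passwd: false`, and the `runcmd` section opens that account to RDP with `ufw allow 3389/tcp`, so the 3389 listener is guarded by a password equal to the username, which `final_message` then prints back as `Password: usrbinkat`; with `sudo: ['ALL=(ALL) NOPASSWD:ALL']` on the same user, any successful RDP or SSH login is immediately root. Since xrdp authenticates through PAM a password is still needed, but it should be a `hashed_passwd` whose value is supplied from a secret rather than set inline here (`use_secret: true` only affects how the rendered user_data is stored in the cluster; the literal stays in this stack config), and the `Password:` line should be dropped from `final_message`. The `plasma-workspace`/XRDP `write_files` entry for `/etc/X11/Xwrapper.config` also sets `allowed_users=anybody` and `needs_root_rights=yes`; whether a root-rights Xorg wrapper is actually required when sesman launches Xorg via `xorgxrdp` should be confirmed before shipping, and the `xrdp-allow.pkla` rule with `Identity=unix-group:sudo` / `Action=*` / `ResultAny=yes` is broader than the colord prompt it appears intended to silence.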