VDI Kubevirt Infrastructure
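# yaml-language-server: $schema=pulumi-stack-config.schema.json
# Pulumi stack config for a KubeVirt-hosted KDE Plasma 6 VDI guest (dev/homelab).
# NOTE(review): the published paste had every line flush-left; the nesting below
# is reconstructed from key order and should be validated against
# pulumi-stack-config.schema.json before it is relied on.
config:
  compliance:
    fisma:
      compliance_level: low
      # warn = compliance findings are reported but never block a deployment
      enforcement_mode: warn
    nist:
      auxiliary: []
      exceptions: []
    project:
      ato:
        authorized: "2025-10-05T00:00:00Z"
        eol: "2026-10-05T00:00:00Z"
        id: dev-optiplexprime-001
      environment: dev
      ownership:
        operations:
          contacts: []
          name: homelab
        owner:
          contacts: []
          name: homelab
      production: false
  environment: dev
  developer_mode: true
  debug: true
  k8s:
    enable_metadata_injection: false
    components:
      namespace:
        enabled: true
        namespaces:
          usrbinkat:
            protected: false
            # Every namespace guardrail is off: no ResourceQuota, LimitRange,
            # NetworkPolicy or RBAC is generated for this namespace, so the VM
            # pod is isolated only by whatever the cluster already enforces.
            enable_resource_quota: false
            enable_limit_range: false
            enable_network_policy: false
            enable_rbac: false
      multus:
        enabled: true
        spec:
          deploy_core: false
          enable_default_attachments: true
          # The guest is bridged straight onto br0 and takes a DHCP lease, i.e.
          # it is a first-class host on that L2 segment. The only filter in front
          # of its SSH/RDP listeners is the guest's own ufw rules (runcmd below).
          default_bridge_name: br0
          bridge_namespace: usrbinkat
          bridge_ipam_mode: dhcp
        protected: false
      virtual_machine:
        enabled: true
        spec:
          name: usrbinkat-kde
          running: true
          namespace: usrbinkat
          cpu:
            cores: 2
            sockets: 2
            threads: 2
            dedicated_cpu_placement: false
            # host-passthrough exposes the host CPU model and feature flags to the guest
            model: host-passthrough
          resources:
            memory: 16Gi
          machine_type: pc-q35-rhel9.6.0
          data_volumes:
            - name: usrbinkat-kde-root
              storage_class: hostpath-provisioner
              size: 64Gi
              access_modes:
                - ReadWriteOnce
              source:
                source_type: registry
                # Mutable tag with no digest: the root disk is whatever docker.io
                # serves at import time. Pin by @sha256:... for a reproducible,
                # verifiable image.
                url: docker://docker.io/containercraft/debian:trixie-dev
          disks:
            - name: root-disk
              boot_order: 1
              bus: virtio
              source_type: dataVolume
              source_name: usrbinkat-kde-root
          interfaces:
            - name: enp1s0
              model: virtio
              boot_order: 2
              interface_type: bridge
              network_name: br0-network-attachment
          hostname: usrbinkat-kde
          auto_attach_pod_interface: false
          firmware:
            type: uefi
            # UEFI without Secure Boot: the boot chain is neither verified nor measured.
            secure_boot: false
          enable_rng: true
          # The serial console is captured by virt-launcher; everything cloud-init
          # prints there (including final_message) ends up in that log.
          enable_serial_console: true
          enable_graphics: true
          network_multiqueue: true
          termination_grace_period: 0
          cloud_init:
            # use_secret stores the user-data in a Secret instead of inline in the
            # VMI spec; it does not protect anything that is committed in this file.
            use_secret: true
            network_data: |
              version: 2
              ethernets:
                enp1s0:
                  dhcp4: false
                  dhcp6: false
              bridges:
                br0:
                  interfaces:
                    - enp1s0
                  dhcp4: true
                  dhcp6: false
                  parameters:
                    stp: false
                    forward-delay: 0
            user_data: |
              #cloud-config
              hostname: usrbinkat-kde
              manage_etc_hosts: true
              # SSH keys are provisioned below, so sshd does not need password
              # logins. This stops the desktop password (which xrdp/PAM needs)
              # from also being a valid SSH credential on the bridged LAN.
              ssh_pwauth: false
              users:
                # `default` additionally creates the image's distro default user
                # (with that image's sudo rules); drop it if usrbinkat should be
                # the only interactive account.
                - default
                - name: usrbinkat
                  gecos: usrbinkat
                  groups:
                    - sudo
                    # docker membership is root-equivalent, as is NOPASSWD sudo below
                    - docker
                    # ssl-cert grants read access to /etc/ssl/private
                    - ssl-cert
                    - systemd-journal
                    - adm
                  shell: /bin/bash
                  sudo: ['ALL=(ALL) NOPASSWD:ALL']
                  lock_passwd: false
                  # TODO(security): password == username, in clear text, in a
                  # committed file. xrdp needs *a* password for the PAM login, but
                  # it should be supplied as hashed_passwd (mkpasswd -m sha-512)
                  # sourced from a secret, not hard-coded here.
                  plain_text_passwd: usrbinkat
                  ssh_authorized_keys:
                    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBatYByJiifh22+XW1bGhwg9FimWMNQ7RNx2rGYGvZXG katmorg@KATMORG-M-2TKW
                  # Imports every public key on the GitHub account at first boot;
                  # compromise of that account is shell access to this VM.
                  ssh_import_id:
                    - gh:usrbinkat
              timezone: America/Los_Angeles
              locale: en_US.UTF-8
              package_update: true
              package_upgrade: true
              packages:
                # KDE Plasma 6 Desktop Environment
                - plasma-workspace
                - plasma-desktop
                - kwin-x11
                - kde-plasma-desktop
                # X11 and display server components
                - xorg
                - xserver-xorg-core
                - xserver-xorg-input-all
                - xserver-xorg-video-dummy
                - xserver-xorg-legacy
                - dbus-x11
                - x11-xserver-utils
                # XRDP and remote desktop
                - xrdp
                - xorgxrdp
                # Essential KDE utilities
                - dolphin
                - konsole
                - kate
                # Development tools
                - build-essential
                - git
                - vim
                - python3
                - python3-pip
                - python3-venv
                # System utilities
                - curl
                - wget
                - htop
                - tmux
                - tree
                - fastfetch
                - net-tools
                - bridge-utils
                - software-properties-common
                - apt-transport-https
                - ca-certificates
                - gnupg
                - lsb-release
                # Container runtime
                - docker.io
                - docker-compose
                # Virtualization support
                - qemu-guest-agent
                - spice-vdagent
                # Network and security
                - openssh-server
                - ufw
                - rsync
                - unzip
                - jq
                # PolicyKit and system integration
                - udisks2
                - upower
              write_files:
                # XRDP configuration script - applied after package installation
                - path: /usr/local/bin/configure-xrdp.sh
                  permissions: '0755'
                  content: |
                    #!/bin/bash
                    set -e
                    echo "Configuring XRDP for KDE Plasma 6 on Debian Trixie..."
                    # Stop services to apply configuration
                    systemctl stop xrdp xrdp-sesman || true
                    # Configure xrdp.ini with Unix socket triggers and KDE cursor fix
                    cat > /etc/xrdp/xrdp.ini << 'EOF'
                    [Globals]
                    ini_version=1
                    fork=true
                    port=3389
                    tcp_nodelay=true
                    tcp_keepalive=true
                    # tls (was: negotiate) - refuse clients that would fall back to
                    # legacy RDP security with no TLS. Revert to negotiate only if a
                    # client that cannot speak TLS 1.2+ genuinely has to connect.
                    security_layer=tls
                    crypt_level=high
                    certificate=/etc/xrdp/cert.pem
                    key_file=/etc/xrdp/key.pem
                    ssl_protocols=TLSv1.2, TLSv1.3
                    autorun=xrdp1
                    allow_channels=true
                    allow_multimon=true
                    bitmap_cache=true
                    bitmap_compression=true
                    bulk_compression=true
                    max_bpp=32
                    use_compression=yes
                    new_cursors=false
                    [Logging]
                    LogFile=/var/log/xrdp.log
                    LogLevel=INFO
                    EnableSyslog=true
                    SyslogLevel=INFO
                    # All virtual channels (drive redirection, sound, clipboard,
                    # RemoteApp) are enabled; rdpdr in particular lets a connecting
                    # client mount its local drives inside the VDI session.
                    [Channels]
                    rdpdr=true
                    rdpsnd=true
                    drdynvc=true
                    cliprdr=true
                    rail=true
                    xrdpvr=true
                    [xrdp1]
                    name=sesman-Xorg
                    lib=libxup.so
                    username=ask
                    password=ask
                    ip=127.0.0.1
                    port=-1
                    code=20
                    EOF
                    # Configure sesman.ini with Unix socket support and critical SessionSockdirGroup
                    cat > /etc/xrdp/sesman.ini << 'EOF'
                    [Globals]
                    ListenPort=sesman.socket
                    EnableUserWindowManager=true
                    UserWindowManager=startwm.sh
                    DefaultWindowManager=/etc/xrdp/startwm.sh
                    ReconnectScript=/etc/xrdp/reconnectwm.sh
                    [Logging]
                    LogFile=/var/log/xrdp-sesman.log
                    LogLevel=INFO
                    EnableSyslog=true
                    SyslogLevel=INFO
                    EnableProcessId=true
                    [Sessions]
                    X11DisplayOffset=10
                    MaxSessions=50
                    MaxDisplayNumber=63
                    # Disconnected and idle sessions are never reaped (0 = unlimited),
                    # so an abandoned desktop keeps running, logged in, indefinitely.
                    KillDisconnected=false
                    DisconnectedTimeLimit=0
                    IdleTimeLimit=0
                    Policy=Default
                    [Security]
                    AllowRootLogin=false
                    MaxLoginRetry=3
                    # AlwaysGroupCheck=false with no TerminalServerUsers group means
                    # any local account with a password may open an RDP session.
                    AlwaysGroupCheck=false
                    SessionSockdirGroup=xrdp
                    # none = clipboard contents can leave the VM to any client
                    RestrictOutboundClipboard=none
                    XorgNoNewPrivileges=true
                    [Xorg]
                    param=/usr/lib/xorg/Xorg
                    param=-auth
                    param=.Xauthority
                    param=-config
                    param=xrdp/xorg.conf
                    param=-noreset
                    param=-nolisten
                    param=tcp
                    param=-logfile
                    param=.xorgxrdp.%s.log
                    EOF
                    # Configure startwm.sh for KDE Plasma 6
                    cat > /etc/xrdp/startwm.sh << 'EOF'
                    #!/bin/sh
                    # Unset problematic systemd user session variables
                    unset DBUS_SESSION_BUS_ADDRESS
                    unset XDG_RUNTIME_DIR
                    # Load system environment
                    if test -r /etc/profile; then
                    . /etc/profile
                    fi
                    # Load user profile
                    if test -r ~/.profile; then
                    . ~/.profile
                    fi
                    # Set locale
                    if test -r /etc/default/locale; then
                    . /etc/default/locale
                    export LANG LANGUAGE
                    fi
                    # Set KDE Plasma environment variables
                    export XDG_SESSION_DESKTOP=KDE
                    export XDG_DATA_DIRS=/usr/share/plasma:/usr/local/share:/usr/share
                    export XDG_CONFIG_DIRS=/etc/xdg/xdg-plasma:/etc/xdg
                    # Start KDE Plasma X11 session with dbus-launch wrapper
                    exec dbus-launch --exit-with-session startplasma-x11
                    EOF
                    chmod +x /etc/xrdp/startwm.sh
                    # Create user session file for KDE
                    cat > /etc/skel/.xsession << 'EOF'
                    #!/bin/sh
                    exec dbus-launch --exit-with-session startplasma-x11
                    EOF
                    chmod +x /etc/skel/.xsession
                    # Create user environment file for KDE
                    cat > /etc/skel/.xsessionrc << 'EOF'
                    export XDG_SESSION_DESKTOP=KDE
                    export XDG_DATA_DIRS=/usr/share/plasma:/usr/local/share:/usr/share
                    export XDG_CONFIG_DIRS=/etc/xdg/xdg-plasma:/etc/xdg
                    EOF
                    # Copy to existing user
                    if [ -d /home/usrbinkat ]; then
                    cp /etc/skel/.xsession /home/usrbinkat/.xsession
                    cp /etc/skel/.xsessionrc /home/usrbinkat/.xsessionrc
                    chown usrbinkat:usrbinkat /home/usrbinkat/.xsession /home/usrbinkat/.xsessionrc
                    chmod +x /home/usrbinkat/.xsession
                    fi
                    echo "KDE Plasma 6 XRDP configuration completed successfully"
                # X wrapper configuration
                # Any local user may start Xorg and it runs setuid root. sesman
                # launches Xorg as the login user, away from a console, which is
                # presumably why this is needed; it still widens the attack surface
                # of every local account. Worth confirming auto/console does not suffice.
                - path: /etc/X11/Xwrapper.config
                  permissions: '0644'
                  content: |
                    allowed_users=anybody
                    needs_root_rights=yes
                # Polkit configuration to prevent authentication prompts
                # NOTE(review): .pkla files are the legacy localauthority format;
                # on current Debian they are only honoured when the polkitd-pkla
                # compatibility package is present - confirm it is installed, or
                # port these to a .rules file under /etc/polkit-1/rules.d.
                - path: /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla
                  permissions: '0644'
                  content: |
                    [Allow Colord all Users]
                    Identity=unix-user:*
                    Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
                    ResultAny=no
                    ResultInactive=no
                    ResultActive=yes
                # Additional PolicyKit rules for KDE
                # Action=* with ResultAny/ResultInactive=yes is blanket, prompt-free
                # polkit authorization for the sudo group from any session state
                # (including remote/inactive ones). It adds little beyond the
                # NOPASSWD sudo already granted, but narrow it to the actions the
                # desktop actually needs (power, udisks2, network) once identified.
                - path: /etc/polkit-1/localauthority/50-local.d/xrdp-allow.pkla
                  permissions: '0644'
                  content: |
                    [Allow XRDP Users]
                    Identity=unix-group:sudo
                    Action=*
                    ResultAny=yes
                    ResultInactive=yes
                    ResultActive=yes
                # Docker daemon configuration (JSON: no comments allowed inside)
                - path: /etc/docker/daemon.json
                  permissions: '0644'
                  content: |
                    {
                    "log-driver": "json-file",
                    "log-opts": {
                    "max-size": "10m",
                    "max-file": "3"
                    },
                    "storage-driver": "overlay2",
                    "live-restore": true,
                    "userland-proxy": false
                    }
                # Systemd override for XRDP with proper dependencies
                - path: /etc/systemd/system/xrdp.service.d/override.conf
                  permissions: '0644'
                  content: |
                    [Unit]
                    After=multi-user.target network-online.target xrdp-sesman.service
                    [Service]
                    Restart=on-failure
                    RestartSec=5s
                    StartLimitBurst=5
                # Systemd tmpfiles configuration for persistent socket directory
                - path: /etc/tmpfiles.d/xrdp.conf
                  permissions: '0644'
                  content: |
                    d /run/xrdp 0755 xrdp xrdp -
                    # 3777 = world-writable with setgid+sticky: every local user can
                    # create their per-session socket here, sticky stops them from
                    # removing each other's. Sockets themselves must still be 0600.
                    d /run/xrdp/sockdir 3777 root xrdp -
              runcmd:
                # Create required directories
                - mkdir -p /home/usrbinkat/.ssh
                - mkdir -p /home/usrbinkat/.kube
                - mkdir -p /home/usrbinkat/.docker
                - mkdir -p /etc/X11/xrdp
                - mkdir -p /etc/systemd/system/xrdp.service.d
                - mkdir -p /etc/polkit-1/localauthority/50-local.d
                # Set user directory ownership
                - chown -R usrbinkat:usrbinkat /home/usrbinkat/.ssh
                - chown -R usrbinkat:usrbinkat /home/usrbinkat/.kube
                - chown -R usrbinkat:usrbinkat /home/usrbinkat/.docker
                - chmod 700 /home/usrbinkat/.ssh
                # Wait for package installation to complete
                - sleep 10
                # Configure XRDP with Unix socket support for KDE Plasma 6
                - /usr/local/bin/configure-xrdp.sh
                # Set up socket directory with proper permissions (3777 with sticky bit)
                - rm -rf /run/xrdp/sockdir
                - mkdir -p /run/xrdp/sockdir
                - chown root:xrdp /run/xrdp/sockdir
                - chmod 3777 /run/xrdp/sockdir
                # Apply tmpfiles configuration
                - systemd-tmpfiles --create /etc/tmpfiles.d/xrdp.conf
                # Add xrdp user to necessary groups
                # ssl-cert is only needed to read /etc/ssl/private; the xrdp key is
                # generated under /etc/xrdp below, so this grant looks unnecessary.
                - usermod -a -G ssl-cert xrdp
                - usermod -a -G xrdp xrdp
                # Generate TLS certificates for XRDP
                # Self-signed, 10-year, CN does not match the hostname: clients will
                # warn on every connect and cannot pin anything meaningful. Fine for
                # a lab; issue from an internal CA for anything shared.
                - openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -subj "/CN=xrdp-kde-server"
                - chown xrdp:xrdp /etc/xrdp/cert.pem /etc/xrdp/key.pem
                - chmod 640 /etc/xrdp/key.pem
                # Reload systemd configuration
                - systemctl daemon-reload
                # Enable and start services with --no-block to prevent cloud-init deadlock
                - systemctl enable xrdp xrdp-sesman --no-block
                - systemctl start xrdp-sesman --no-block
                - sleep 2
                - systemctl start xrdp --no-block
                # Configure QEMU guest agent
                - systemctl enable qemu-guest-agent --no-block
                - systemctl start qemu-guest-agent --no-block
                # Configure Docker
                - systemctl enable docker --no-block
                - systemctl start docker --no-block
                - usermod -aG docker usrbinkat
                # Configure firewall
                # Both listeners are opened to any source on the bridged LAN. Prefer
                # `ufw allow from <lan-cidr> to any port 3389 proto tcp` (and the
                # same for 22) once the management subnet is known.
                - ufw --force enable
                - ufw allow 22/tcp
                - ufw allow 3389/tcp
                - ufw reload
                # Set graphical target as default
                - systemctl set-default graphical.target
                # Disable unnecessary services for better performance
                - systemctl disable bluetooth.service || true
                - systemctl disable cups.service || true
                - systemctl disable ModemManager.service || true
                # Reapply configuration to ensure persistence
                - sleep 5
                - /usr/local/bin/configure-xrdp.sh
                - systemctl restart xrdp-sesman --no-block
                - systemctl restart xrdp --no-block
                # Clean up
                - apt-get autoremove -y
                - apt-get clean
                # Log configuration details
                - |
                  echo "=== KDE Plasma 6 XRDP Configuration Summary ===" | tee -a /var/log/xrdp-setup.log
                  echo "Date: $(date)" | tee -a /var/log/xrdp-setup.log
                  echo "XRDP Version: $(xrdp --version 2>&1 | head -n 1)" | tee -a /var/log/xrdp-setup.log
                  echo "Plasma Version: $(plasmashell --version 2>&1 | head -n 1)" | tee -a /var/log/xrdp-setup.log
                  echo "Socket Directory: /run/xrdp/sockdir" | tee -a /var/log/xrdp-setup.log
                  echo "Configuration: Unix domain socket (port=-1 trigger)" | tee -a /var/log/xrdp-setup.log
                  echo "Desktop Environment: KDE Plasma 6" | tee -a /var/log/xrdp-setup.log
                  echo "Socket Permissions: 3777 (sticky bit set)" | tee -a /var/log/xrdp-setup.log
                  echo "Critical Parameters: SessionSockdirGroup=xrdp, new_cursors=false" | tee -a /var/log/xrdp-setup.log
                  ls -la /run/xrdp/sockdir/ 2>/dev/null | tee -a /var/log/xrdp-setup.log
                  groups xrdp | tee -a /var/log/xrdp-setup.log
                  ss -lnp | grep sesman | tee -a /var/log/xrdp-setup.log
                # Display system info
                - fastfetch || echo "System information tool not available"
              # final_message is written to the (captured) serial console, so the
              # login password is deliberately no longer echoed here.
              final_message: |
                Debian Trixie 13 with KDE Plasma 6 XRDP deployment completed!
                System ready in $UPTIME seconds
                RDP Access: Connect to port 3389
                Username: usrbinkat
                Password: as set in the cloud-config users section (not logged)
                Desktop Environment: KDE Plasma 6.3.6
                XRDP Configuration: Unix domain socket mode (port=-1)
                Cursor Fix: new_cursors=false applied
                Check logs: /var/log/xrdp-setup.log
          node_selector: null
        protected: false
    components_deployment_order:
      - namespace
      - multus
      - virtual_machine
    is_enabled: true
    # Looks like an ESC-materialised kubeconfig in /tmp: ephemeral and specific
    # to the workstation that ran the deploy, so this stack will not apply from
    # anywhere else unless the path is regenerated.
    k8s_config_file_path: /tmp/esc-55171837
    k8s_context_name: usrbinkat-optiplexprime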