authorheqnx <root@heqnx.com>2025-05-26 08:54:15 +0300
committerheqnx <root@heqnx.com>2025-05-26 08:54:15 +0300
commitb702fe9f7f8bf423f753ae89b9617aab2372c05e (patch)
tree09f1237b282709ef51e741a74b21005447e061d6 /roles
parent08134048cb9a85508042cabd9aa3a39849eca2be (diff)
added xrdp, added example configs, removing main ones
Diffstat (limited to 'roles')
-rw-r--r--roles/xrdp/defaults/main.yaml1
-rw-r--r--roles/xrdp/files/logo.bmpbin0 -> 58 bytes
-rw-r--r--roles/xrdp/files/xrdp_polkit.rules31
-rw-r--r--roles/xrdp/tasks/main.yaml69
-rw-r--r--roles/xrdp/templates/xrdp.ini.j287
5 files changed, 188 insertions, 0 deletions
diff --git a/roles/xrdp/defaults/main.yaml b/roles/xrdp/defaults/main.yaml
new file mode 100644
index 0000000..bb60448
--- /dev/null
+++ b/roles/xrdp/defaults/main.yaml
@@ -0,0 +1 @@
+xrdp_listen_local: false
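Review bot: The default of `false` makes a fresh deployment bind xrdp to every interface, because the template's `port=` line only selects the loopback form `tcp://.:3389` when this variable is true. A role that installs a remote-login service is safer shipping `xrdp_listen_local: true` and letting inventories opt in to network exposure, typically behind SSH forwarding, a VPN or a firewall rule. A one-line comment above the variable would also help, e.g. `# true: loopback only (tcp://.:3389); false: all interfaces (tcp://:3389)`.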
diff --git a/roles/xrdp/files/logo.bmp b/roles/xrdp/files/logo.bmp
new file mode 100644
index 0000000..b26c0eb
--- /dev/null
+++ b/roles/xrdp/files/logo.bmp
Binary files differ
diff --git a/roles/xrdp/files/xrdp_polkit.rules b/roles/xrdp/files/xrdp_polkit.rules
new file mode 100644
index 0000000..c1fecde
--- /dev/null
+++ b/roles/xrdp/files/xrdp_polkit.rules
@@ -0,0 +1,31 @@
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ (action.id == "org.freedesktop.color-manager.create-device" ||
+ action.id == "org.freedesktop.color-manager.create-profile" ||
+ action.id == "org.freedesktop.color-manager.delete-device" ||
+ action.id == "org.freedesktop.color-manager.delete-profile" ||
+ action.id == "org.freedesktop.color-manager.modify-device" ||
+ action.id == "org.freedesktop.color-manager.modify-profile" ||
+ action.id == "org.debian.apt.update-cache")) {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ (action.id == "org.freedesktop.NetworkManager.settings.modify.system" ||
+ action.id == "org.freedesktop.NetworkManager.network-control")) {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ action.id.match(/^org\.freedesktop\.login1\.(reboot|power-off|suspend)/)) {
+ if (subject.active) {
+ return polkit.Result.YES;
+ } else {
+ return polkit.Result.NO;
+ }
+ }
+});
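Review bot: The second rule returns `polkit.Result.YES` for `org.freedesktop.NetworkManager.settings.modify.system` and `network-control` to every non-root subject, with no group or session check, so any account on the host (service accounts included) can change system network configuration without authenticating. Consider gating all three rules on membership and session state, e.g. `subject.isInGroup("<rdp-users-group>") && subject.active` (the group name is a placeholder), and returning nothing otherwise so the default policy still applies. In the third rule the pattern has no `$`, so it also matches the `-multiple-sessions` and `-ignore-inhibit` variants of those login1 actions; anchor it if only the plain actions are intended. A header comment stating why each action is allowed for xrdp sessions would make later audits easier.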
diff --git a/roles/xrdp/tasks/main.yaml b/roles/xrdp/tasks/main.yaml
new file mode 100644
index 0000000..d0708c2
--- /dev/null
+++ b/roles/xrdp/tasks/main.yaml
@@ -0,0 +1,69 @@
+- name: ensure xrdp and dependencies are installed
+ apt:
+ name:
+ - xrdp
+ - xorg
+ - tigervnc-xorg-extension
+ - tigervnc-standalone-server
+ state: present
+ update_cache: yes
+
+- name: backup sesman.ini
+ copy:
+ src: /etc/xrdp/sesman.ini
+ dest: /etc/xrdp/sesman.ini.bak
+ remote_src: yes
+
+- name: disable root login in sesman.ini
+ lineinfile:
+ path: /etc/xrdp/sesman.ini
+ regexp: '^AllowRootLogin='
+ line: 'AllowRootLogin=false'
+
+- name: deploy custom xrdp.ini from template
+ template:
+ src: xrdp.ini.j2
+ dest: /etc/xrdp/xrdp.ini
+ mode: '0644'
+
+- name: install xrdp logo
+ copy:
+ src: logo.bmp
+ dest: /etc/xrdp/logo.bmp
+ mode: '0644'
+
+- name: configure polkit rules for xrdp sessions
+ copy:
+ src: xrdp_polkit.rules
+ dest: /etc/polkit-1/rules.d/50-xrdp-session.rules
+ mode: '0644'
+
+- name: apply sysctl optimizations for rdp
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ net.ipv4.tcp_wmem = 4096 262144 33554432
+ net.ipv4.tcp_rmem = 4096 262144 33554432
+ net.core.wmem_max = 33554432
+ net.core.rmem_max = 33554432
+ net.ipv4.tcp_window_scaling = 1
+ net.ipv4.tcp_fastopen = 3
+ net.core.netdev_max_backlog = 3000
+ net.core.somaxconn = 2048
+ net.ipv4.tcp_slow_start_after_idle = 0
+ net.ipv4.tcp_adv_win_scale = 1
+ net.core.default_qdisc = fq
+ net.ipv4.tcp_congestion_control = bbr
+
+- name: apply sysctl settings
+ command: sysctl -p
+ changed_when: false
+
+- name: ensure xrdp services are enabled and started
+ systemd:
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ loop:
+ - xrdp
+ - xrdp-sesman
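Review bot: Nothing in this file restarts `xrdp` or `xrdp-sesman` after `sesman.ini` or `xrdp.ini` change; `state: started` leaves an already-running service untouched, so `AllowRootLogin=false` and the listen address do not take effect on re-runs until the daemons are restarted by hand. Add `notify: restart xrdp` to the `lineinfile` and `template` tasks with a matching handler (none is visible in this commit). The `lineinfile` task also appends `AllowRootLogin=false` at end of file when the regexp does not match (for example if the key is absent or written with spaces around `=`), which would place it outside `[Security]`; `insertafter: '^\[Security\]'` keeps it in the right section. The backup `copy` runs on every play, so after the first run `sesman.ini.bak` holds the already-edited file; `force: no` on that task would preserve the original.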
diff --git a/roles/xrdp/templates/xrdp.ini.j2 b/roles/xrdp/templates/xrdp.ini.j2
new file mode 100644
index 0000000..2afb769
--- /dev/null
+++ b/roles/xrdp/templates/xrdp.ini.j2
@@ -0,0 +1,87 @@
+[Globals]
+tcp_send_buffer_bytes=33554432
+tcp_recv_buffer_bytes=33554432
+ini_version=1
+fork=true
+port={{ 'tcp://.:3389' if xrdp_listen_local else 'tcp://:3389' }}
+use_vsock=false
+tcp_nodelay=true
+tcp_keepalive=true
+security_layer=negotiate
+crypt_level=medium
+key_file=
+ssl_protocols=TLSv1.2, TLSv1.3
+autorun=
+allow_channels=true
+allow_multimon=true
+bitmap_cache=true
+bitmap_compression=true
+bulk_compression=true
+max_bpp=32
+new_cursors=true
+use_fastpath=both
+grey=ffffff
+black=555555
+dark_grey=ffffff
+blue=19315a
+dark_blue=2777ff
+white=eeeeee
+ls_title=Remote Desktop Protocol (xRDP)
+ls_top_window_bg_color=2f2f2f
+ls_width=350
+ls_height=180
+ls_bg_color=dedede
+ls_logo_filename=/etc/xrdp/logo.bmp
+ls_logo_x_pos=0
+ls_logo_y_pos=0
+ls_label_x_pos=30
+ls_label_width=65
+ls_input_x_pos=110
+ls_input_y_pos=50
+ls_input_width=210
+ls_btn_ok_x_pos=142
+ls_btn_ok_y_pos=135
+ls_btn_ok_width=85
+ls_btn_ok_height=30
+ls_btn_cancel_x_pos=235
+ls_btn_cancel_y_pos=135
+ls_btn_cancel_width=85
+ls_btn_cancel_height=30
+
+[Logging]
+LogFile=xrdp.log
+LogLevel=INFO
+EnableSyslog=true
+
+[LoggingPerLogger]
+#xrdp.c=INFO
+#main()=INFO
+
+[Channels]
+rdpdr=true
+drdynvc=true
+cliprdr=true
+rdpsnd=false
+rail=false
+xrdpvr=false
+tcutils=false
+
+[Xorg]
+name=Xorg
+lib=libxup.so
+username=ask
+password=ask
+ip=127.0.0.1
+port=-1
+code=20
+
+#[Xvnc]
+#name=Xvnc
+#lib=libvnc.so
+#username=ask
+#password=ask
+#ip=127.0.0.1
+#port=-1
+#xserverbpp=24
+#delay_ms=2000
+#disabled_encodings_mask=0
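Review bot: `security_layer=negotiate` together with `crypt_level=medium` lets a client fall back from TLS to classic RDP security, which at `medium` is 40-bit RC4 in both directions according to the xrdp.ini man page; the `ssl_protocols=TLSv1.2, TLSv1.3` restriction only applies when TLS is actually selected. Prefer `security_layer=tls` and `crypt_level=high` unless legacy clients must be supported. `key_file=` is empty and there is no `certificate=` key, so xrdp presumably falls back to its packaged default key pair; pointing both at a managed certificate is worth considering. In `[Channels]`, `rdpdr=true` and `cliprdr=true` enable drive and clipboard redirection, which are data-transfer paths between client and host; a comment recording that this is intentional would help reviewers.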