
Guacamole on NixOS setup

Introduction

Guacamole on NixOS allows you to access your desktop environment and terminal via a web browser, supporting protocols like VNC, RDP, and SSH.

Setup

  1. Add the RDP settings to configuration.nix

    /etc/nixos/configuration.nix
    # To edit use your text editor application, for example Nano
    services.xserver.enable = true;
    services.xserver.displayManager.sddm.enable = true;
    services.xserver.desktopManager.plasma5.enable = true;
    services.xrdp.enable = true;
    services.xrdp.defaultWindowManager = "startplasma-x11";
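    # Opens the xrdp port (TCP 3389) in the firewall; the Guacamole RDP connection in step 6 itself goes over 127.0.0.1
    services.xrdp.openFirewall = true;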
  2. Then add the Guacamole settings

    /etc/nixos/configuration.nix
    # To edit use your text editor application, for example Nano
    services.guacamole-server = {
      enable = true;
      host = "127.0.0.1";
      userMappingXml = ./guacamole/user-mapping.xml;
      # package = pkgs.unstable.guacamole-server; # Optional, use only when you want to use the unstable channel
    };
    services.guacamole-client = {
      enable = true;
      enableWebserver = true;
      settings = {
        guacd-port = 4822;
        guacd-hostname = "127.0.0.1";
      };
      # package = pkgs.unstable.guacamole-client; # Optional, use only when you want to use the unstable channel
    };

    In this case I am using the Guacamole package from the default channel. But you can also use a newer version from the unstable channel (if available).

  3. Switch NixOS configuration

    Now you can switch to the new NixOS configuration. Run the following command:

    # Open your terminal application
    sudo nix-collect-garbage # Optional: clean up
    sudo nixos-rebuild switch
  4. Create the user-mapping.xml

    The user-mapping.xml contains the user information you log in to Guacamole with, and the connections you want to use to connect to NixOS. First generate the SHA-256 hash of the password:

    # Open your terminal application
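    # Keep the single quotes so the shell does not interpret special characters in the password
    echo -n '<password>' | openssl dgst -sha256
    # Or use:
    # echo -n '<password>' > file.txt
    # sha256sum file.txt
    # (file.txt then contains the password in plain text; delete it afterwards)

    Instructions:
    • Required: Replace <password> with your password, which will be used to log in to Guacamole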

    Remember the result (the hash after =).

  5. Create the guacamole folder

    # Open your terminal application
    sudo mkdir -p /etc/nixos/guacamole
  6. Add the following to /etc/nixos/guacamole/user-mapping.xml

    /etc/nixos/guacamole/user-mapping.xml
    # To edit use your text editor application, for example Nano
    <?xml version="1.0" encoding="UTF-8"?>
    <user-mapping>
      <!-- User using SHA-256 to hash the password -->
      <authorize
          username="<username>"
          password="<sha256 hash>"
          encoding="sha256">
        <connection name="NixOS Server SSH">
          <protocol>ssh</protocol>
          <param name="hostname">127.0.0.1</param>
          <param name="port">22</param>
        </connection>
        <connection name="NixOS Server RDP">
          <protocol>rdp</protocol>
          <param name="hostname">127.0.0.1</param>
          <param name="port">3389</param>
          <param name="ignore-cert">true</param>
        </connection>
      </authorize>
    </user-mapping>
    # IMPORTANT: Please read the instructions below
    Instructions:
    • Required: Replace <username> with your username, which will be used to log in to Guacamole
    • Required: Replace <sha256 hash> with the sha256 hash generated earlier (step 4)
  7. Check the results

    Now you can browse to Guacamole by opening a web browser and going to: http://localhost:8080/guacamole. Replace localhost with the relevant IP address or FQDN if needed, and adjust the port if you changed it earlier.

    Then log in with your username and password.


    Copyright 2021- Fiction Becomes Fact