Manage tigervnc now that it expects systemd-logind support.
- Description
- Setup - The basics of getting started with vnc
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module manages VNC servers utilizing the new tigervnc scripts from tigervnc 1.11 and later.
Users can optionally be given rights to restart their own servers.
This will impact your VNC sessions, configs in /etc/tigervnc (parameter), and PolicyKit for systemd (if user restart is granted via the params).
If requested the vnc::client::novnc
will try to setup the non-webserver
parts of a noVNC site.
If you wish to use the novnc client, you must setup a webserver to point at the websocket.
If the defaults are workable for you, basic usage is:
class { 'vnc::server':
manage_services => true,
vnc_servers => {
'userA' => {
'comment' => 'Optional comment',
'displaynumber' => 1,
'user_can_manage' => true,
}
}
Or via hiera
vnc::server::manage_services: true
vnc::server::vnc_servers:
userA:
comment: Optional comment
displaynumber: 1
user_can_manage: true
The most interesting parameter is vnc::server::vnc_servers
.
It has a structure of:
username:
comment: (optional) comment
displaynumber: The VNC screen, like 1, 2, 3, etc
ensure: service ensure, default is 'running'
enable: service enable, default is 'true'
seed_home_vnc: make ~${username}/.vnc/config, default is `vnc::server::seed_user_vnc_config`
extra_users_can_manage: [ usera, userb]
user_can_manage: Boolean value to permit a user to run `systemctl restart vncserver@:#.service`
where the `#` is their listed displaynumber.
default value is from $vnc::server::user_can_manage
For hosts where a users's home is on a kerberos protected volume, you'll
probably want to set seed_home_vnc = false
as the puppet process will
not have access. Or globally via vnc::server::seed_home_vnc
.
The extra_users_can_manage
grants systemctl restart vncserver@:#.service
to these users too. The user_can_manage
boolean must be true
for this
to work.
Similarly, when "user home" is not accessible to unauthenticated systemd,
you'll probably want to set vnc::server::manage_services = false
.
You can directly export these sessions to noVNC via include vnc::server::export::novnc
.
Similarly, VNC clients can be loaded with:
class { 'vnc::client::gui': }
or
class { 'vnc::client::novnc': }
The noVNC client takes a parameter vnc_sessions
with a format of:
vnc::client::novnc::vnc_servers:
session_name: server:port
other_session_name: server:otherport
By default token based configuration is used to let the webserver multiplex to a single websockify
instance.
An example HTML list of configured sessions is written out to vnc::client::novnc::webserver_vnc_index
.
This requires the systemd units from tigervnc 1.11+.
You must manage you own firewall settings.
There are too may ways folks may want to setup the webserver, so no attempt
is made here to provide hooks for the websockets proxy via httpd
or nginx
.
If you want to use the SSL wrapper for websockify
you are responsible to
depoy the cert, key, CA, and set the parameters you need.
See the linked repo in metadata.json