# vmix.nix Project Memory

## Build Preferences

- Always use VNC display (`:1` / port 5901) when building Windows images so progress can be monitored
- Pass `vncDisplay = ":1"` to customizeImage templates for build monitoring
- Use `gvnccapture localhost:1 /tmp/screenshot.png` to take VNC screenshots (package: gtk-vnc)
- For VNC inside vmix namespace: `ip netns exec windows.vmix nix-shell -p gtk-vnc --run 'gvnccapture 127.0.0.1:1 /tmp/screenshot.png'`

## Key Architecture

- Offline registry uses `ControlSet001` (not `CurrentControlSet`) for virt-win-reg merges
- Sysprep resets offline registry changes — RDP must be re-enabled in post-OOBE script
- TermService won't listen on port 3389 in Audit Mode without a password on Administrator
- `LimitBlankPasswordUse=0` alone is NOT sufficient for RDP in Audit Mode — password required
- OOBE AutoLogon `` in unattend XML is unreliable — set via `reg add` in post-oobe.cmd instead
- OOBE creates user with blank password regardless of unattend — set real password via `net user` in post-oobe.cmd
- `sc config` can fail silently for some services — use `reg add` to set `Start` value directly

## RDP on Win10 IoT Enterprise LTSC 2021

- **CRITICAL**: `rdpwd.sys` and `tdtcp.sys` don't exist in this Windows build (removed in 19041+)
- `termsrv.dll` version is `10.0.19041.1202` — not supported by RDPWrap v1.6.2 or community INI files
- TermService runs but never creates the `rdp-tcp` WinStation listener — no port 3389
- The ISO (`en-us_windows_10_iot_enterprise_ltsc_2021_x64_dvd_257ad90f.iso`) has 2 indexes:
  - Index 1: Windows 10 Enterprise LTSC 2021
  - Index 2: Windows 10 IoT Enterprise LTSC 2021
- Product key `M7XTQ-FN8P6-TTKYV-9D4CC-J462D` = Enterprise LTSC (not IoT)
- MAS HWID activation switches edition to IoT Enterprise S (partial key YY74H)
- **TODO**: Either generate custom RDPWrap config for termsrv 10.0.19041.1202, use a different ISO, or use third-party RDP server

## generalize.nix Changes

- `enableRDP` flag added — applies RDP settings in post-oobe.cmd (survives sysprep)
- AutoLogon fix: blank password in unattend, real password + AutoAdminLogon registry in post-oobe.cmd
- `LogonCount=999` for persistent AutoLogon
- SessionEnv + UmRdpService set to auto-start via `reg add` (Start=2)
- Firewall: `Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'` + `Set-NetFirewallRule -Profile Any`

## labv2.nix junto Deployment

- vmix flake input rev is pinned in `flake.nix` — must update the URL to change versions
- Use `path:/storage/gitrepos/vmix.nix` for local dev, `git+https://...?rev=` for production
- `colmena apply-local` doesn't support `--override-input`
- DNS: `dns.resolver.useHostResolvConf = true` breaks when host uses systemd-resolved (127.0.0.53) — use explicit upstream like `1.1.1.1`
- QEMU Guest Agent socket at `/tmp/qga-win10.sock` — use from inside namespace
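
The `ControlSet001` note under Key Architecture, as an added example (not code from the vmix.nix project): a filter that rewrites `CurrentControlSet` key headers in a `.reg` file to `ControlSet001` before a `virt-win-reg --merge`, plus a pre-merge check. The function names, the sample `.reg` content and the `win10.qcow2` image name are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Assumes ASCII/UTF-8 .reg text on stdin.

# Constructed sample: a .reg fragment written as it would be for a live system.
sample_reg() {
cat <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Comment"="mirrors SYSTEM\\CurrentControlSet"
EOF
}

# Rewrite key headers only ([...] and [-...] lines); value data is left alone.
# $1 = control set number (default 1, i.e. ControlSet001 as used on this page).
to_offline_reg() {
    awk -v cs="$(printf 'ControlSet%03d' "${1:-1}")" '
        BEGIN { needle = "hkey_local_machine\\system\\currentcontrolset" }
        /^\[/ {
            i = index(tolower($0), needle)      # registry paths are case-insensitive
            end = i + length(needle)
            nxt = substr($0, end, 1)            # must end the path component
            at_start = (i == 2 || (i == 3 && substr($0, 2, 1) == "-"))
            if (at_start && (nxt == "\\" || nxt == "]"))
                $0 = substr($0, 1, i - 1) "HKEY_LOCAL_MACHINE\\SYSTEM\\" cs substr($0, end)
        }
        { print }
    '
}

# Exit 0 if stdin still has a key header that only exists on a running system.
has_live_only_keys() {
    grep -Eqi '^\[-?HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet(\\|\])'
}

# Typical use (image name is a placeholder):
#   to_offline_reg 1 < rdp.reg > rdp.offline.reg
#   has_live_only_keys < rdp.offline.reg && exit 1
#   virt-win-reg --merge win10.qcow2 rdp.offline.reg
sample_reg | to_offline_reg 1
```
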