Title: A NixOS kiosk
Author: Solène
Date: 06 October 2022
Tags: linux security nixos
Description: In this article, you will learn how to use Cage on NixOS
to make kiosk computers

# Introduction

A kiosk, in sysadmin jargon, is a computer that is restricted to a
single program so anyone can use it for the sole provided purpose. You
may have seen kiosk computers here and there, often wrapped in some
kind of box with just a touch screen available. ATMs are kiosks, and most
screens showing some information are also kiosks.

What if you wanted to build a kiosk yourself? Having made a bunch
of kiosk computers a few years ago, I know it's not an easy task. You need to
think about:

* how to make the boot process bulletproof?
* which desktop environment to use?
* will the system show notifications you don't want?
* can the user escape from the kiosk program?

Nowadays, we have more tooling available to ease kiosk making. There
is also a distinction that has to be made between kiosks used for
displaying things, and kiosks used by users. The latter is more
complicated and requires a lot of work, the former is a bit easier,
especially with the new tools we will see in this article.

# Cage

The tool used in this blog post is named Cage. It's a program running a
Wayland display that only allows a single window to be shown at once.

Cage GitHub project page

Using Cage, we will be able to start a program in fullscreen, and only
it, without having any notification, desktop, title bar etc.

In my case, I want to open Firefox to open a local file used to display
monitoring information. Firefox can still be used "normally" because
hardening it would require a lot of work, but it's fine because I'm at
home and it's just to display gauges and diagrams.

# NixOS configuration

Here is the piece of code that will start the Firefox window at boot
automatically. Note that you need to disable any X server related
configuration.

```
services.cage = {
  enable = true;
  user = "solene";
  program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///hom…
};
```

Firefox has a few special flags, such as `-kiosk` to disable a few
components, and `-private-window` to not mix with the current history.
This is clearly not enough to prevent someone from using Firefox for
whatever they want, but it's fine to handle a display of a single page
reliably.
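
A variation on the snippet above that runs the kiosk under a dedicated unprivileged account instead of a personal one. This is an added example, not the author's configuration. The account name `kiosk`, the dashboard path and the `cage-tty1` unit name are assumptions.

```nix
{ pkgs, ... }:

let
  # Assumption: a dedicated account, so a user who gets out of the
  # displayed page only reaches an account that owns nothing else.
  kioskUser = "kiosk";

  # Assumption: placeholder location for the page to display
  # (the path in the article's own snippet is truncated).
  dashboard = "file:///var/lib/kiosk/dashboard.html";
in
{
  # The article notes that X server configuration must be disabled.
  services.xserver.enable = false;

  users.users.${kioskUser} = {
    # Regular account with a home directory for the Firefox profile.
    isNormalUser = true;
    # No supplementary groups: in particular not "wheel", so no sudo.
    extraGroups = [ ];
    # No password is set, so the account cannot log in with a password.
  };

  services.cage = {
    enable = true;
    user = kioskUser;
    # Same Firefox flags as in the article.
    program = "${pkgs.firefox}/bin/firefox -kiosk -private-window ${dashboard}";
    # Cage only allows switching to another virtual terminal when it is
    # started with -s, so that flag is deliberately not passed here.
  };

  # Assumption: the Cage module's systemd unit is named cage-tty1.
  # Restart it if Firefox exits so the screen comes back by itself.
  systemd.services."cage-tty1".serviceConfig.Restart = "always";
}
```

As in the article, this does not harden Firefox itself; it only limits what the session's account can reach.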

# Conclusion

I wish I had something like Cage available back in the time I had to
make kiosks. I can enjoy my low power netbook just displaying
monitoring graphs at home now.

a netbook displaying graphs