Title: A NixOS kiosk
Author: Solène
Date: 06 October 2022
Tags: linux security nixos
Description: In this article, you will learn how to use Cage on NixOS to make kiosk computers
# Introduction

A kiosk, in sysadmin jargon, is a computer restricted to a single program, so that anyone can use it for the sole purpose provided. You may have seen kiosk computers here and there, often wrapped in some kind of box with just a touch screen available. ATMs are kiosks, and most screens showing some information are also kiosks.

What if you wanted to build a kiosk yourself? Having built a bunch of kiosk computers a few years ago, I can say it's not an easy task; you need to think about:

* how to make the boot process bulletproof?
* which desktop environment to use?
* will the system show notifications you don't want?
* can the user escape from the kiosk program?

Nowadays, we have more tooling available to ease kiosk making. There is also a distinction to make between kiosks used to display things and kiosks used by users. The latter are more complicated and require a lot of work; the former are a bit easier, especially with the new tools we will see in this article.
# Cage

The tool used in this blog post is named Cage; it's a Wayland compositor that only allows a single window to be shown at a time.

Cage GitHub project page

Using Cage, we will be able to start a program in fullscreen, and only it, without any notifications, desktop, title bar, etc.

In my case, I want to open Firefox on a local file used to display monitoring information. Firefox can still be used "normally", because hardening it would require a lot of work, but that's fine since I'm at home and it's just to display gauges and diagrams.
# NixOS configuration

Here is the piece of configuration that will start the Firefox window automatically at boot. Note that you need to disable any X server related configuration, since Cage is a Wayland compositor.

```
services.cage = {
  enable = true;
  user = "solene";
  program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///hom…";
};
```
Firefox has a few special flags, such as `-kiosk` to disable a few interface components, and `-private-window` to avoid mixing with the existing history. This is clearly not enough to prevent someone from using Firefox for whatever they want, but it's fine for reliably displaying a single page.
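As an added example that is not part of the original post, here is a fuller NixOS module built around the same `services.cage` options: it runs the kiosk under a dedicated unprivileged user instead of a personal account, keeps the X server disabled, and wraps Firefox in a small script that relaunches it if the window is ever closed or crashes, so the page comes back on its own. The user name `kiosk`, the wrapper name and the file path are assumptions chosen for the example.

```nix
{ config, pkgs, ... }:

let
  # Placeholder for the local page to display; replace with the real file.
  kioskUrl = "file:///var/lib/kiosk/index.html";

  # Wrapper around Firefox (name chosen for this example). The loop
  # restarts the browser whenever it exits, so closing the window or a
  # crash brings the kiosk page straight back instead of leaving a blank
  # Cage session. The environment variable makes Firefox run as a native
  # Wayland client under Cage.
  kioskApp = pkgs.writeShellScript "kiosk-firefox" ''
    export MOZ_ENABLE_WAYLAND=1
    while true; do
      ${pkgs.firefox}/bin/firefox -kiosk -private-window "${kioskUrl}"
      sleep 1
    done
  '';
in
{
  # Cage is a Wayland compositor: keep every X server option disabled.
  services.xserver.enable = false;

  # Dedicated account with no password and no extra groups, so the kiosk
  # session does not run as a person's account and cannot log in elsewhere.
  users.users.kiosk = {
    isNormalUser = true;
    description = "Kiosk session";
    extraGroups = [ ];
  };

  services.cage = {
    enable = true;
    user = "kiosk";
    program = "${kioskApp}";
  };
}
```

Put this in a module imported from `configuration.nix` and rebuild; the wrapper is the only program Cage will show, and the `kiosk` user owns nothing beyond its home directory.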
# Conclusion

I wish I had something like Cage available back when I had to make kiosks. I can now enjoy my low-power netbook just displaying monitoring graphs at home.

(Image: a netbook displaying graphs)