From 5d44bc607576b620cd78a1fd7384c2262a9647db Mon Sep 17 00:00:00 2001 From: Vincent Mahnke Date: Thu, 25 Dec 2025 18:13:46 +0100 Subject: [PATCH 1/2] Add NixOS kiosk flake and config --- flake.nix | 29 ++++++++++ nixos/kiosk.nix | 140 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 169 insertions(+) create mode 100644 flake.nix create mode 100644 nixos/kiosk.nix
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..27086ff
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,29 @@
+{
+  description = "Kiosk NixOS ISO with Firefox in kiosk mode";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    flake-utils.url = "github:numtide/flake-utils";
+    nixos-generators.url = "github:nix-community/nixos-generators";
+  };
+
+  outputs = { self, nixpkgs, flake-utils, nixos-generators }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs { inherit system; };
+    in {
+      # Build a bootable ISO image using nixos-generators
+      packages.iso = nixos-generators.nixosGenerate {
+        inherit pkgs;
+        format = "iso";
+        modules = [ ./nixos/kiosk.nix ];
+      };
+
+      # Expose the NixOS configuration for direct use if desired
+      nixosConfigurations.kiosk = let
+        lib = nixpkgs.lib;
+      in lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [ ./nixos/kiosk.nix ];
+      };
+    });
+}
diff --git a/nixos/kiosk.nix b/nixos/kiosk.nix
new file mode 100644
index 0000000..dad68b9
--- /dev/null
+++ b/nixos/kiosk.nix
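Review bot: `nixosConfigurations.kiosk` is declared inside `flake-utils.lib.eachDefaultSystem`, which prefixes every attribute it returns with the system name, so the flake exposes `nixosConfigurations.<system>.kiosk` rather than the `nixosConfigurations.kiosk` that `nixos-rebuild --flake .#kiosk` looks up; the second patch's flake.nix hunk keeps the same nesting. Hoist it out of the per-system block, e.g. `outputs = { self, nixpkgs, flake-utils, ... }: { nixosConfigurations.kiosk = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./nixos/kiosk.nix ]; }; } // flake-utils.lib.eachDefaultSystem (system: { … });`. The hard-coded `system = "x86_64-linux"` is then no longer at odds with the `system` variable the surrounding lambda receives.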
@@ -0,0 +1,140 @@
+{ config, pkgs, lib, ... }:
+
+{
+  ############################################
+  # Base system
+  ############################################
+  nixpkgs.hostPlatform = "x86_64-linux";
+  system.stateVersion = "24.11";
+
+  # Simple console-based kiosk using cage (Wayland single-app compositor)
+  services.xserver.enable = false; # Not using an X11 display manager
+
+  # Autologin to TTY1 as kiosk user
+  services.getty.autologinUser = "kiosk";
+
+  # Kiosk user
+  users.users.kiosk = {
+    isNormalUser = true;
+    description = "Kiosk User";
+    home = "/home/kiosk";
+    extraGroups = [ "wheel" ];
+    initialPassword = "kiosk";
+  };
+
+  # Packages required (aligning with the Debian preseed intent)
+  environment.systemPackages = with pkgs; [
+    firefox
+    cage
+    curl
+    unzip
+    # chromium # available if you want it in addition to Firefox
+  ];
+
+  ############################################
+  # Firefox policies (preconfigured profile settings)
+  ############################################
+  programs.firefox = {
+    enable = true;
+    policies = {
+      DisableDeveloperTools = true;
+      BlockAboutAddons = true;
+      BlockAboutConfig = true;
+      BlockAboutProfiles = true;
+      BlockAboutSupport = true;
+      DisableFirefoxAccounts = true;
+      DisablePrivateBrowsing = true;
+      DisableProfileImport = true;
+      DisableProfileRefresh = true;
+      DisableSafeMode = true;
+      DisablePocket = true;
+      DisableFirefoxScreenshots = true;
+      DisableSetDesktopBackground = true;
+
+      Homepage = {
+        URL = "https://mahn.ke";
+        Locked = true;
+      };
+
+      NewTabPage = { Enabled = false; };
+
+      # Use a Linux path for downloads in kiosk
+      DownloadDirectory = {
+        Path = "/home/kiosk/Downloads";
+        Locked = true;
+      };
+
+      PromptForDownloadLocation = false;
+      StartDownloadsInTempDirectory = false;
+      DisableAppUpdate = true;
+
+      Permissions = {
+        Camera = "deny";
+        Microphone = "deny";
+        Location = "deny";
+        Notifications = "deny";
+      };
+
+      ShowHomeButton = false;
+      DisplayMenuBar = false;
+      DisplayBookmarksToolbar = false;
+
+      # Extension & user messaging controls (per your Debian policy JSON)
+      UserMessaging = {
+        ExtensionRecommendations = false;
+        FeatureRecommendations = false;
+        UrlbarInterventions = false;
+        SkipOnboarding = false;
+        MoreFromMozilla = false;
+        FirefoxLabs = false;
+        Locked = false;
+      };
+
+      # Install Tampermonkey automatically (Firefox will fetch at runtime).
+      # Note: AMO URL may change; this is the typical latest channel.
+      Extensions = {
+        Install = [
+          "https://addons.mozilla.org/firefox/downloads/latest/tampermonkey/latest.xpi"
+        ];
+      };
+    };
+
+    # Helpful preferences to keep Firefox minimal
+    preferences = {
+      "browser.fullscreen.autohide" = true;
+      "browser.shell.checkDefaultBrowser" = false;
+      "browser.startup.page" = 1; # Start with homepage
+    };
+  };
+
+  ############################################
+  # Kiosk launch behavior (replicates your bash_profile approach)
+  ############################################
+  # Create a bash_profile for the kiosk user that launches cage + firefox
+  system.activationScripts.kioskBashProfile = lib.stringAfter ["users"] ''
+    mkdir -p /home/kiosk
+    chown kiosk:kiosk /home/kiosk
+    sudo -u kiosk mkdir -p /home/kiosk/.config
+    cat > /home/kiosk/.bash_profile <<'EOF'
+if [ -z "$WAYLAND_DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
+  exec ${pkgs.cage}/bin/cage ${pkgs.firefox}/bin/firefox --kiosk https://c3nav.de
+fi
+EOF
+    chown kiosk:kiosk /home/kiosk/.bash_profile
+  '';
+
+  ############################################
+  # Include your userscripts in the image for easy import
+  ############################################
+  environment.etc."kiosk/tampermonkey".source = ./../tampermonkey;
+
+  ############################################
+  # Networking & basic services
+  ############################################
+  networking.hostName = "kiosk";
+  time.timeZone = "UTC";
+  services.openssh.enable = true; # optional, mirrors preseed tasksel ssh-server
+
+  # Keep system simple, disable unneeded DM
+  services.displayManager.enable = false;
+}
From f4efd87aa564ab7dca59cd4eab064e794bc15c26 Mon Sep 17 00:00:00 2001 From: Vincent Mahnke Date: Thu, 25 Dec 2025 20:46:06 +0100 Subject: [PATCH 2/2] feat: Adds workflow for NixOS build --- .github/workflows/kiosk-iso.yml | 43 +++++++++++++++++++++++ flake.lock | 61 +++++++++++++++++++++++++++++++++ flake.nix | 29 ++++++++-------- nixos/kiosk.nix | 11 ++++++ 4 files changed, 129 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/kiosk-iso.yml create mode 100644 flake.lock
diff --git a/.github/workflows/kiosk-iso.yml b/.github/workflows/kiosk-iso.yml
new file mode 100644
index 0000000..3171b4d
--- /dev/null
+++ b/.github/workflows/kiosk-iso.yml
@@ -0,0 +1,43 @@
+name: Build NixOS Kiosk ISO
+
+on:
+  push:
+    branches: [ main, profile-install ]
+  workflow_dispatch:
+
+jobs:
+  flake-check:
+    runs-on: ubuntu-latest
+    container:
+      image: nixos/nix:2.33.0
+      env:
+        NIX_CONFIG: extra-experimental-features = nix-command flakes
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Flake check
+        run: nix flake check -L
+
+  build-iso:
+    runs-on: ubuntu-latest
+    needs: [ flake-check ]
+    container:
+      image: nixos/nix:2.33.0
+      env:
+        NIX_CONFIG: extra-experimental-features = nix-command flakes
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build ISO
+        run: |
+          nix --version
+          nix build .#iso -L --system x86_64-linux
+          ls -la result
+          mkdir -p artifacts
+          cp -v result/iso/*.iso artifacts/
+      - name: Upload ISO artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: kiosk-iso
+          path: artifacts/*.iso
+          if-no-files-found: error
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..032fb8b
--- /dev/null
+++ b/flake.lock
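Review bot: The autologin `kiosk` account is put in `wheel` with `initialPassword = "kiosk"` while `services.openssh.enable = true` further down the same hunk, so any host that can reach port 22 on the booted image can log in with a password that is published in this repository and then sudo; on a live ISO the account is recreated on every boot, so the "initial" password is always in effect. Drop `extraGroups = [ "wheel" ];`, and either make SSH key-only (`services.openssh.settings.PasswordAuthentication = false;` plus `users.users.kiosk.openssh.authorizedKeys.keys`) or leave `services.openssh.enable` off for the kiosk. Separately, the activation script already runs as root, so `sudo -u kiosk mkdir -p /home/kiosk/.config` can be a plain `mkdir -p` followed by the `chown` the script does anyway — `sudo` does not appear to be on the activation PATH. The locked `Homepage.URL` is `https://mahn.ke` while the generated `.bash_profile` starts Firefox with `--kiosk https://c3nav.de`; one of the two looks stale.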
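Review bot: The workflow sets no `permissions:` block, so both jobs receive the repository's default `GITHUB_TOKEN` scope although they only check out code and upload an artifact; add `permissions:` / `  contents: read` at the top level. `actions/checkout@v4` and `actions/upload-artifact@v4` are referenced by mutable tag in both jobs; pinning each to a full commit SHA (tag kept in a trailing comment) makes the build of a bootable image reproducible against action updates. `nix flake check -L` evaluates every system that `eachDefaultSystem` emits, and the flake's `packages.<system>.iso` is an x86_64-linux derivation under every system name — whether the check reports that as a warning or an error depends on the Nix version, so it is worth confirming on the first run.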
@@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1751274312, + "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/flake.nix b/flake.nix
index 27086ff..b991131 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,26 +4,25 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     flake-utils.url = "github:numtide/flake-utils";
-    nixos-generators.url = "github:nix-community/nixos-generators";
   };
 
-  outputs = { self, nixpkgs, flake-utils, nixos-generators }:
-    flake-utils.lib.eachDefaultSystem (system: let
-      pkgs = import nixpkgs { inherit system; };
-    in {
-      # Build a bootable ISO image using nixos-generators
-      packages.iso = nixos-generators.nixosGenerate {
-        inherit pkgs;
-        format = "iso";
-        modules = [ ./nixos/kiosk.nix ];
-      };
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system: {
+      # Build a bootable ISO image using the built-in NixOS iso module
+      packages.iso = (
+        (nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./nixos/kiosk.nix
+            (import "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix")
+          ];
+        }).config.system.build.isoImage
+      );
 
       # Expose the NixOS configuration for direct use if desired
-      nixosConfigurations.kiosk = let
-        lib = nixpkgs.lib;
-      in lib.nixosSystem {
+      nixosConfigurations.kiosk = (nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [ ./nixos/kiosk.nix ];
-      };
+      });
     });
 }
diff --git a/nixos/kiosk.nix b/nixos/kiosk.nix
index dad68b9..e2688f7 100644
--- a/nixos/kiosk.nix
+++ b/nixos/kiosk.nix
@@ -123,6 +123,16 @@ EOF
     chown kiosk:kiosk /home/kiosk/.bash_profile
   '';
 
+  # Unpack preconfigured Firefox profile from the repository into kiosk's home
+  system.activationScripts.kioskFirefoxProfile = lib.stringAfter ["users"] ''
+    mkdir -p /home/kiosk/.mozilla/firefox
+    # Only unzip if directory is empty (first activation)
+    if [ -z "$(ls -A /home/kiosk/.mozilla/firefox 2>/dev/null)" ]; then
+      ${pkgs.unzip}/bin/unzip -o ${../Firefox.zip} -d /home/kiosk/.mozilla/firefox
+      chown -R kiosk:kiosk /home/kiosk/.mozilla/firefox
+    fi
+  '';
+
   ############################################
   # Include your userscripts in the image for easy import
   ############################################
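Review bot: `packages.iso` and `nixosConfigurations.kiosk` each call `nixpkgs.lib.nixosSystem` with a copy of the same `system` and module list, so the published ISO and the exposed configuration can drift apart the moment one of them is edited. Keep a single `nixosSystem` call and derive the image from it with `extendModules`, e.g. `packages.iso = (kiosk.extendModules { modules = [ (import "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix") ]; }).config.system.build.isoImage;` where `kiosk` is the one configuration bound in a `let`. Importing `iso-image.nix` alone, without the `installation-cd-base.nix`/`all-hardware.nix` profiles the stock installer images use, may leave out kernel modules the target machine needs — worth confirming the ISO boots on the intended hardware. The enclosing `outputs` attrset begins before this hunk.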
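Review bot: `${../Firefox.zip}` copies the archive into `/nix/store`, which is world-readable on the booted system and shipped inside the published ISO artifact, so whatever a saved Firefox profile usually contains — cookies, session store, `logins.json`/`key4.db`, history — becomes readable by every local user and by anyone who downloads the image. Confirm the archive holds only the settings meant to be public, or express those settings through the `programs.firefox.policies`/`preferences` blocks this file already has and drop the archive altogether. The first-activation guard on `ls -A … 2>/dev/null` is fine, but because `mkdir -p` runs as root the directory is root-owned until the `chown -R` inside the guard runs, and a partial extraction leaves a non-empty directory that is never repaired; `install -d -o kiosk -g kiosk /home/kiosk/.mozilla/firefox` before the check keeps ownership consistent either way. Whether the zip's top-level layout (a `profiles.ini` at the root) matches what Firefox expects cannot be told from here.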
@@ -135,6 +145,7 @@ EOF time.timeZone = "UTC"; services.openssh.enable = true; # optional, mirrors preseed tasksel ssh-server + # Keep system simple, disable unneeded DM services.displayManager.enable = false; }