Title: A NixOS kiosk
Author: Solène
Date: 06 October 2022
Tags: linux security nixos
Description: In this article, you will learn how to use Cage on NixOS to make kiosk computers

# Introduction

A kiosk, in sysadmin jargon, is a computer restricted to a single program, so anyone can use it but only for the purpose provided. You may have seen kiosk computers here and there, often wrapped in some kind of box with just a touch screen available. ATMs are kiosks, and most screens showing some information are kiosks too.

What if you wanted to build a kiosk yourself? Having built a bunch of kiosk computers a few years ago, I can say it's not an easy task. You need to think about:

* how to make the boot process bulletproof?
* which desktop environment to use?
* will the system show notifications you don't want?
* can the user escape from the kiosk program?

Nowadays, we have more tooling available to ease kiosk making. There is also a distinction to be made between kiosks that only display things and kiosks operated by users. The latter are more complicated and require a lot of work; the former are a bit easier, especially with the new tools we will see in this article.

# Cage

The tool used in this blog post is named Cage. It's a program running a Wayland display that only allows a single window to be shown at once.

(HTM) Cage GitHub project page

Using Cage, we will be able to start a program in fullscreen, and only that program, without any notification, desktop, title bar, etc.

In my case, I want Firefox to open a local file used to display monitoring information. Firefox can still be used "normally" because hardening it would require a lot of work, but it's fine because I'm at home and it's just to display gauges and diagrams.

# NixOS configuration

Here is the piece of code that will start the Firefox window at boot automatically. Note that you need to disable any X server related configuration.
```
services.cage = {
  enable = true;
  user = "solene";
  program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///home/solene/monitoring.html";
};
```

Firefox has a few special flags, such as `-kiosk` to disable a few components, and `-private-window` to not mix with the current history. This is clearly not enough to prevent someone from using Firefox for whatever they want, but it's fine for reliably displaying a single page.

# Conclusion

I wish I had something like Cage available back when I had to make kiosks. I can enjoy my low power netbook just displaying monitoring graphs at home now.

(IMG) a netbook displaying graphs
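
The configuration from the "NixOS configuration" section, extended as an added example that is not part of the original article: X is disabled explicitly, the session runs under a dedicated account, and Firefox is wrapped with a few enterprise policies. The account name `kiosk`, the file path and the selection of policies are assumptions; this narrows what the session exposes but does not make Firefox escape-proof.

```nix
# Added example, not the author's configuration.
# Assumptions: the "kiosk" account name, the dashboard path, the policy list.
{ pkgs, ... }:

let
  # Hypothetical location of the page to display; it must be readable
  # by the kiosk account.
  dashboard = "file:///home/kiosk/monitoring.html";

  # Firefox wrapped with enterprise policies. The policy names are
  # Firefox's own; they close the most obvious built-in pages and tools.
  kioskFirefox = pkgs.wrapFirefox pkgs.firefox-unwrapped {
    extraPolicies = {
      BlockAboutConfig = true;
      BlockAboutProfiles = true;
      BlockAboutSupport = true;
      BlockAboutAddons = true;
      DisableDeveloperTools = true;
      DisableFirefoxAccounts = true;
      DisablePocket = true;
      DontCheckDefaultBrowser = true;
      PasswordManagerEnabled = false;
    };
  };
in
{
  # The article notes that X server related configuration must be disabled.
  services.xserver.enable = false;

  # Dedicated account for the session: it is not in the "wheel" group,
  # so it gets no sudo rights from the default NixOS sudo setup.
  users.users.kiosk = {
    isNormalUser = true;
    description = "Kiosk session";
  };

  services.cage = {
    enable = true;
    user = "kiosk";
    program = "${kioskFirefox}/bin/firefox -kiosk -private-window ${dashboard}";
  };
}
```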