Title: A NixOS kiosk
       Author: Solène
       Date: 06 October 2022
       Tags: linux security nixos
       Description: In this article, you will learn how to use Cage on NixOS
       to make kiosk computers
       
       # Introduction
       
       A kiosk, in sysadmin jargon, is a computer that is restricted to a
       single program so anyone can use it for the sole provided purpose.  You
       may have seen kiosk computers here and there, often wrapped in some
       kind of box with just a touch screen available.  ATMs are kiosks, and
       most screens showing some information are also kiosks.
       
       What if you wanted to build a kiosk yourself?  Having built a bunch
       of kiosk computers a few years ago, I can say it's not an easy task.
       You need to think about:
       
       * how to make the boot process bulletproof?
       * which desktop environment to use?
       * will the system show notifications you don't want?
       * can the user escape from the kiosk program?
       
       Nowadays, we have more tooling available to ease kiosk making.  There
       is also a distinction to be made between kiosks used for displaying
       things, and kiosks used by users.  The latter is more complicated and
       requires a lot of work, the former is a bit easier, especially with
       the new tools we will see in this article.
       
       # Cage
       
       The tool used in this blog post is named Cage.  It's a program running
       a Wayland display that only allows one single window to be shown at
       once.
       
 (HTM) Cage GitHub project page
       
       Using Cage, we will be able to start a program in fullscreen, and only
       it, without any notification, desktop, title bar, etc.
       
       In my case, I want to start Firefox to open a local file used to
       display monitoring information.  Firefox can still be used "normally"
       because hardening it would require a lot of work, but it's fine because
       I'm at home and it's just to display gauges and diagrams.
       
       # NixOS configuration
       
       Here is the piece of code that will start the Firefox window at boot
       automatically.  Note that you need to disable any X server-related
       configuration.
       
       ```
         services.cage = {
             enable = true;
             user = "solene";
             program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///home/solene/monitoring.html";
         };
       ```
       
       Firefox has a few special flags, such as `-kiosk` to disable a few
       components, and `-private-window` to not mix with the current history.
       This is clearly not enough to prevent someone from using Firefox for
       whatever they want, but it's fine to handle a display of a single page
       reliably.
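
       The same setup written as a complete module, as an added example that
       is not from the original article.  It assumes a dedicated `kiosk`
       account, a `kiosk.nix` file name and a page path under that account's
       home (all hypothetical), so the browser session does not run under a
       personal account.

       ```nix
       # Added example: self-contained NixOS module for a display-only kiosk.
       # Import it from configuration.nix with: imports = [ ./kiosk.nix ];
       { pkgs, ... }:

       let
         # Assumptions: account name and page location are not from the article.
         kioskUser = "kiosk";
         page = "file:///home/${kioskUser}/monitoring.html";
       in
       {
         # Cage is a Wayland compositor, so no X server is needed.
         services.xserver.enable = false;

         # Unprivileged account: it is not in the "wheel" group, so anyone who
         # uses Firefox "normally" only reaches this account's files and has
         # no sudo access.
         users.users.${kioskUser} = {
           isNormalUser = true;
           description = "Kiosk display account";
         };

         services.cage = {
           enable = true;
           user = kioskUser;
           program = "${pkgs.firefox}/bin/firefox -kiosk -private-window ${page}";
         };
       }
       ```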
       
       # Conclusion
       
       I wish I had something like Cage available back when I had to
       make kiosks.  I can enjoy my low power netbook just displaying
       monitoring graphs at home now.
       
 (IMG) a netbook displaying graphs