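{ pkgs, lib, ... }:
let
  # Page shown full-screen by the kiosk browser.
  dashboardUrl = "https://night.purduehackers.com";
in
{
  # Unprivileged account that runs the kiosk session.
  # NOTE(review): the home lives under /tmp, which is world-writable and is
  # commonly wiped on boot. Nothing here appears to rely on the profile
  # persisting (Firefox runs with --private-window), but another local user
  # could pre-create /tmp/kiosk before activation; /var/lib/kiosk would avoid
  # that. Left as-is pending confirmation.
  users.users.kiosk = {
    isNormalUser = true;
    group = "kiosk";
    home = "/tmp/kiosk";
  };
  users.groups.kiosk = { };

  # Wayland kiosk compositor (cage) on tty1, running Firefox in kiosk mode
  # as the kiosk user.
  services.cage = {
    enable = true;
    user = "kiosk";
    program = ''
      ${lib.getExe pkgs.firefox} \
        --kiosk \
        --private-window "${dashboardUrl}"
    '';
    # "-d": cage's flag to not draw client-side decorations (see cage(1)).
    extraArguments = [ "-d" ];
  };

  # Firefox enterprise policies: let the dashboard autoplay with sound, and
  # silence the default-browser prompt (there is no user to answer it).
  programs.firefox.policies = {
    Permissions.Autoplay.Default = "allow-audio-video";
    Preferences."browser.shell.checkDefaultBrowser".Value = false;
    DontCheckDefaultBrowser = true;
  };

  # Audio for the dashboard: PipeWire with its PulseAudio shim. rtkit lets
  # the unprivileged session request realtime scheduling.
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    pulse.enable = true;
  };

  # Start the browser only once the network is reachable. `requires` alone
  # pulls the target in but does not order the unit, so `after` is needed
  # as well or the browser can come up before the dashboard is reachable.
  systemd.services.cage-tty1 = {
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };

  # First-boot bootstrap: clone the configuration repository into /etc/nixos
  # and unlock its git-crypt'd files. Idempotent: skipped once a checkout
  # exists. Runs as root (no User=), which /etc/decryption.key's mode below
  # relies on.
  # NOTE(review): the clone tracks the remote's default branch with no commit
  # pin and no signature check, so whoever controls git.inx.moe controls this
  # machine's next rebuild. Pin a commit or verify a signed tag if that is
  # not acceptable.
  systemd.services.clone-config = {
    wantedBy = [ "multi-user.target" ];
    requires = [ "network-online.target" ];
    # Ordering, not just a dependency: without `after` the clone can race the
    # network coming up and fail, leaving no checkout behind.
    after = [ "network-online.target" ];
    path = with pkgs; [ git git-crypt ];
    script = ''
      [ -d /etc/nixos/.git ] && exit 0
      git clone https://git.inx.moe/Infinidoge/kiosk.git /etc/nixos
      cd /etc/nixos
      git-crypt unlock /etc/decryption.key
    '';
    serviceConfig.Type = "oneshot";
  };

  # git-crypt symmetric key for the configuration repo. Copied with mode
  # 0400 (setting `mode` makes environment.etc copy instead of symlink) so
  # /etc/decryption.key itself is root-only.
  # CAVEAT: referencing ./decryption.key as a path copies it into the Nix
  # store, where every file is world-readable, so the kiosk user (which runs
  # a web browser) can still read the key from /nix/store. The same applies
  # to the Tailscale auth key below. If these must be unreadable to the
  # kiosk user, deliver them outside the store (a secrets module, or a file
  # placed on the host and referenced by an absolute string path).
  environment.etc."decryption.key" = {
    source = ./decryption.key;
    mode = "0400";
  };

  # Tailnet membership for remote management: ephemeral pre-auth key,
  # node tagged tag:kiosk for the tailnet ACLs.
  services.tailscale = {
    enable = true;
    extraUpFlags = [ "--advertise-tags" "tag:kiosk" ];
    authKeyFile = ./tailscale-client-secret.key;
    authKeyParameters.ephemeral = true;
    openFirewall = true;
  };
  # Traffic arriving over the tailnet bypasses the host firewall entirely;
  # the tailnet ACLs for tag:kiosk are the effective control on what can
  # reach sshd here.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  # SSH for management, reachable over tailscale0 (trusted above) and
  # loopback only: the port is deliberately not opened on other interfaces,
  # as a kiosk on a shared network should not expose root SSH to the LAN.
  # Root may log in with a key only; password and keyboard-interactive
  # authentication are off.
  # NOTE(review): previously PermitRootLogin = "yes" with sshd open on every
  # interface. An authorized key for root
  # (users.users.root.openssh.authorizedKeys.keys) must be provisioned before
  # relying on this for access, or the box is reachable only at the console.
  services.openssh = {
    enable = true;
    openFirewall = false;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
}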