kiosk/kiosk.nix


{ pkgs, lib, ... }:
let
# Page the kiosk browser opens; interpolated into services.cage.program below.
dashboardUrl = "https://night.purduehackers.com";
in
{
# Dedicated account and matching group for the kiosk session
# (services.cage.user refers to this account by name).
# NOTE(review): the home directory sits under /tmp, so the browser profile
# lives below a shared and usually volatile directory. Confirm that is intended.
users = {
  groups.kiosk = { };
  users.kiosk = {
    isNormalUser = true;
    group = "kiosk";
    home = "/tmp/kiosk";
  };
};
# Run Firefox under the cage kiosk compositor as the unprivileged kiosk user.
# Firefox is started in kiosk mode with a private window on the dashboard URL.
services.cage = {
  enable = true;
  user = "kiosk";
  # -d: ask cage not to draw client-side decorations where possible.
  extraArguments = [ "-d" ];
  program = ''
    ${lib.getExe pkgs.firefox} \
    --kiosk \
    --private-window "${dashboardUrl}"
  '';
};
# Firefox enterprise policies: allow audio/video autoplay so the dashboard can
# play media unattended, and suppress the default-browser check (set both as a
# policy and as a preference).
# NOTE(review): the NixOS firefox module is expected to write policies.json only
# when programs.firefox.enable is true, and this file does not set it. Confirm
# it is enabled elsewhere, otherwise these policies never reach the Firefox
# instance started by cage.
programs.firefox.policies = {
  DontCheckDefaultBrowser = true;
  Permissions = {
    Autoplay.Default = "allow-audio-video";
  };
  Preferences = {
    "browser.shell.checkDefaultBrowser".Value = false;
  };
};
# Audio stack: PipeWire with its PulseAudio-compatible server. rtkit is enabled
# so the audio daemons can request realtime scheduling.
security.rtkit.enable = true;
services.pipewire.enable = true;
services.pipewire.pulse.enable = true;
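# Hold the kiosk session until the network is up. Requires= only pulls the
# target in; without After= systemd starts both in parallel and Firefox can
# come up on an error page. List options merge with what the cage module sets.
systemd.services.cage-tty1 = {
  requires = [ "network-online.target" ];
  after = [ "network-online.target" ];
};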
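# One-shot unit that places the kiosk configuration repository in /etc/nixos
# and unlocks its git-crypt encrypted files with /etc/decryption.key.
# NOTE(review): the clone takes whatever the remote's default branch currently
# holds; no commit is pinned and no signature is verified, so the contents of
# /etc/nixos are only as trustworthy as the remote and the TLS connection.
systemd.services.clone-config = {
  wantedBy = [ "multi-user.target" ];
  requires = [ "network-online.target" ];
  # Requires= does not order units; After= makes the clone wait for the network.
  after = [ "network-online.target" ];
  path = with pkgs; [ git git-crypt ];
  serviceConfig.Type = "oneshot";
  script = ''
    # git clone refuses a non-empty target, so an unconditional clone fails on
    # every boot after the first. Clone only when no checkout is present.
    if [ ! -d /etc/nixos/.git ]; then
      git clone https://git.inx.moe/Infinidoge/kiosk.git /etc/nixos
    fi
    cd /etc/nixos
    # git-crypt keeps the installed key under .git/git-crypt/keys; skip the
    # unlock when the checkout is already unlocked.
    if [ ! -e .git/git-crypt/keys/default ]; then
      git-crypt unlock /etc/decryption.key
    fi
  '';
};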
# git-crypt key consumed by the clone-config unit.
# NOTE(review): ./decryption.key is a path literal, so its contents are copied
# into the Nix store, which is world-readable by default, and
# /etc/decryption.key links to that copy. Every local account, including the
# kiosk user running the browser, can read the key. Setting a mode here would
# not help because the store copy remains. Provision the key outside the store
# (a root-only file placed at install time, or a secrets-management module) and
# reference it by absolute path instead.
environment.etc."decryption.key" = {
  source = ./decryption.key;
};
# Join the tailnet at boot as an ephemeral node advertising tag:kiosk, and open
# the Tailscale port in the firewall.
# NOTE(review): authKeyFile is given as a path literal, so the credential is
# copied into the world-readable Nix store and is readable by every local
# account. The file name suggests an OAuth client secret (to be confirmed),
# which would be longer-lived than a single-use auth key. Point authKeyFile at
# a root-only file outside the store (absolute path string) instead, and scope
# the credential to tag:kiosk only.
services.tailscale = {
  enable = true;
  openFirewall = true;
  authKeyFile = ./tailscale-client-secret.key;
  authKeyParameters = {
    ephemeral = true;
  };
  extraUpFlags = [
    "--advertise-tags"
    "tag:kiosk"
  ];
};
# Traffic arriving on tailscale0 bypasses the host firewall entirely, so every
# listening service is reachable from the tailnet. What a peer can actually
# reach is then decided only by the tailnet ACLs; keep tag:kiosk rules tight.
networking.firewall.trustedInterfaces = [ "tailscale0" ];
# Remote administration over SSH.
# NOTE(review): PermitRootLogin = "yes" allows root to log in with a password.
# openFirewall is left at the module default, which opens port 22 on every
# interface (confirm for the pinned NixOS release), not just tailscale0.
# For a physically exposed kiosk, prefer "prohibit-password" with keys in
# users.users.root.openssh.authorizedKeys.keys, and openFirewall = false so
# that SSH is reachable only through the trusted tailscale0 interface. Provision
# the key before tightening this, to avoid locking out administration.
services.openssh = {
  enable = true;
  settings.PermitRootLogin = "yes";
};
}