Begin implementing kiosk browser

This commit introduces the _kiosk.service_ unit, which launches `sway`
to start a Wayland session, which in turn launches Firefox.  The
`policies.json` file configures Firefox in a sort of kiosk mode,
disabling most features and blocking all but the desginated sites.
Unfortunately, running `firefox --kiosk` doesn't actually work: Firefox
apparently runs, but doesn't draw anything on the screen.

Note that we have to launch Firefox by its "real" path, since
`/usr/bin/firefox` is a Bash script, and Bash is not installed.
Fortunately, the wrapper script doesn't do anything we really care
about, so bypassing it is fine.

customize.sh

@@ -15,4 +15,4 @@ fi
 
 passwd -R /mnt/gentoo -d root
 
-systemctl --root=/mnt/gentoo enable wpa_supplicant@wlan0
+systemctl --root=/mnt/gentoo set-default graphical.target

install.packages

@@ -1,2 +1,3 @@
+gui-wm/sway
 net-wireless/wpa_supplicant
 media-video/pipewire

overlay/etc/firefox/policies/policies.json

@@ -0,0 +1,54 @@
+{
+  "policies": {
+    "BlockAboutAddons": true,
+    "BlockAboutConfig": true,
+    "BlockAboutProfiles": true,
+    "CaptivePortal": false,
+    "DisableDeveloperTools": true,
+    "DisableFeedbackCommands": true,
+    "DisableFirefoxScreenshots": true,
+    "DisableFirefoxSutudies": true,
+    "DisableFormHistory": true,
+    "DisableMasterPasswordCreation": true,
+    "DisablePasswordReveal": true,
+    "DisablePocket": true,
+    "DisablePrivateBrowsing": true,
+    "DisableProfileImport": true,
+    "DisableProfileRefresh": true,
+    "DisableSecurityBypass": true,
+    "DisableSetDesktopBackground": true,
+    "DNSOverHTTPS": {
+      "Enabled": false,
+      "Locked": true
+    },
+    "DontCheckDefaultBrowser": true,
+    "Homepage": {
+      "URL": "https://homeassistant.pyrocufflink.blue/dashboard-rosalina",
+      "Locked": true,
+      "StartPage": "homepage-locked"
+    },
+    "NewTabPage": false,
+    "NoDefaultBookmarks": true,
+    "OfferToSaveLogins": false,
+    "OverrideFirstRunPage": "",
+    "OverridePostUpdatePage": "",
+    "PasswordManagerEnabled": false,
+    "Preferences": {
+      "browser.sessionstore.resume_from_crash": {
+        "Value": false
+      },
+      "datareporting.policy.dataSubmissionPolicyBypassNotification": {
+        "Value": true
+      },
+      "extensions.activeThemeID": {
+        "Value": "firefox-compact-dark@mozilla.org"
+      }
+    },
+    "WebsiteFilter": {
+      "Block": ["<all_urls>"],
+      "Exceptions": [
+        "https://*.pyrocufflink.blue/*"
+      ]
+    }
+  }
+}

overlay/etc/pam.d/kiosk

@@ -0,0 +1,7 @@
+account required pam_localuser.so
+
+session optional pam_loginuid.so
+session required pam_env.so envfile=/etc/profile.env
+session required pam_limits.so
+session required pam_env.so
+session required pam_systemd.so

overlay/etc/sway/kiosk.conf

@@ -0,0 +1,14 @@
+# vim: set ft=swayconfig :
+
+output DSI-1 resolution 720x1280 transform 90
+
+input * {
+    map_to_output DSI-1
+}
+
+exec gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark
+exec gsettings set org.gnome.desktop.interface color-scheme prefer-dark
+
+exec /usr/lib64/firefox/firefox
+
+for_window [title="Mozilla Firefox"] fullscreen

overlay/usr/lib/systemd/system-preset/70-kiosk.preset

@@ -0,0 +1,3 @@
+enable wpa_supplicant@.service wlan0
+
+enable kiosk.service

overlay/usr/lib/systemd/system/kiosk.service

@@ -0,0 +1,31 @@
+[Unit]
+After=systemd-user-sessions.service plymouth-quit-wait.service
+Before=graphical.target
+ConditionPathExists=/dev/tty1
+Wants=dbus.socket systemd-logind.service
+After=dbus.socket systemd-logind.service
+Conflicts=getty@tty1.service
+After=getty@tty1.service
+Wants=time-sync.target
+After=time-sync.target
+
+[Service]
+StateDirectory=%N
+CacheDirectory=%N
+Environment=XDG_CACHE_HOME=%C/%N
+ExecStart=/usr/bin/sway -c /etc/sway/kiosk.conf
+User=kiosk
+StandardInput=tty
+StandardOutput=tty
+StandardError=journal
+TTYPath=/dev/tty1
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+PAMName=kiosk
+UtmpMode=user
+UtmpIdentifier=tty1
+
+[Install]
+WantedBy=graphical.target
+Alias=display-manager.service

overlay/usr/lib/sysusers.d/kiosk.conf

@@ -0,0 +1,2 @@
+g kiosk -
+u kiosk - "Kiosk User" /var/lib/kiosk /bin/sh