Update Aimee OS

prepare: Never sync Portage repos
To minimize unexpected changes between builds, I'm going to schedule a separate task to sync the Portage repositories. This way, we know that two runs in a row from the same source will have the same packages, unless we have specifically updated Portage.
2025-01-02 13:15:42 -06:00 · 2025-01-02 13:15:29 -06:00 · 2025-01-02 13:15:29 -06:00 · 2025-01-02 13:15:29 -06:00 · 2025-01-02 13:15:29 -06:00 · 2025-01-02 13:15:29 -06:00
15 changed files with 102 additions and 30 deletions
--- a/2
+++ b/2
--- a/2
+++ b/2
@@ -2,5 +2,5 @@ target=aarch64-unknown-linux-gnu
 profile=default/linux/arm64/23.0/systemd
 kernel_pkg=sys-kernel/raspberrypi-sources
 kernel_defconfig=bcm2835
-device_tree=broadcom/*.dtb
+device_tree=broadcom/bcm2711-rpi-4-b.dtb
 rootflags='ro rootwait=4'
--- a/config.txt
+++ b/config.txt
@@ -1,5 +1,3 @@
 # dch: Tested working 2025-01-01 08:28 CST
 arm_64bit=1
 arm_boost=1
--- a/customize.sh
+++ b/customize.sh
@@ -7,13 +7,12 @@ O=$1
 export PORTAGE_CONFIGROOT="$O"/portage
 if [ ! -f /mnt/gentoo/usr/lib64/firefox/firefox ]; then
    ${target}-emerge -vbknuUDj --onlydeps --with-bdeps=n www-client/firefox:esr
    PORTAGE_BINHOST=https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64 \
    ${target}-emerge -vgKnj --root=/mnt/gentoo www-client/firefox:esr
 fi
 passwd -R /mnt/gentoo -d root
-groupadd -R /mnt/gentoo -r kiosk
+systemctl --root=/mnt/gentoo set-default graphical.target
 useradd -R /mnt/gentoo -r -m -d /home/kiosk -g kiosk kiosk
 systemctl --root=/mnt/gentoo enable wpa_supplicant@wlan0
--- a/linux.config
+++ b/linux.config
@@ -46,6 +46,7 @@ CONFIG_IPV6_SIT=m
 CONFIG_IPV6_SIT_6RD=m
 CONFIG_INPUT_TOUCHSCREEN=y
 CONFIG_TOUCHSCREEN_GOODIX=m
 CONFIG_TOUCHSCREEN_EDT_FT5X06=m
 CONFIG_TOUCHSCREEN_RASPBERRYPI_FW=m
@@ -117,7 +118,9 @@ CONFIG_MEMCG=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_BPF=y
 CONFIG_BLK_CGROUP=y
 CONFIG_USER_NS=y
 CONFIG_I2C_HID_OF_GOODIX=m
 CONFIG_USB_DWC2=m
 CONFIG_USB_DWC2_PCI=m
 CONFIG_USB_ACM=m
--- a/overlay/etc/firefox/policies/policies.json
+++ b/overlay/etc/firefox/policies/policies.json
@@ -0,0 +1,54 @@
 {
  "policies": {
    "BlockAboutAddons": true,
    "BlockAboutConfig": true,
    "BlockAboutProfiles": true,
    "CaptivePortal": false,
    "DisableDeveloperTools": true,
    "DisableFeedbackCommands": true,
    "DisableFirefoxScreenshots": true,
    "DisableFirefoxSutudies": true,
    "DisableFormHistory": true,
    "DisableMasterPasswordCreation": true,
    "DisablePasswordReveal": true,
    "DisablePocket": true,
    "DisablePrivateBrowsing": true,
    "DisableProfileImport": true,
    "DisableProfileRefresh": true,
    "DisableSecurityBypass": true,
    "DisableSetDesktopBackground": true,
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    },
    "DontCheckDefaultBrowser": true,
    "Homepage": {
      "URL": "https://homeassistant.pyrocufflink.blue/dashboard-rosalina",
      "Locked": true,
      "StartPage": "homepage-locked"
    },
    "NewTabPage": false,
    "NoDefaultBookmarks": true,
    "OfferToSaveLogins": false,
    "OverrideFirstRunPage": "",
    "OverridePostUpdatePage": "",
    "PasswordManagerEnabled": false,
    "Preferences": {
      "browser.sessionstore.resume_from_crash": {
        "Value": false
      },
      "datareporting.policy.dataSubmissionPolicyBypassNotification": {
        "Value": true
      },
      "extensions.activeThemeID": {
        "Value": "firefox-compact-dark@mozilla.org"
      }
    },
    "WebsiteFilter": {
      "Block": ["<all_urls>"],
      "Exceptions": [
        "https://*.pyrocufflink.blue/*"
      ]
    }
  }
 }
--- a/overlay/etc/pam.d/kiosk
+++ b/overlay/etc/pam.d/kiosk
@@ -4,5 +4,4 @@ session optional pam_loginuid.so
 session required pam_env.so envfile=/etc/profile.env
 session required pam_limits.so
 session required pam_env.so
 session required pam_unix.so
 session required pam_systemd.so
--- a/overlay/etc/sway/kiosk.conf
+++ b/overlay/etc/sway/kiosk.conf
@@ -0,0 +1,14 @@
 # vim: set ft=swayconfig :
 output DSI-1 resolution 720x1280 transform 90
 input * {
    map_to_output DSI-1
 }
 exec gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark
 exec gsettings set org.gnome.desktop.interface color-scheme prefer-dark
 exec /usr/lib64/firefox/firefox
 for_window [title="Mozilla Firefox"] fullscreen
--- a/overlay/root/.ssh/authorized_keys
+++ b/overlay/root/.ssh/authorized_keys
@@ -0,0 +1,4 @@
 sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.p
 yrocufflink.blue
 sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyroc
 ufflink.blue
--- a/overlay/usr/lib/systemd/system-preset/70-kiosk.preset
+++ b/overlay/usr/lib/systemd/system-preset/70-kiosk.preset
@@ -0,0 +1,3 @@
 enable wpa_supplicant@.service wlan0
 enable kiosk.service
--- a/overlay/usr/lib/systemd/system/kiosk.service
+++ b/overlay/usr/lib/systemd/system/kiosk.service
@@ -10,9 +10,11 @@ Wants=time-sync.target
 After=time-sync.target
 [Service]
-ExecStart=/usr/bin/sway -d
+StateDirectory=%N
 CacheDirectory=%N
 Environment=XDG_CACHE_HOME=%C/%N
 ExecStart=/usr/bin/sway -c /etc/sway/kiosk.conf
 User=kiosk
 Environment=WLR_LIBINPUT_NO_DEVICES=1
 StandardInput=tty
 StandardOutput=tty
 StandardError=journal
@@ -23,3 +25,7 @@ TTYVTDisallocate=yes
 PAMName=kiosk
 UtmpMode=user
 UtmpIdentifier=tty1
 [Install]
 WantedBy=graphical.target
 Alias=display-manager.service
--- a/overlay/usr/lib/sysusers.d/kiosk.conf
+++ b/overlay/usr/lib/sysusers.d/kiosk.conf
@@ -0,0 +1,2 @@
 g kiosk -
 u kiosk - "Kiosk User" /var/lib/kiosk /bin/sh
--- a/portage/make.conf/systemd.conf
+++ b/portage/make.conf/systemd.conf
@@ -1,9 +1 @@
-INSTALL_MASK="
+INSTALL_MASK="${INSTALL_MASK} /usr/lib/systemd/systemd-nsresourced* /usr/lib/systemd/system/systemd-nsresourced.*"
 ${INSTALL_MASK}
 /etc/ssh/ssh*_config.d/*systemd*
 /usr/lib/systemd/ssh_config.d
 /usr/lib/systemd/sshd_config.d
 /usr/lib/systemd/system-generators/systemd-ssh-generator
 /usr/lib/systemd/system/systemd-nsresourced.*
 /usr/lib/systemd/systemd-nsresourced*
 "
--- a/prepare.sh
+++ b/prepare.sh
@@ -2,13 +2,6 @@
 . "${CONFIGDIR:=${PWD}}"/config
 if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then
    emerge-webrsync
 fi
 if [ "$(find /var/db/repos/gentoo/metadata -newermt '-24 hours' | wc -l)" -eq 0 ]; then
    emaint sync
 fi
 mkdir -p /etc/portage/package.use
 mkdir -p /etc/portage/make.conf
 echo 'virtual/libudev systemd' >> /etc/portage/package.use/systemd
--- a/squashfs.exclude
+++ b/squashfs.exclude
@@ -0,0 +1,5 @@
 etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
 etc/ssh/sshd_config.d/20-systemd-userdb.conf
 usr/lib/systemd/ssh_config.d
 usr/lib/systemd/sshd_config.d
 usr/lib/systemd/system-generators/systemd-ssh-generator
Author	SHA1	Message	Date
Dustin C. Hatch	43e1df1a93	Update Aimee OS All checks were successful dustin/photoframe2/pipeline/pr-main This commit looks good Details	2025-01-02 13:15:42 -06:00
Dustin C. Hatch	c0158d134d	prepare: Never sync Portage repos To minimize unexpected changes between builds, I'm going to schedule a separate task to sync the Portage repositories. This way, we know that two runs in a row from the same source will have the same packages, unless we have specifically updated Portage.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	bab1684198	overlay: Add authorized SSH keys for root Adding my personal keys so I can manage the system remotely.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	ddf7626283	kernel: Enable user namespaces for Firefox Firefox complains about "security features" not working if this is not enabled.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	61f254b594	exclude: Omit systemd-ssh-generator This thing is pointless. Unfortunately, we cannot use Portage's `INSTALL_MASK` feature as it doesn't work for symbolic links. Since _systemd_ installs symlinks in `/etc/ssh` that point to files we would mask, those symlinks would point to nothing, which would cause `sshd` to fail to start as it is unable to open those files. Thus, we have to omit these files by excluding them from the squashfs image.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	dd89e700b0	kernel: Enable BPF firewall for systemd _systemd_ complains if this is not enabled, as it prevents certain sandbox features from working.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	6212c04f6b	kernel/firmware: Support RPi GPU, touchscreen Getting the Raspberry Pi 4 GPU and 7-inch Touch Display 2 working was quite challenging. Several kernel drivers are needed, beyond the obvious VC4 and V3D, like voltage regulators and backlight controls. Even with all the drivers enabled, I still had trouble getting `/dev/dri/card1` (the display device, as opposed to `/dev/dri/card0`, the 3D rendering device) to appear until I explicitly enabled the `vc4-kms-dsi-ili9881-7inch` device tree overlay. I am not entirely sure why this is necessary, since `display_auto_detect` supposedly should have added this overlay automatically. I am also not sure how it would work if I wanted to use an HDMI monitor instead of the DSI panel, but fortunately, for this project, that's not necessary.	2025-01-02 13:15:29 -06:00
Dustin C. Hatch	b3fa910a6a	Begin implementing kiosk browser This commit introduces the _kiosk.service_ unit, which launches `sway` to start a Wayland session, which in turn launches Firefox. The `policies.json` file configures Firefox in a sort of kiosk mode, disabling most features and blocking all but the desginated sites. Unfortunately, running `firefox --kiosk` doesn't actually work: Firefox apparently runs, but doesn't draw anything on the screen. Note that we have to launch Firefox by its "real" path, since `/usr/bin/firefox` is a Bash script, and Bash is not installed. Fortunately, the wrapper script doesn't do anything we really care about, so bypassing it is fine.	2025-01-02 12:59:57 -06:00
Dustin C. Hatch	216bdfde50	ci: archive build logs on failure	2025-01-02 12:23:26 -06:00
Dustin C. Hatch	6dfea85036	Install Firefox from Gentoo binpkg Unfortunately, even building Firefox with GCC fails: > 3:30.02 [gecko-profiler 0.1.0] /../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found > 3:30.02 [gecko-profiler 0.1.0] thread 'main' panicked at tools/profiler/rust-api/build.rs:104:10: > 3:30.02 [gecko-profiler 0.1.0] Unable to generate bindings: ClangDiagnostic("/../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found\n") Clearly, something is misconfigured, because `stdlib.h` does indeed exist. I am not sure what, though, and I am getting tired of messing with this. Fortunately, the official Gentoo binary package project has a build of _www-client/firefox_ for ARM64. It has a rather different USE flag configuration than what we did, though, so we have to pull in quite a few more dependencies. We can't just add _www-client/firefox_ to `install.packages` because Aimee OS runs `emerge` with `--getbinpkgonly`, which implies `--binpkg-changed-deps=y`. This since we want to build everything _except_ Firefox locally, the dependency graph is quite a bit different, so Portage ignores the binary package and will try to build _www-client/firefox_ from source. To work around this limitation, we need to install Firefox manually in the `customize.sh` script in two phases. First, we install all of its dependencies in the build root (`/usr/aarch64-…`), but not Firefox itself, to get binpkgs for them. Then, we install _www-client/firefox_ in the target root (`/mnt/gentoo`) with the `--getbinpkg` and `--usepkgonly` flags. Hopefully, one day I can figure out how to cross-compile Firefox (and it doesn't take days to build once I do), and we can remove this hackery.	2025-01-02 12:23:26 -06:00
		`@@ -0,0 +1,3 @@`
							`enable wpa_supplicant@.service wlan0`

							`enable kiosk.service`
		`@@ -0,0 +1,2 @@`
							`g kiosk -`
							`u kiosk - "Kiosk User" /var/lib/kiosk /bin/sh`