dustin
/
photoframe2
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Compare commits

base: dustin:b2a7b2345cd011d059db81f443fd22aaac4ae43b
Branches Tags
dustin:kiosk
dustin:main
..
compare: dustin:43e1df1a936bb32577db5902a1f30293376a6c10
Branches Tags
dustin:kiosk
dustin:main

10 Commits
b2a7b2345c ... 43e1df1a93

Author SHA1 Message Date
Dustin 43e1df1a93 Update Aimee OS
dustin/photoframe2/pipeline/pr-main This commit looks good Details
2025-01-02 13:15:42 -06:00
Dustin c0158d134d prepare: Never sync Portage repos 
To minimize unexpected changes between builds, I'm going to schedule a
separate task to sync the Portage repositories.  This way, we know that
two runs in a row from the same source will have the same packages,
unless we have specifically updated Portage.
 2025-01-02 13:15:29 -06:00
Dustin bab1684198 overlay: Add authorized SSH keys for root 
Adding my personal keys so I can manage the system remotely.
 2025-01-02 13:15:29 -06:00
Dustin ddf7626283 kernel: Enable user namespaces for Firefox 
Firefox complains about "security features" not working if this is not
enabled.
 2025-01-02 13:15:29 -06:00
Dustin 61f254b594 exclude: Omit systemd-ssh-generator 
This thing is pointless.

Unfortunately, we cannot use Portage's `INSTALL_MASK` feature as it
doesn't work for symbolic links. Since _systemd_ installs symlinks in
`/etc/ssh` that point to files we would mask, those symlinks would point
to nothing, which would cause `sshd` to fail to start as it is unable to
open those files.  Thus, we have to omit these files by excluding them
from the squashfs image.
 2025-01-02 13:15:29 -06:00
Dustin dd89e700b0 kernel: Enable BPF firewall for systemd 
_systemd_ complains if this is not enabled, as it prevents certain
sandbox features from working.
 2025-01-02 13:15:29 -06:00
Dustin 6212c04f6b kernel/firmware: Support RPi GPU, touchscreen 
Getting the Raspberry Pi 4 GPU and 7-inch Touch Display 2 working was
quite challenging.  Several kernel drivers are needed, beyond the
obvious VC4 and V3D, like voltage regulators and backlight controls.
Even with all the drivers enabled, I still had trouble getting
`/dev/dri/card1` (the display device, as opposed to `/dev/dri/card0`,
the 3D rendering device) to appear until I explicitly enabled the
`vc4-kms-dsi-ili9881-7inch` device tree overlay.  I am not entirely sure
why this is necessary, since `display_auto_detect` supposedly should
have added this overlay automatically.  I am also not sure how it would
work if I wanted to use an HDMI monitor instead of the DSI panel, but
fortunately, for this project, that's not necessary.
 2025-01-02 13:15:29 -06:00
Dustin b3fa910a6a Begin implementing kiosk browser 
This commit introduces the _kiosk.service_ unit, which launches `sway`
to start a Wayland session, which in turn launches Firefox.  The
`policies.json` file configures Firefox in a sort of kiosk mode,
disabling most features and blocking all but the desginated sites.
Unfortunately, running `firefox --kiosk` doesn't actually work: Firefox
apparently runs, but doesn't draw anything on the screen.

Note that we have to launch Firefox by its "real" path, since
`/usr/bin/firefox` is a Bash script, and Bash is not installed.
Fortunately, the wrapper script doesn't do anything we really care
about, so bypassing it is fine.
 2025-01-02 12:59:57 -06:00
Dustin 216bdfde50 ci: archive build logs on failure 2025-01-02 12:23:26 -06:00
Dustin 6dfea85036 Install Firefox from Gentoo binpkg 
Unfortunately, even building Firefox with GCC fails:

> 3:30.02 [gecko-profiler 0.1.0] /../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found
> 3:30.02 [gecko-profiler 0.1.0] thread 'main' panicked at tools/profiler/rust-api/build.rs:104:10:
> 3:30.02 [gecko-profiler 0.1.0] Unable to generate bindings: ClangDiagnostic("/../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found\n")

Clearly, something is misconfigured, because `stdlib.h` does indeed
exist.  I am not sure what, though, and I am getting tired of messing
with this.

Fortunately, the official Gentoo binary package project has a build of
_www-client/firefox_ for ARM64.  It has a rather different USE flag
configuration than what we did, though, so we have to pull in quite a
few more dependencies.

We can't just add _www-client/firefox_ to `install.packages` because
Aimee OS runs `emerge` with `--getbinpkgonly`, which implies
`--binpkg-changed-deps=y`.  This since we want to build everything
_except_ Firefox locally, the dependency graph is quite a bit different,
so Portage ignores the binary package and will try to build
_www-client/firefox_ from source.

To work around this limitation, we need to install Firefox manually in
the `customize.sh` script in two phases.  First, we install all of its
dependencies in the build root (`/usr/aarch64-…`), but not Firefox
itself, to get binpkgs for them.  Then, we install _www-client/firefox_
in the target root (`/mnt/gentoo`) with the `--getbinpkg` and
`--usepkgonly` flags.

Hopefully, one day I can figure out how to cross-compile Firefox (and it
doesn't take days to build once I do), and we can remove this hackery.
 2025-01-02 12:23:26 -06:00
15 changed files with 102 additions and 30 deletions
Show Stats Expand all files Collapse all files

2
aimee-os

@ -1 +1 @@
Subproject commit 36429459e1f40de0989189d2b8296e73be81a602
Subproject commit b43e8319f4655ccef463100f198e45c30401c27b

2
config
View File

@ -2,5 +2,5 @@ target=aarch64-unknown-linux-gnu
profile=default/linux/arm64/23.0/systemd
kernel_pkg=sys-kernel/raspberrypi-sources
kernel_defconfig=bcm2835
device_tree=broadcom/*.dtb
device_tree=broadcom/bcm2711-rpi-4-b.dtb
rootflags='ro rootwait=4'

2
config.txt
View File

@ -1,5 +1,3 @@
# dch: Tested working 2025-01-01 08:28 CST
arm_64bit=1
arm_boost=1

13
customize.sh
View File

@ -7,13 +7,12 @@ O=$1
export PORTAGE_CONFIGROOT="$O"/portage
${target}-emerge -vbknuUDj --onlydeps --with-bdeps=n www-client/firefox:esr
PORTAGE_BINHOST=https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64 \
${target}-emerge -vgKnj --root=/mnt/gentoo www-client/firefox:esr
if [ ! -f /mnt/gentoo/usr/lib64/firefox/firefox ]; then
${target}-emerge -vbknuUDj --onlydeps --with-bdeps=n www-client/firefox:esr
PORTAGE_BINHOST=https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64 \
${target}-emerge -vgKnj --root=/mnt/gentoo www-client/firefox:esr
fi
passwd -R /mnt/gentoo -d root
groupadd -R /mnt/gentoo -r kiosk
useradd -R /mnt/gentoo -r -m -d /home/kiosk -g kiosk kiosk
systemctl --root=/mnt/gentoo enable wpa_supplicant@wlan0
systemctl --root=/mnt/gentoo set-default graphical.target

3
linux.config
View File

@ -46,6 +46,7 @@ CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=m
CONFIG_INPUT_TOUCHSCREEN=y
CONFIG_TOUCHSCREEN_GOODIX=m
CONFIG_TOUCHSCREEN_EDT_FT5X06=m
CONFIG_TOUCHSCREEN_RASPBERRYPI_FW=m
@ -117,7 +118,9 @@ CONFIG_MEMCG=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_BPF=y
CONFIG_BLK_CGROUP=y
CONFIG_USER_NS=y
CONFIG_I2C_HID_OF_GOODIX=m
CONFIG_USB_DWC2=m
CONFIG_USB_DWC2_PCI=m
CONFIG_USB_ACM=m

54
overlay/etc/firefox/policies/policies.json Normal file
View File

@ -0,0 +1,54 @@
{
"policies": {
"BlockAboutAddons": true,
"BlockAboutConfig": true,
"BlockAboutProfiles": true,
"CaptivePortal": false,
"DisableDeveloperTools": true,
"DisableFeedbackCommands": true,
"DisableFirefoxScreenshots": true,
"DisableFirefoxSutudies": true,
"DisableFormHistory": true,
"DisableMasterPasswordCreation": true,
"DisablePasswordReveal": true,
"DisablePocket": true,
"DisablePrivateBrowsing": true,
"DisableProfileImport": true,
"DisableProfileRefresh": true,
"DisableSecurityBypass": true,
"DisableSetDesktopBackground": true,
"DNSOverHTTPS": {
"Enabled": false,
"Locked": true
},
"DontCheckDefaultBrowser": true,
"Homepage": {
"URL": "https://homeassistant.pyrocufflink.blue/dashboard-rosalina",
"Locked": true,
"StartPage": "homepage-locked"
},
"NewTabPage": false,
"NoDefaultBookmarks": true,
"OfferToSaveLogins": false,
"OverrideFirstRunPage": "",
"OverridePostUpdatePage": "",
"PasswordManagerEnabled": false,
"Preferences": {
"browser.sessionstore.resume_from_crash": {
"Value": false
},
"datareporting.policy.dataSubmissionPolicyBypassNotification": {
"Value": true
},
"extensions.activeThemeID": {
"Value": "firefox-compact-dark@mozilla.org"
}
},
"WebsiteFilter": {
"Block": ["<all_urls>"],
"Exceptions": [
"https://*.pyrocufflink.blue/*"
]
}
}
}

1
overlay/etc/pam.d/kiosk
View File

@ -4,5 +4,4 @@ session optional pam_loginuid.so
session required pam_env.so envfile=/etc/profile.env
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session required pam_systemd.so

14
overlay/etc/sway/kiosk.conf Normal file
View File

@ -0,0 +1,14 @@
# vim: set ft=swayconfig :
output DSI-1 resolution 720x1280 transform 90
input * {
map_to_output DSI-1
}
exec gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark
exec gsettings set org.gnome.desktop.interface color-scheme prefer-dark
exec /usr/lib64/firefox/firefox
for_window [title="Mozilla Firefox"] fullscreen

4
overlay/root/.ssh/authorized_keys Normal file
View File

@ -0,0 +1,4 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.p
yrocufflink.blue
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyroc
ufflink.blue

3
overlay/usr/lib/systemd/system-preset/70-kiosk.preset Normal file
View File

@ -0,0 +1,3 @@
enable wpa_supplicant@.service wlan0
enable kiosk.service

10
overlay/usr/lib/systemd/system/kiosk.service
View File

@ -10,9 +10,11 @@ Wants=time-sync.target
After=time-sync.target
[Service]
ExecStart=/usr/bin/sway -d
StateDirectory=%N
CacheDirectory=%N
Environment=XDG_CACHE_HOME=%C/%N
ExecStart=/usr/bin/sway -c /etc/sway/kiosk.conf
User=kiosk
Environment=WLR_LIBINPUT_NO_DEVICES=1
StandardInput=tty
StandardOutput=tty
StandardError=journal
@ -23,3 +25,7 @@ TTYVTDisallocate=yes
PAMName=kiosk
UtmpMode=user
UtmpIdentifier=tty1
[Install]
WantedBy=graphical.target
Alias=display-manager.service

2
overlay/usr/lib/sysusers.d/kiosk.conf Normal file
View File

@ -0,0 +1,2 @@
g kiosk -
u kiosk - "Kiosk User" /var/lib/kiosk /bin/sh

10
portage/make.conf/systemd.conf
View File

@ -1,9 +1 @@
INSTALL_MASK="
${INSTALL_MASK}
/etc/ssh/ssh*_config.d/*systemd*
/usr/lib/systemd/ssh_config.d
/usr/lib/systemd/sshd_config.d
/usr/lib/systemd/system-generators/systemd-ssh-generator
/usr/lib/systemd/system/systemd-nsresourced.*
/usr/lib/systemd/systemd-nsresourced*
"
INSTALL_MASK="${INSTALL_MASK} /usr/lib/systemd/systemd-nsresourced* /usr/lib/systemd/system/systemd-nsresourced.*"

7
prepare.sh
View File

@ -2,13 +2,6 @@
. "${CONFIGDIR:=${PWD}}"/config
if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then
emerge-webrsync
fi
if [ "$(find /var/db/repos/gentoo/metadata -newermt '-24 hours' | wc -l)" -eq 0 ]; then
emaint sync
fi
mkdir -p /etc/portage/package.use
mkdir -p /etc/portage/make.conf
echo 'virtual/libudev systemd' >> /etc/portage/package.use/systemd

5
squashfs.exclude Normal file
View File

@ -0,0 +1,5 @@
etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
etc/ssh/sshd_config.d/20-systemd-userdb.conf
usr/lib/systemd/ssh_config.d
usr/lib/systemd/sshd_config.d
usr/lib/systemd/system-generators/systemd-ssh-generator