About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Qubes OS Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. Qubes OS core team member, former OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work. If you enjoy this blog, you can sponsor my open source work financially so I can write this blog and contribute to Free Software as my daily job.

A NixOS kiosk

Written by Solène, on 06 October 2022.
Tags: #linux #security #nixos

Comments on Fediverse/Mastodon

1. Introduction §

A kiosk, in the sysadmin jargon, is a computer that is restricted to a single program so anyone can use it for the sole provided purpose. You may have seen kiosk computers here and there, often wrapped in some kind of box with just a touch screen available. ATM are kiosks, most screens showing some information are also kiosks.

What if you wanted to build a kiosk yourself? For having done a bunch of kiosk computers a few years ago, it's not an easy task, you need to think about:

  • how to make boot process bullet proof?
  • which desktop environment to use?
  • will the system show notifications you don't want?
  • can the user escape from the kiosk program?

Nowadays, we have more tooling available to ease kiosk making. There is also a distinction that has to be made between kiosks used displaying things, and kiosks used by users. The latter is more complicated and require lot of work, the former is a bit easier, especially with the new tools we will see in this article.

2. Cage §

The tool used in this blog post is named Cage, it's a program running a Wayland display that only allow one single window to be shown at once.

Cage GitHub project page

Using cage, we will be able to start a program in fullscreen, and only it, without having any notification, desktop, title bar etc...

In my case, I want to open firefox to open a local file used to display monitoring information. Firefox can still be used "normally" because hardening it would require a lot of work, but it's fine because I'm at home and it's just to display gauges and diagrams.

3. NixOS configuration §

Here is the piece of code that will start the firefox window at boot automatically. Note that you need to disable any X server related configuration.

  services.cage = {
      enable = true;
      user = "solene";
      program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///home/solene/monitoring.html";
  };

Firefox has a few special flags, such as -kiosk to disable a few components, and -private-window to not mix with the current history. This is clearly not enough to prevent someone to use Firefox for whatever they want, but it's fine to handle a display of a single page reliably.

4. Conclusion §

I wish I had something like Cage available back in the time I had to make kiosks. I can enjoy my low power netbook just displayin monitoring graphs at home now.

a netbook displaying graphs
a netbook displaying graphs