About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(Qubes OS BSD OpenBSD Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. Qubes OS core team member, former OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work.

A NixOS kiosk

Written by Solène, on 06 October 2022.
Tags: #linux #security #nixos

Comments on Fediverse/Mastodon

1. Introduction §

A kiosk, in the sysadmin jargon, is a computer that is restricted to a single program so anyone can use it for the sole provided purpose. You may have seen kiosk computers here and there, often wrapped in some kind of box with just a touch screen available. ATM are kiosks, most screens showing some information are also kiosks.

What if you wanted to build a kiosk yourself? For having done a bunch of kiosk computers a few years ago, it's not an easy task, you need to think about:

  • how to make boot process bullet proof?
  • which desktop environment to use?
  • will the system show notifications you don't want?
  • can the user escape from the kiosk program?

Nowadays, we have more tooling available to ease kiosk making. There is also a distinction that has to be made between kiosks used displaying things, and kiosks used by users. The latter is more complicated and require lot of work, the former is a bit easier, especially with the new tools we will see in this article.

2. Cage §

The tool used in this blog post is named Cage, it's a program running a Wayland display that only allow one single window to be shown at once.

Cage GitHub project page

Using cage, we will be able to start a program in fullscreen, and only it, without having any notification, desktop, title bar etc...

In my case, I want to open firefox to open a local file used to display monitoring information. Firefox can still be used "normally" because hardening it would require a lot of work, but it's fine because I'm at home and it's just to display gauges and diagrams.

3. NixOS configuration §

Here is the piece of code that will start the firefox window at boot automatically. Note that you need to disable any X server related configuration. 

  services.cage = {
      enable = true;
      user = "solene";
      program = "${pkgs.firefox}/bin/firefox -kiosk -private-window file:///home/solene/monitoring.html";
  };

Firefox has a few special flags, such as -kiosk to disable a few components, and -private-window to not mix with the current history. This is clearly not enough to prevent someone to use Firefox for whatever they want, but it's fine to handle a display of a single page reliably.

4. Conclusion §

I wish I had something like Cage available back in the time I had to make kiosks. I can enjoy my low power netbook just displayin monitoring graphs at home now.

a netbook displaying graphs
a netbook displaying graphs