m/nixos-kiosk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Michael Smith 2025-05-25 12:23:04 +02:00
parent 70c1e47a69
commit 7f032ce415
9 changed files with 609 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
flake.lock generated Normal file
View File

@ -0,0 +1,65 @@
{
"nodes": {
"devshell": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741473158,
"narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
"owner": "numtide",
"repo": "devshell",
"rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1747900541,
"narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1748037224,
"narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"devshell": "devshell",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

80
flake.nix Normal file
View File

@ -0,0 +1,80 @@
{
description = "Manage infrastructure using Nix";
inputs = {
nixpkgs = {
url = "github:nixos/nixpkgs/nixos-24.11";
};
devshell = {
url = "github:numtide/devshell";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
};
outputs = {
self,
nixpkgs,
devshell,
nixos-hardware,
} @ inputs: let
forAllSystems = function:
nixpkgs.lib.genAttrs [
"x86_64-linux"
"x86_64-darwin"
"aarch64-linux"
"aarch64-darwin"
] (system:
function (import nixpkgs {
inherit system;
overlays = [
devshell.overlays.default
];
}));
in {
nixosConfigurations = {
pinix = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs;};
modules = [
nixos-hardware.nixosModules.raspberry-pi-4
./modules/common/nix
./modules/server
./machines/pinix
];
};
};
formatter = forAllSystems (pkgs: pkgs.alejandra);
devShells = forAllSystems (pkgs: {
default = pkgs.devshell.mkShell {
name = "NixOS Configuration";
packages = with pkgs; [
nixos-rebuild
];
commands = [
{
name = "config:deploy";
help = ''
Use as `config:deploy HOST {switch|build} EXTRA_ARGS`.
Assumes you have a valid ssh configuration for HOST in ~/.ssh/config
'';
command = ''
host=$1 # Assign first ARGV to host
shift # Remove host from ARGV
nixos-rebuild --flake ".#$host" \
--build-host $host \
--target-host $host \
--use-remote-sudo \
--fast \
"$@"
'';
}
];
};
});
};
}

109
machines/pinix/default.nix Normal file
View File

@ -0,0 +1,109 @@
{
config,
pkgs,
lib,
...
}: {
imports = [
./hardware-configuration.nix
./kiosk.nix
];
hardware.raspberry-pi."4".fkms-3d.enable = true;
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
consoleLogLevel = 0;
kernelParams = ["quiet"];
initrd.verbose = false;
plymouth.enable = true;
};
networking = {
usePredictableInterfaceNames = false;
hostName = "kiosk-pi";
wireless = {
enable = true;
interfaces = ["wlan0"];
networks = {
"SSID" = {
pskRaw = "CHANGEME";
};
};
};
interfaces.wlan0.ipv4.addresses = [
{
address = "192.168.1.2";
prefixLength = 24;
}
];
defaultGateway = "192.168.1.1";
nameservers = ["192.168.1.1"];
};
# Set your time zone.
time.timeZone = "Europe/Brussels";
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver = {
enable = true;
desktopManager.xterm.enable = false;
windowManager.i3 = {
enable = true;
extraPackages = with pkgs; [
dmenu
i3lock
i3status
];
};
# NOTE: This kiosk uses a display in portrait mode
xrandrHeads = [
{
monitorConfig = ''Option "Rotate" "left"'';
output = "HDMI-1";
}
];
};
services.displayManager.defaultSession = "none+i3";
services.displayManager.autoLogin = {
enable = true;
user = "kioskuser";
};
users = {
mutableUsers = true;
users = {
kioskuser = {
isNormalUser = true;
home = "/home/kioskuser";
extraGroups = ["video" "input"];
description = "Kiosk user";
openssh.authorizedKeys.keys = [
"YOUR PUBLIC SSH KEY"
];
};
root = {
openssh.authorizedKeys.keys = [
"YOUR PUBLIC SSH KEY"
];
};
};
};
environment.systemPackages = with pkgs; [
chromium
htop
unclutter
];
system.stateVersion = "24.11";
}

184
machines/pinix/dotfiles/i3-config Normal file
View File

@ -0,0 +1,184 @@
# This file has been auto-generated by i3-config-wizard(1).
# It will not be overwritten, so edit it as you like.
#
# Should you change your keyboard layout some time, delete
# this file and re-run i3-config-wizard(1).
#
# i3 config file (v4)
#
# Please see https://i3wm.org/docs/userguide.html for a complete reference!
set $mod Mod4
# Font for window titles. Will also be used by the bar unless a different font
# is used in the bar {} block below.
font pango:monospace 8
# This font is widely installed, provides lots of unicode glyphs, right-to-left
# text rendering and scalability on retina/hidpi displays (thanks to pango).
#font pango:DejaVu Sans Mono 8
# The combination of xss-lock, nm-applet and pactl is a popular choice, so
# they are included here as an example. Modify as you see fit.
# xss-lock grabs a logind suspend inhibit lock and will use i3lock to lock the
# screen before suspend. Use loginctl lock-session to lock your screen.
exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork
# NetworkManager is the most popular way to manage wireless networks on Linux,
# and nm-applet is a desktop environment-independent system tray GUI for it.
exec --no-startup-id nm-applet
# Use pactl to adjust volume in PulseAudio.
set $refresh_i3status killall -SIGUSR1 i3status
bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +10% && $refresh_i3status
bindsym XF86AudioLowerVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -10% && $refresh_i3status
bindsym XF86AudioMute exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle && $refresh_i3status
bindsym XF86AudioMicMute exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle && $refresh_i3status
# Use Mouse+$mod to drag floating windows to their wanted position
floating_modifier $mod
# start a terminal
bindsym $mod+Return exec i3-sensible-terminal
# kill focused window
bindsym $mod+Shift+q kill
# start dmenu (a program launcher)
bindsym $mod+d exec --no-startup-id dmenu_run
# A more modern dmenu replacement is rofi:
# bindcode $mod+40 exec "rofi -modi drun,run -show drun"
# There also is i3-dmenu-desktop which only displays applications shipping a
# .desktop file. It is a wrapper around dmenu, so you need that installed.
# bindcode $mod+40 exec --no-startup-id i3-dmenu-desktop
# change focus
bindsym $mod+j focus left
bindsym $mod+k focus down
bindsym $mod+l focus up
bindsym $mod+semicolon focus right
# alternatively, you can use the cursor keys:
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right
# move focused window
bindsym $mod+Shift+j move left
bindsym $mod+Shift+k move down
bindsym $mod+Shift+l move up
bindsym $mod+Shift+semicolon move right
# alternatively, you can use the cursor keys:
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right
# split in horizontal orientation
bindsym $mod+h split h
# split in vertical orientation
bindsym $mod+v split v
# enter fullscreen mode for the focused container
bindsym $mod+f fullscreen toggle
# change container layout (stacked, tabbed, toggle split)
bindsym $mod+s layout stacking
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split
# toggle tiling / floating
bindsym $mod+Shift+space floating toggle
# change focus between tiling / floating windows
bindsym $mod+space focus mode_toggle
# focus the parent container
bindsym $mod+a focus parent
# focus the child container
#bindsym $mod+d focus child
# Define names for default workspaces for which we configure key bindings later on.
# We use variables to avoid repeating the names in multiple places.
set $ws1 "1"
set $ws2 "2"
set $ws3 "3"
set $ws4 "4"
set $ws5 "5"
set $ws6 "6"
set $ws7 "7"
set $ws8 "8"
set $ws9 "9"
set $ws10 "10"
# switch to workspace
bindsym $mod+1 workspace number $ws1
bindsym $mod+2 workspace number $ws2
bindsym $mod+3 workspace number $ws3
bindsym $mod+4 workspace number $ws4
bindsym $mod+5 workspace number $ws5
bindsym $mod+6 workspace number $ws6
bindsym $mod+7 workspace number $ws7
bindsym $mod+8 workspace number $ws8
bindsym $mod+9 workspace number $ws9
bindsym $mod+0 workspace number $ws10
# move focused container to workspace
bindsym $mod+Shift+1 move container to workspace number $ws1
bindsym $mod+Shift+2 move container to workspace number $ws2
bindsym $mod+Shift+3 move container to workspace number $ws3
bindsym $mod+Shift+4 move container to workspace number $ws4
bindsym $mod+Shift+5 move container to workspace number $ws5
bindsym $mod+Shift+6 move container to workspace number $ws6
bindsym $mod+Shift+7 move container to workspace number $ws7
bindsym $mod+Shift+8 move container to workspace number $ws8
bindsym $mod+Shift+9 move container to workspace number $ws9
bindsym $mod+Shift+0 move container to workspace number $ws10
# reload the configuration file
bindsym $mod+Shift+c reload
# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
bindsym $mod+Shift+r restart
# exit i3 (logs you out of your X session)
bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -B 'Yes, exit i3' 'i3-msg exit'"
# resize window (you can also use the mouse for that)
mode "resize" {
# These bindings trigger as soon as you enter the resize mode
# Pressing left will shrink the windows width.
# Pressing right will grow the windows width.
# Pressing up will shrink the windows height.
# Pressing down will grow the windows height.
bindsym j resize shrink width 10 px or 10 ppt
bindsym k resize grow height 10 px or 10 ppt
bindsym l resize shrink height 10 px or 10 ppt
bindsym semicolon resize grow width 10 px or 10 ppt
# same bindings, but for the arrow keys
bindsym Left resize shrink width 10 px or 10 ppt
bindsym Down resize grow height 10 px or 10 ppt
bindsym Up resize shrink height 10 px or 10 ppt
bindsym Right resize grow width 10 px or 10 ppt
# back to normal: Enter or Escape or $mod+r
bindsym Return mode "default"
bindsym Escape mode "default"
bindsym $mod+r mode "default"
}
bindsym $mod+r mode "resize"
# Start i3bar to display a workspace bar (plus the system information i3status
# finds out, if available)
bar {
status_command i3status
}
exec_always --no-startup-id kiosk &

46
machines/pinix/dotfiles/i3status-config Normal file
View File

@ -0,0 +1,46 @@
# i3status configuration file.
# see "man i3status" for documentation.
# It is important that this file is edited as UTF-8.
# The following line should contain a sharp s:
# ß
# If the above line is not correctly displayed, fix your editor first!
general {
colors = true
interval = 5
}
order += "wireless _first_"
order += "disk /"
order += "load"
order += "memory"
order += "tztime local"
wireless _first_ {
format_up = "W: (%quality at %essid) %ip"
format_down = "W: down"
}
ethernet _first_ {
format_up = "E: %ip (%speed)"
format_down = "E: down"
}
disk "/" {
format = "%avail"
}
load {
format = "%1min"
}
memory {
format = "%used"
threshold_degraded = "1G"
format_degraded = "MEMORY < %available"
}
tztime local {
format = "%d-%m-%Y %H:%M"
}

35
machines/pinix/hardware-configuration.nix Normal file
View File

@ -0,0 +1,35 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "uas" "usbhid" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
options = ["noatime"];
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0u1u1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

20
machines/pinix/kiosk.nix Normal file
View File

@ -0,0 +1,20 @@
{
config,
pkgs,
lib,
...
}: let
kiosk-command = pkgs.writeShellScriptBin "kiosk" ''
# Disable screen blanking and standby
${pkgs.xorg.xset}/bin/xset s noblank
${pkgs.xorg.xset}/bin/xset s off
${pkgs.xorg.xset}/bin/xset -dpms
# Hide mouse
${pkgs.unclutter}/bin/unclutter -idle 0.5 -root &
${pkgs.chromium}/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk https://example.com/dashboard
'';
in {
environment.systemPackages = [kiosk-command];
}

4
modules/common/nix/default.nix Normal file
View File

@ -0,0 +1,4 @@
{inputs, ...}: {
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["nix-command" "flakes"];
}

66
modules/server/default.nix Normal file
View File

@ -0,0 +1,66 @@
{
inputs,
config,
pkgs,
...
}: {
# See https://linux.die.net/man/8/pam_ssh_agent_auth
security.pam.sshAgentAuth.enable = true;
system.autoUpgrade = {
enable = true;
allowReboot = true;
rebootWindow = {
lower = "01:00";
upper = "05:00";
};
flake = "git+ssh://user@git.example.com/user/nixos-config.git";
};
nix = {
# Automatic garbage collection
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
};
environment.systemPackages = with pkgs; [
git
molly-guard
vim
];
boot.tmp.cleanOnBoot = true;
# Use more aggressive OOM
services.earlyoom = {
enable = true;
};
# Limit journal size
services.journald.extraConfig = ''
SystemMaxUse=500M
'';
# I18n
time.timeZone = "Europe/Brussels";
i18n.defaultLocale = "en_US.UTF-8";
# Networking
networking.firewall.logRefusedConnections = false;
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
};
};
services.fail2ban = {
enable = true;
bantime = "10m";
};
}