diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 018139b..667fce2 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -73,6 +73,10 @@ ssh_host_key_types: backend_smtp_port: 12891 backend_imap_port: 12892 +# System configuration + +global_users_directory: "/home" + # Application configurations global_ansible_facts_directory: "/etc/ansible/facts.d" @@ -90,6 +94,9 @@ global_certbot_configuration_directory: "/etc/letsencrypt" global_certbot_configuration_file: "{{ global_certbot_configuration_directory }}/cli.ini" global_certbot_certificates_directory: "/etc/letsencrypt/live" +global_chromium_configuration_directory: "/etc/chromium" +global_chromium_managed_policies_file: "{{ global_chromium_configuration_directory }}/policies/managed" + global_dns_upstream_servers: - "9.9.9.11" - "149.112.112.11" @@ -111,6 +118,8 @@ global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discove global_interfaces_directory: "/etc/network/interfaces.d" +global_lightdm_configuration_directory: "/etc/lightdm" + global_log_directory: "/var/log" global_mysql_socket_path: "/var/run/mysqld/mysqld.sock" diff --git a/roles/kiosk/website/defaults/main.yml b/roles/kiosk/website/defaults/main.yml new file mode 100644 index 0000000..cf6e1d2 --- /dev/null +++ b/roles/kiosk/website/defaults/main.yml @@ -0,0 +1,26 @@ +--- + +kiosk_user: kiosk +kiosk_user_directory: "{{ global_users_directory }}/{{ kiosk_user }}" +kiosk_user_pass: "{{ lookup('password', 'credentials/' + inventory_hostname + '/user/kiosk chars=digits,ascii_letters length=80') }}" + +i3_xkbmap: en +i3_autostart: >- + /usr/bin/chromium + --user-data-dir={{ kiosk_user_directory | quote }}/chromium + --start-fullscreen + --force-device-scale-factor={{ zoom_factor | quote }} + {{ kiosk_website | quote }} +i3_background: "#000000" + +chromium_policies: + HomepageIsNewTabPage: no + HomepageLocation: "{{ kiosk_website }}" + NewTabPageLocation: "{{ kiosk_website }}" + RestoreOnStartup: 5 # Show new tab page i.e. ignore restorable sessions + ShowHomeButton: yes + +autostart_script: "{{ kiosk_user_directory }}/autostart.sh" + +# kiosk_website: "https://example.com" +zoom_factor: 1 diff --git a/roles/kiosk/website/tasks/main.yml b/roles/kiosk/website/tasks/main.yml new file mode 100644 index 0000000..f93b66f --- /dev/null +++ b/roles/kiosk/website/tasks/main.yml @@ -0,0 +1,86 @@ +--- + +- name: Install packages for Web UI + apt: + state: present + name: + # main packages + - chromium # Webbrowser + - i3 # Window Manager + - lightdm # Login Manager with Autologin + # tools + - xdotool # simulate keyboard inputs on X11 + +- name: Create autologin group for LightDM + group: + state: present + name: autologin + +- name: Configure kiosk user + user: + state: present + name: "{{ kiosk_user }}" + home: "{{ kiosk_user_directory }}" + create_home: yes + move_home: yes + shell: /usr/bin/bash + groups: + - audio + - autologin + - video + append: yes + password: "{{ kiosk_user_pass | password_hash('sha512', LOCAL_SALT) }}" + update_password: on_create + +- name: Configure lightdm + template: + src: "{{ item }}" + dest: "{{ global_lightdm_configuration_directory }}/{{ item }}" + owner: root + group: root + mode: u=rw,g=r,o=r + loop: + - lightdm.conf + - lightdm-gtk-greeter.conf + +- name: Store autostart script + template: + src: autostart.sh + dest: "{{ autostart_script }}" + owner: root + group: root + mode: u=rwx,g=rx,o=rx + +- name: Create configuration directories for kiosk user + file: + state: directory + path: "{{ kiosk_user_directory }}/{{ item }}" + owner: root + group: "{{ kiosk_user }}" + mode: u=rwx,g=rx,o= + loop: + - .config/i3 + +- name: Configure i3 for kiosk user + template: + src: "i3.cfg" + dest: "{{ kiosk_user_directory }}/.config/i3/config" + owner: root + group: "{{ kiosk_user }}" + mode: u=rw,g=r,o= + +- name: Create policy directory for chromium globally + file: + state: directory + path: "{{ global_chromium_managed_policies_file | dirname }}" + owner: root + group: root + mode: u=rwx,g=rx,o=rx + +- name: Configure policies for chromium globally + copy: + content: "{{ chromium_policies | to_nice_json }}" + dest: "{{ chromium_policies_file }}" + owner: root + group: root + mode: u=rw,g=r,o=r diff --git a/roles/kiosk/website/templates/autostart.sh b/roles/kiosk/website/templates/autostart.sh new file mode 100644 index 0000000..d4482ac --- /dev/null +++ b/roles/kiosk/website/templates/autostart.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env sh +exec {{ i3_autostart }} diff --git a/roles/kiosk/website/templates/i3.cfg b/roles/kiosk/website/templates/i3.cfg new file mode 100644 index 0000000..7ba0699 --- /dev/null +++ b/roles/kiosk/website/templates/i3.cfg @@ -0,0 +1,93 @@ +# German keyboard layout +exec --no-startup-id setxkbmap {{ i3_xkbmap }} + +# i3 config file (v4) +# +# Please see https://i3wm.org/docs/userguide.html for a complete reference! + +# Meta key as modifier +set $mod Mod4 + +# Font for window titles. Will also be used by the bar unless a different font +# is used in the bar {} block below. +#font pango:monospace 8 + +# This font is widely installed, provides lots of unicode glyphs, right-to-left +# text rendering and scalability on retina/hidpi displays (thanks to pango). +font pango:DejaVu Sans 12 + +# Before i3 v4.8, we used to recommend this one as the default: +# font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1 +# The font above is very space-efficient, that is, it looks good, sharp and +# clear in small sizes. However, its unicode glyph coverage is limited, the old +# X core fonts rendering does not support right-to-left and this being a bitmap +# font, it doesn’t scale on retina/hidpi displays. + +# change focus +bindsym $mod+j focus left +bindsym $mod+k focus down +bindsym $mod+l focus up +bindsym $mod+semicolon focus right + +# alternatively, you can use the cursor keys: +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +# move focused window +bindsym $mod+Shift+j move left +bindsym $mod+Shift+k move down +bindsym $mod+Shift+l move up +bindsym $mod+Shift+semicolon move right + +# alternatively, you can use the cursor keys: +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +# split in horizontal orientation +bindsym $mod+h split h + +# split in vertical orientation +bindsym $mod+v split v + +# enter fullscreen mode for the focused container +bindsym $mod+f fullscreen toggle + +# change container layout (stacked, tabbed, toggle split) +bindsym $mod+s layout stacking +bindsym $mod+w layout tabbed +bindsym $mod+e layout toggle split + +# change focus between tiling / floating windows +bindsym $mod+space focus mode_toggle + +# focus the parent container +bindsym $mod+a focus parent + +# reload the configuration file +bindsym $mod+Shift+c reload +# restart i3 inplace (preserves your layout/session, can be used to upgrade i3) +bindsym $mod+Shift+r restart +# exit i3 (logs you out of your X session) +bindsym $mod+Shift+e exec "i3-msg exit" + +# poweroff computer +bindsym $mod+Control+s exec "systemctl poweroff" +# reboot computer +bindsym $mod+Control+r exec "systemctl reboot" + +# open homepage on windows button +bindsym $mod exec "xdotool key Alt_L+Home" + +exec --no-startup-id xsetroot -solid {{ i3_background | quote }} + +exec --no-startup-id {{ autostart_script | quote }} + +# Disable screensaver / power saving functions turning display off after a certain timeout +exec xset s off +exec xset -dpms + +bindsym $mod+t exec --no-startup-id "xterm" diff --git a/roles/kiosk/website/templates/lightdm-gtk-greeter.conf b/roles/kiosk/website/templates/lightdm-gtk-greeter.conf new file mode 100644 index 0000000..3d6fea8 --- /dev/null +++ b/roles/kiosk/website/templates/lightdm-gtk-greeter.conf @@ -0,0 +1,66 @@ +# LightDM GTK+ Configuration +# Available configuration options listed below. +# +# Appearance: +# theme-name = GTK+ theme to use +# icon-theme-name = Icon theme to use +# cursor-theme-name = Cursor theme to use +# cursor-theme-size = Cursor size to use +# background = Background file to use, either an image path or a color (e.g. #772953) +# user-background = false|true ("true" by default) Display user background (if available) +# transition-duration = Length of time (in milliseconds) to transition between background images ("500" by default) +# transition-type = ease-in-out|linear|none ("ease-in-out" by default) +# +# Fonts: +# font-name = Font to use +# xft-antialias = false|true Whether to antialias Xft fonts +# xft-dpi = Resolution for Xft in dots per inch (e.g. 96) +# xft-hintstyle = none|slight|medium|hintfull What degree of hinting to use +# xft-rgba = none|rgb|bgr|vrgb|vbgr Type of subpixel antialiasing +# +# Login window: +# active-monitor = Monitor to display greeter window (name or number). Use #cursor value to display greeter at monitor with cursor. Can be a semicolon separated list +# position = x y ("50% 50%" by default) Login window position +# default-user-image = Image used as default user icon, path or #icon-name +# hide-user-image = false|true ("false" by default) +# +# Panel: +# panel-position = top|bottom ("top" by default) +# clock-format = strftime-format string, e.g. %H:%M +# indicators = semi-colon ";" separated list of allowed indicator modules. Built-in indicators include "~a11y", "~language", "~session", "~power", "~clock", "~host", "~spacer". Unity indicators can be represented by short name (e.g. "sound", "power"), service file name, or absolute path +# +# Accessibility: +# a11y-states = states of accessibility features: "name" - save state on exit, "-name" - disabled at start (default value for unlisted), "+name" - enabled at start. Allowed names: contrast, font, keyboard, reader. +# keyboard = command to launch on-screen keyboard (e.g. "onboard") +# keyboard-position = x y[;width height] ("50%,center -0;50% 25%" by default) Works only for "onboard" +# reader = command to launch screen reader (e.g. "orca") +# at-spi-enabled = false|true ("true" by default) Enables accessibility at-spi-command if the greeter is built with it enabled +# +# Security: +# allow-debugging = false|true ("false" by default) +# screensaver-timeout = Timeout (in seconds) until the screen blanks when the greeter is called as lockscreen +# +# Template for per-monitor configuration: +# [monitor: name] +# background = overrides default value +# user-background = overrides default value +# laptop = false|true ("false" by default) Marks monitor as laptop display +# transition-duration = overrides default value +# +[greeter] +#background="#002244" # TODO Fix +user-background=false +hide-user-image=true +#theme-name= +#icon-theme-name= +#font-name= +#xft-antialias= +#xft-dpi= +#xft-hintstyle= +#xft-rgba= +#indicators= +#clock-format= +#keyboard= +#reader= +#position= +#screensaver-timeout= diff --git a/roles/kiosk/website/templates/lightdm.conf b/roles/kiosk/website/templates/lightdm.conf new file mode 100644 index 0000000..65c333b --- /dev/null +++ b/roles/kiosk/website/templates/lightdm.conf @@ -0,0 +1,169 @@ +# +# General configuration +# +# start-default-seat = True to always start one seat if none are defined in the configuration +# greeter-user = User to run greeter as +# minimum-display-number = Minimum display number to use for X servers +# minimum-vt = First VT to run displays on +# lock-memory = True to prevent memory from being paged to disk +# user-authority-in-system-dir = True if session authority should be in the system location +# guest-account-script = Script to be run to setup guest account +# logind-check-graphical = True to on start seats that are marked as graphical by logind +# log-directory = Directory to log information to +# run-directory = Directory to put running state in +# cache-directory = Directory to cache to +# sessions-directory = Directory to find sessions +# remote-sessions-directory = Directory to find remote sessions +# greeters-directory = Directory to find greeters +# backup-logs = True to move add a .old suffix to old log files when opening new ones +# dbus-service = True if LightDM provides a D-Bus service to control it +# +[LightDM] +#start-default-seat=true +#greeter-user=lightdm +#minimum-display-number=0 +#minimum-vt=7 +#lock-memory=true +#user-authority-in-system-dir=false +#guest-account-script=guest-account +#logind-check-graphical=false +#log-directory=/var/log/lightdm +#run-directory=/var/run/lightdm +#cache-directory=/var/cache/lightdm +#sessions-directory=/usr/share/lightdm/sessions:/usr/share/xsessions:/usr/share/wayland-sessions +#remote-sessions-directory=/usr/share/lightdm/remote-sessions +#greeters-directory=$XDG_DATA_DIRS/lightdm/greeters:$XDG_DATA_DIRS/xgreeters +#backup-logs=true +#dbus-service=true + +# +# Seat configuration +# +# Seat configuration is matched against the seat name glob in the section, for example: +# [Seat:*] matches all seats and is applied first. +# [Seat:seat0] matches the seat named "seat0". +# [Seat:seat-thin-client*] matches all seats that have names that start with "seat-thin-client". +# +# type = Seat type (local, xremote, unity) +# pam-service = PAM service to use for login +# pam-autologin-service = PAM service to use for autologin +# pam-greeter-service = PAM service to use for greeters +# xserver-backend = X backend to use (mir) +# xserver-command = X server command to run (can also contain arguments e.g. X -special-option) +# xmir-command = Xmir server command to run (can also contain arguments e.g. Xmir -special-option) +# xserver-config = Config file to pass to X server +# xserver-layout = Layout to pass to X server +# xserver-allow-tcp = True if TCP/IP connections are allowed to this X server +# xserver-share = True if the X server is shared for both greeter and session +# xserver-hostname = Hostname of X server (only for type=xremote) +# xserver-display-number = Display number of X server (only for type=xremote) +# xdmcp-manager = XDMCP manager to connect to (implies xserver-allow-tcp=true) +# xdmcp-port = XDMCP UDP/IP port to communicate on +# xdmcp-key = Authentication key to use for XDM-AUTHENTICATION-1 (stored in keys.conf) +# unity-compositor-command = Unity compositor command to run (can also contain arguments e.g. unity-system-compositor -special-option) +# unity-compositor-timeout = Number of seconds to wait for compositor to start +# greeter-session = Session to load for greeter +# greeter-hide-users = True to hide the user list +# greeter-allow-guest = True if the greeter should show a guest login option +# greeter-show-manual-login = True if the greeter should offer a manual login option +# greeter-show-remote-login = True if the greeter should offer a remote login option +# user-session = Session to load for users +# allow-user-switching = True if allowed to switch users +# allow-guest = True if guest login is allowed +# guest-session = Session to load for guests (overrides user-session) +# session-wrapper = Wrapper script to run session with +# greeter-wrapper = Wrapper script to run greeter with +# guest-wrapper = Wrapper script to run guest sessions with +# display-setup-script = Script to run when starting a greeter session (runs as root) +# display-stopped-script = Script to run after stopping the display server (runs as root) +# greeter-setup-script = Script to run when starting a greeter (runs as root) +# session-setup-script = Script to run when starting a user session (runs as root) +# session-cleanup-script = Script to run when quitting a user session (runs as root) +# autologin-guest = True to log in as guest by default +# autologin-user = User to log in with by default (overrides autologin-guest) +# autologin-user-timeout = Number of seconds to wait before loading default user +# autologin-session = Session to load for automatic login (overrides user-session) +# autologin-in-background = True if autologin session should not be immediately activated +# exit-on-failure = True if the daemon should exit if this seat fails +# +[Seat:*] +#type=local +#pam-service=lightdm +#pam-autologin-service=lightdm-autologin +#pam-greeter-service=lightdm-greeter +#xserver-backend= +#xserver-command=X +#xmir-command=Xmir +#xserver-config= +#xserver-layout= +#xserver-allow-tcp=false +#xserver-share=true +#xserver-hostname= +#xserver-display-number= +#xdmcp-manager= +#xdmcp-port=177 +#xdmcp-key= +#unity-compositor-command=unity-system-compositor +#unity-compositor-timeout=60 +#greeter-session=example-gtk-gnome +#greeter-hide-users=false +#greeter-allow-guest=true +#greeter-show-manual-login=false +#greeter-show-remote-login=true +#user-session=default +#allow-user-switching=true +#allow-guest=true +#guest-session= +#session-wrapper=lightdm-session +#greeter-wrapper= +#guest-wrapper= +#display-setup-script= +#display-stopped-script= +#greeter-setup-script= +#session-setup-script= +#session-cleanup-script= +#autologin-guest=false +autologin-user={{ kiosk_user }} +#autologin-user-timeout=0 +#autologin-in-background=false +autologin-session=i3 +#exit-on-failure=false + +# +# XDMCP Server configuration +# +# enabled = True if XDMCP connections should be allowed +# port = UDP/IP port to listen for connections on +# listen-address = Host/address to listen for XDMCP connections (use all addresses if not present) +# key = Authentication key to use for XDM-AUTHENTICATION-1 or blank to not use authentication (stored in keys.conf) +# hostname = Hostname to report to XDMCP clients (defaults to system hostname if unset) +# +# The authentication key is a 56 bit DES key specified in hex as 0xnnnnnnnnnnnnnn. Alternatively +# it can be a word and the first 7 characters are used as the key. +# +[XDMCPServer] +#enabled=false +#port=177 +#listen-address= +#key= +#hostname= + +# +# VNC Server configuration +# +# enabled = True if VNC connections should be allowed +# command = Command to run Xvnc server with +# port = TCP/IP port to listen for connections on +# listen-address = Host/address to listen for VNC connections (use all addresses if not present) +# width = Width of display to use +# height = Height of display to use +# depth = Color depth of display to use +# +[VNCServer] +#enabled=false +#command=Xvnc +#port=5900 +#listen-address= +#width=1024 +#height=768 +#depth=8