Add kiosk setup and deployment scripts (Phases 5 + 9)
Phase 5 — RPi Kiosk: - setup_kiosk.sh: full RPi OS Lite setup (X11, Chromium kiosk mode, auto-login, DPMS disabled, GPU memory split, screen rotation) - kiosk.service: systemd unit for reliable auto-start - update_kiosk.sh: reconfigure URL/rotation/resolution without re-setup - Handles both Bullseye and Bookworm RPi OS versions Phase 9 — Hardening + Deployment: - install.sh: full server setup (apt/pacman, vigilar user, venv, directories, permissions, mosquitto config, systemd units) - gen_cert.sh: TLS cert via mkcert or openssl fallback - gen_vapid_keys.sh: VAPID keys for Web Push notifications - setup_nut.sh: NUT configuration with USB UPS auto-detection - backup.sh: SQLite snapshot + config archive, cron-ready - uninstall.sh: clean removal with data preservation option - vigilar.service: hardened systemd unit (ProtectSystem, NoNewPrivileges, PrivateTmp, syscall filtering) - vigilar-mosquitto.conf: localhost-only MQTT broker config All scripts idempotent, bash -n validated, support Debian + Arch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
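--- /dev/null
+++ b/systemd/vigilar-mosquitto.conf
@@ -0,0 +1,18 @@
+# Mosquitto configuration for Vigilar
+# Localhost-only, no authentication, no persistence.
+# Drop this file in /etc/mosquitto/conf.d/
+
+# Bind to loopback only — no network exposure
+listener 1883 127.0.0.1
+# No authentication needed for localhost
+allow_anonymous true
+
+# Disable persistence — Vigilar state lives in SQLite
+persistence false
+
+# Logging
+log_dest syslog
+log_type error
+log_type warning
+log_type notice
+connection_messages true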
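Review bot: `allow_anonymous true` is a global option in Mosquitto unless `per_listener_settings true` is declared before it, so it is not scoped to the loopback listener on the line above as the comment implies; if the host's main mosquitto.conf or another conf.d drop-in ever adds a network-facing listener, that listener inherits anonymous access as well. Binding to 127.0.0.1 also does not limit which local accounts may connect, so any process on the host can publish to or subscribe from the broker that feeds a security system — that trust boundary is worth stating where the file is dropped in. I would put `per_listener_settings true` ahead of `listener 1883 127.0.0.1` so the anonymous setting stays tied to the loopback listener, and replace the "No authentication needed" comment with `# NOTE: loopback is the only trust boundary — any local user can publish/subscribe; set password_file if local isolation matters`.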
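--- /dev/null
+++ b/systemd/vigilar.service
@@ -0,0 +1,53 @@
+[Unit]
+Description=Vigilar Home Security System
+Documentation=https://github.com/vigilar/vigilar
+After=network.target mosquitto.service
+Requires=mosquitto.service
+Wants=nut-monitor.service
+
+[Service]
+Type=simple
+User=vigilar
+Group=vigilar
+
+Environment=VIGILAR_CONFIG=/etc/vigilar/vigilar.toml
+ExecStart=/opt/vigilar/venv/bin/vigilar start --config /etc/vigilar/vigilar.toml
+
+Restart=on-failure
+RestartSec=10
+WatchdogSec=120
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=no
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
+# Allow write to data directories
+ReadWritePaths=/var/vigilar/data /var/vigilar/recordings /var/vigilar/hls
+
+# Read-only access to config and secrets
+ReadOnlyPaths=/etc/vigilar
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=vigilar
+
+[Install]
+WantedBy=multi-user.target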
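Review bot: `WatchdogSec=120` makes systemd abort and restart the process whenever it goes two minutes without sending `WATCHDOG=1` over the notify socket, and nothing on the page shows that the `vigilar` entry point implements that protocol — if it does not, the unit will restart-loop every 120 seconds under `Restart=on-failure`; if it does, `Type=notify` would describe the service more accurately than `Type=simple`. The hardening block is solid but leaves the network and capability surface open: adding `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `CapabilityBoundingSet=` would close both at no cost for an unprivileged `User=vigilar` process. `MemoryDenyWriteExecute=no` is the one deliberate relaxation in the list and should carry a why-comment, e.g. `# MDWE disabled: needed by <component — TODO name it>`, so a later reviewer does not "fix" it. `PrivateDevices=yes` is presumably safe only because camera capture happens over the network rather than via /dev/video* — worth confirming, since the same restriction would silently break local capture devices.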