Add kiosk setup and deployment scripts (Phases 5 + 9)
Phase 5 — RPi Kiosk: - setup_kiosk.sh: full RPi OS Lite setup (X11, Chromium kiosk mode, auto-login, DPMS disabled, GPU memory split, screen rotation) - kiosk.service: systemd unit for reliable auto-start - update_kiosk.sh: reconfigure URL/rotation/resolution without re-setup - Handles both Bullseye and Bookworm RPi OS versions Phase 9 — Hardening + Deployment: - install.sh: full server setup (apt/pacman, vigilar user, venv, directories, permissions, mosquitto config, systemd units) - gen_cert.sh: TLS cert via mkcert or openssl fallback - gen_vapid_keys.sh: VAPID keys for Web Push notifications - setup_nut.sh: NUT configuration with USB UPS auto-detection - backup.sh: SQLite snapshot + config archive, cron-ready - uninstall.sh: clean removal with data preservation option - vigilar.service: hardened systemd unit (ProtectSystem, NoNewPrivileges, PrivateTmp, syscall filtering) - vigilar-mosquitto.conf: localhost-only MQTT broker config All scripts idempotent, bash -n validated, support Debian + Arch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Aaron D. Lee
53
systemd/vigilar.service
Normal file
53
systemd/vigilar.service
Normal file
@@ -0,0 +1,53 @@
|
||||
[Unit]
|
||||
Description=Vigilar Home Security System
|
||||
Documentation=https://github.com/vigilar/vigilar
|
||||
After=network.target mosquitto.service
|
||||
Requires=mosquitto.service
|
||||
Wants=nut-monitor.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=vigilar
|
||||
Group=vigilar
|
||||
|
||||
Environment=VIGILAR_CONFIG=/etc/vigilar/vigilar.toml
|
||||
ExecStart=/opt/vigilar/venv/bin/vigilar start --config /etc/vigilar/vigilar.toml
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=10
|
||||
WatchdogSec=120
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectClock=yes
|
||||
ProtectHostname=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=no
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged @resources
|
||||
|
||||
# Allow write to data directories
|
||||
ReadWritePaths=/var/vigilar/data /var/vigilar/recordings /var/vigilar/hls
|
||||
|
||||
# Read-only access to config and secrets
|
||||
ReadOnlyPaths=/etc/vigilar
|
||||
|
||||
# Logging
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=vigilar
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user