alee/vigilar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a5dd15d0a1
vigilar/kiosk/setup_kiosk.sh
Aaron D. Lee ebcc49b474 Add kiosk setup and deployment scripts (Phases 5 + 9) 
Phase 5 — RPi Kiosk:
- setup_kiosk.sh: full RPi OS Lite setup (X11, Chromium kiosk mode,
  auto-login, DPMS disabled, GPU memory split, screen rotation)
- kiosk.service: systemd unit for reliable auto-start
- update_kiosk.sh: reconfigure URL/rotation/resolution without re-setup
- Handles both Bullseye and Bookworm RPi OS versions

Phase 9 — Hardening + Deployment:
- install.sh: full server setup (apt/pacman, vigilar user, venv,
  directories, permissions, mosquitto config, systemd units)
- gen_cert.sh: TLS cert via mkcert or openssl fallback
- gen_vapid_keys.sh: VAPID keys for Web Push notifications
- setup_nut.sh: NUT configuration with USB UPS auto-detection
- backup.sh: SQLite snapshot + config archive, cron-ready
- uninstall.sh: clean removal with data preservation option
- vigilar.service: hardened systemd unit (ProtectSystem, NoNewPrivileges,
  PrivateTmp, syscall filtering)
- vigilar-mosquitto.conf: localhost-only MQTT broker config

All scripts idempotent, bash -n validated, support Debian + Arch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:25:03 -04:00

386 lines
13 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Vigilar Kiosk — Full Raspberry Pi setup script
# Run on a fresh Raspberry Pi OS Lite (64-bit, no desktop).
# Safe to re-run (idempotent).
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
KIOSK_USER="vigilar"
KIOSK_HOME="/home/${KIOSK_USER}"
CONFIG_FILE="${KIOSK_HOME}/kiosk_config.txt"
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
info() { printf '\n\033[1;34m>>> %s\033[0m\n' "$*"; }
warn() { printf '\033[1;33mWARN: %s\033[0m\n' "$*"; }
error() { printf '\033[1;31mERROR: %s\033[0m\n' "$*" >&2; exit 1; }
need_root() {
if [[ $EUID -ne 0 ]]; then
error "This script must be run as root (use sudo)."
fi
}
# ---------------------------------------------------------------------------
# Pre-flight
# ---------------------------------------------------------------------------
need_root
info "Vigilar Kiosk Setup"
echo "This script turns a Raspberry Pi into a dedicated security-camera display."
echo ""
# Detect Debian version
if [[ -f /etc/os-release ]]; then
# shellcheck source=/dev/null
. /etc/os-release
DEBIAN_VERSION="${VERSION_ID:-11}"
else
DEBIAN_VERSION="11"
fi
info "Detected Debian version: ${DEBIAN_VERSION} (${PRETTY_NAME:-unknown})"
# ---------------------------------------------------------------------------
# 1. Ask for Vigilar server URL
# ---------------------------------------------------------------------------
DEFAULT_URL="https://vigilar.local:49735/kiosk/"
read -r -p "Vigilar server URL [${DEFAULT_URL}]: " USER_URL
VIGILAR_URL="${USER_URL:-$DEFAULT_URL}"
# ---------------------------------------------------------------------------
# 2. Ask for display settings
# ---------------------------------------------------------------------------
read -r -p "Screen rotation (0/90/180/270) [0]: " USER_ROTATION
ROTATION="${USER_ROTATION:-0}"
read -r -p "Screen resolution (e.g. 1920x1080, 1280x720) [1920x1080]: " USER_RES
RESOLUTION="${USER_RES:-1920x1080}"
echo ""
info "Configuration summary"
echo " URL: ${VIGILAR_URL}"
echo " Rotation: ${ROTATION}"
echo " Resolution: ${RESOLUTION}"
echo ""
read -r -p "Continue? [Y/n]: " CONFIRM
if [[ "${CONFIRM,,}" == "n" ]]; then
echo "Aborted."
exit 0
fi
# ---------------------------------------------------------------------------
# 3. Install packages
# ---------------------------------------------------------------------------
info "Updating package lists"
apt-get update -qq
info "Installing X11, Chromium, and utilities"
PACKAGES=(
xserver-xorg
xinit
x11-xserver-utils
chromium-browser
unclutter
)
# On Bookworm the package may just be 'chromium'
if [[ "${DEBIAN_VERSION}" -ge 12 ]]; then
# Try chromium-browser first; fall back to chromium
if ! apt-cache show chromium-browser &>/dev/null; then
PACKAGES=("${PACKAGES[@]/chromium-browser/chromium}")
fi
fi
apt-get install -y -qq "${PACKAGES[@]}"
# ---------------------------------------------------------------------------
# 4. Create kiosk user
# ---------------------------------------------------------------------------
if id "${KIOSK_USER}" &>/dev/null; then
info "User '${KIOSK_USER}' already exists"
else
info "Creating user '${KIOSK_USER}'"
useradd -m -s /bin/bash -G video,input,render,tty "${KIOSK_USER}"
fi
# Ensure group memberships even if user existed
usermod -aG video,input,render,tty "${KIOSK_USER}"
# ---------------------------------------------------------------------------
# 5. Write config file
# ---------------------------------------------------------------------------
info "Writing ${CONFIG_FILE}"
cat > "${CONFIG_FILE}" <<CFGEOF
VIGILAR_URL=${VIGILAR_URL}
ROTATION=${ROTATION}
RESOLUTION=${RESOLUTION}
CFGEOF
chown "${KIOSK_USER}:${KIOSK_USER}" "${CONFIG_FILE}"
# ---------------------------------------------------------------------------
# 6. Write .xinitrc
# ---------------------------------------------------------------------------
info "Writing ${KIOSK_HOME}/.xinitrc"
cat > "${KIOSK_HOME}/.xinitrc" <<'XINITEOF'
#!/usr/bin/env bash
# Vigilar kiosk X session
set -euo pipefail
CONFIG="$HOME/kiosk_config.txt"
if [[ -f "$CONFIG" ]]; then
# shellcheck source=/dev/null
source "$CONFIG"
fi
URL="${VIGILAR_URL:-https://vigilar.local:49735/kiosk/}"
# Disable screen blanking and DPMS
xset s off
xset s noblank
xset -dpms
# Hide cursor after 0.5 s of inactivity
unclutter -idle 0.5 -root &
# Handle rotation
ROTATION="${ROTATION:-0}"
case "${ROTATION}" in
90) xrandr --output "$(xrandr | grep ' connected' | head -1 | awk '{print $1}')" --rotate left ;;
180) xrandr --output "$(xrandr | grep ' connected' | head -1 | awk '{print $1}')" --rotate inverted ;;
270) xrandr --output "$(xrandr | grep ' connected' | head -1 | awk '{print $1}')" --rotate right ;;
*) ;; # 0 = normal, no action needed
esac
# Determine chromium binary
CHROMIUM=""
for candidate in chromium-browser chromium; do
if command -v "$candidate" &>/dev/null; then
CHROMIUM="$candidate"
break
fi
done
if [[ -z "$CHROMIUM" ]]; then
echo "ERROR: No chromium binary found" >&2
exit 1
fi
# Launch Chromium in kiosk mode
# --ignore-certificate-errors is needed for self-signed TLS certs on vigilar.local
exec "$CHROMIUM" \
--noerrdialogs \
--disable-infobars \
--kiosk \
--incognito \
--disable-translate \
--no-first-run \
--fast \
--fast-start \
--disable-features=TranslateUI \
--disk-cache-dir=/dev/null \
--check-for-update-interval=31536000 \
--ignore-certificate-errors \
--disable-component-update \
--disable-background-networking \
--disable-sync \
--autoplay-policy=no-user-gesture-required \
"$URL"
XINITEOF
chmod +x "${KIOSK_HOME}/.xinitrc"
chown "${KIOSK_USER}:${KIOSK_USER}" "${KIOSK_HOME}/.xinitrc"
# ---------------------------------------------------------------------------
# 7. Write .bash_profile for auto-start (fallback method)
# ---------------------------------------------------------------------------
info "Writing ${KIOSK_HOME}/.bash_profile (auto-start X on tty1)"
# Preserve existing content if any
BASH_PROFILE="${KIOSK_HOME}/.bash_profile"
MARKER="# --- Vigilar kiosk auto-start ---"
# Remove old block if present
if [[ -f "${BASH_PROFILE}" ]]; then
sed -i "/${MARKER}/,/# --- end Vigilar kiosk ---/d" "${BASH_PROFILE}"
fi
cat >> "${BASH_PROFILE}" <<'BPEOF'
# --- Vigilar kiosk auto-start ---
if [[ -z "${DISPLAY:-}" ]] && [[ "$(tty)" == "/dev/tty1" ]]; then
exec startx -- -nocursor
fi
# --- end Vigilar kiosk ---
BPEOF
chown "${KIOSK_USER}:${KIOSK_USER}" "${BASH_PROFILE}"
# ---------------------------------------------------------------------------
# 8. Install systemd service (default method)
# ---------------------------------------------------------------------------
info "Installing systemd service"
SERVICE_SRC="${SCRIPT_DIR}/kiosk.service"
SERVICE_DEST="/etc/systemd/system/vigilar-kiosk.service"
if [[ -f "${SERVICE_SRC}" ]]; then
cp "${SERVICE_SRC}" "${SERVICE_DEST}"
else
# Generate inline if source file not found
cat > "${SERVICE_DEST}" <<SVCEOF
[Unit]
Description=Vigilar Kiosk (X11 + Chromium)
After=network-online.target systemd-user-sessions.service
Wants=network-online.target
[Service]
Type=simple
User=${KIOSK_USER}
Group=${KIOSK_USER}
PAMName=login
TTYPath=/dev/tty1
StandardInput=tty
StandardOutput=journal
StandardError=journal
SupplementaryGroups=video input render
Environment=HOME=${KIOSK_HOME}
WorkingDirectory=${KIOSK_HOME}
ExecStart=/usr/bin/xinit ${KIOSK_HOME}/.xinitrc -- /usr/bin/X :0 vt1 -keeptty -nocursor
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
SVCEOF
fi
systemctl daemon-reload
systemctl enable vigilar-kiosk.service
info "systemd service enabled (vigilar-kiosk.service)"
# Disable .bash_profile auto-start when using systemd (comment it out)
sed -i "s/^ exec startx/# exec startx/" "${BASH_PROFILE}"
info "Disabled .bash_profile auto-start (systemd is the default)"
# ---------------------------------------------------------------------------
# 9. Configure auto-login on tty1
# ---------------------------------------------------------------------------
info "Configuring auto-login on tty1 for '${KIOSK_USER}'"
AUTOLOGIN_DIR="/etc/systemd/system/getty@tty1.service.d"
mkdir -p "${AUTOLOGIN_DIR}"
cat > "${AUTOLOGIN_DIR}/autologin.conf" <<ALEOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin ${KIOSK_USER} --noclear %I \$TERM
ALEOF
systemctl daemon-reload
# ---------------------------------------------------------------------------
# 10. Disable console blanking
# ---------------------------------------------------------------------------
info "Disabling console screen blanking"
# Kernel cmdline approach — add consoleblank=0
CMDLINE="/boot/cmdline.txt"
# On Bookworm, firmware cmdline may be at /boot/firmware/cmdline.txt
if [[ -f /boot/firmware/cmdline.txt ]]; then
CMDLINE="/boot/firmware/cmdline.txt"
fi
if [[ -f "${CMDLINE}" ]]; then
if ! grep -q 'consoleblank=0' "${CMDLINE}"; then
sed -i 's/$/ consoleblank=0/' "${CMDLINE}"
fi
fi
# ---------------------------------------------------------------------------
# 11. GPU memory split
# ---------------------------------------------------------------------------
info "Setting GPU memory to 128 MB"
CONFIG_TXT="/boot/config.txt"
if [[ -f /boot/firmware/config.txt ]]; then
CONFIG_TXT="/boot/firmware/config.txt"
fi
if [[ -f "${CONFIG_TXT}" ]]; then
if grep -q '^gpu_mem=' "${CONFIG_TXT}"; then
sed -i 's/^gpu_mem=.*/gpu_mem=128/' "${CONFIG_TXT}"
else
echo "gpu_mem=128" >> "${CONFIG_TXT}"
fi
fi
# ---------------------------------------------------------------------------
# 12. Screen rotation and resolution in config.txt
# ---------------------------------------------------------------------------
info "Configuring display rotation and resolution"
if [[ -f "${CONFIG_TXT}" ]]; then
# Rotation via display_rotate (legacy) or display_lcd_rotate
if [[ "${ROTATION}" != "0" ]]; then
ROTATE_VAL=0
case "${ROTATION}" in
90) ROTATE_VAL=1 ;;
180) ROTATE_VAL=2 ;;
270) ROTATE_VAL=3 ;;
esac
if grep -q '^display_rotate=' "${CONFIG_TXT}"; then
sed -i "s/^display_rotate=.*/display_rotate=${ROTATE_VAL}/" "${CONFIG_TXT}"
else
echo "display_rotate=${ROTATE_VAL}" >> "${CONFIG_TXT}"
fi
fi
# Resolution via hdmi_group and hdmi_mode
# Parse WxH
RES_W="${RESOLUTION%%x*}"
RES_H="${RESOLUTION##*x}"
HDMI_MODE=""
case "${RES_W}x${RES_H}" in
1920x1080) HDMI_MODE=16 ;;
1280x720) HDMI_MODE=4 ;;
1680x1050) HDMI_MODE=58 ;;
1280x1024) HDMI_MODE=35 ;;
1024x768) HDMI_MODE=16 ;; # DMT mode 16
*) warn "Unknown resolution ${RESOLUTION}, skipping hdmi_mode config" ;;
esac
if [[ -n "${HDMI_MODE}" ]]; then
# hdmi_group=1 = CEA (TVs), hdmi_group=2 = DMT (monitors)
HDMI_GROUP=1
if [[ "${RES_W}x${RES_H}" == "1680x1050" ]] || [[ "${RES_W}x${RES_H}" == "1280x1024" ]]; then
HDMI_GROUP=2
fi
for KEY_VAL in "hdmi_group=${HDMI_GROUP}" "hdmi_mode=${HDMI_MODE}"; do
KEY="${KEY_VAL%%=*}"
if grep -q "^${KEY}=" "${CONFIG_TXT}"; then
sed -i "s/^${KEY}=.*/${KEY_VAL}/" "${CONFIG_TXT}"
else
echo "${KEY_VAL}" >> "${CONFIG_TXT}"
fi
done
fi
fi
# ---------------------------------------------------------------------------
# 13. Enable SSH
# ---------------------------------------------------------------------------
info "Enabling SSH"
systemctl enable ssh 2>/dev/null || systemctl enable sshd 2>/dev/null || true
systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null || true
# ---------------------------------------------------------------------------
# 14. Set hostname
# ---------------------------------------------------------------------------
info "Setting hostname to 'vigilar-kiosk'"
hostnamectl set-hostname vigilar-kiosk 2>/dev/null || {
echo "vigilar-kiosk" > /etc/hostname
sed -i "s/127\.0\.1\.1.*/127.0.1.1\tvigilar-kiosk/" /etc/hosts
}
# ---------------------------------------------------------------------------
# Done
# ---------------------------------------------------------------------------
info "Setup complete!"
echo ""
echo " Kiosk URL: ${VIGILAR_URL}"
echo " User: ${KIOSK_USER}"
echo " Service: vigilar-kiosk.service (systemd, enabled)"
echo " Config: ${CONFIG_FILE}"
echo ""
echo " To start now: sudo systemctl start vigilar-kiosk"
echo " To check status: sudo systemctl status vigilar-kiosk"
echo " To view logs: sudo journalctl -u vigilar-kiosk -f"
echo " To reconfigure: sudo ./update_kiosk.sh"
echo ""
echo " A reboot is recommended: sudo reboot"
Reference in New Issue View Git Blame Copy Permalink