From 43d15bdbf8f6ad5736c697ddee0bbad113719e0e Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 31 Dec 2024 13:09:06 -0600 Subject: [PATCH 01/15] ci: Prevent concurrent builds The `disableConcurrentBuilds` pipeline option tells Jenkins to force subsequent builds _of the same job_ to wait in queue until the one running has completed. This is sufficient when there is only one branch/project in development at a time. In order to prevent multiple projects from running simultaneously, we need to acquire a global lock; all projects need to have this same option in order for it to be effective. --- ci/Jenkinsfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile index 1270b8c..3c782f3 100644 --- a/ci/Jenkinsfile +++ b/ci/Jenkinsfile @@ -8,6 +8,11 @@ pipeline { } } + options { + disableConcurrentBuilds() + lock 'aimee-os' + } + stages { stage('Prepare') { steps { -- 2.51.0 From 4a555211f58f1cc99536e433ace04f642285bd35 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 13 Dec 2024 19:45:47 -0600 Subject: [PATCH 02/15] Install Firefox Attempting to cross-compile Firefox will be rather challenging. It has loads of dependencies, written in a variety of languages. Some issues are more interesting than others. Notably, _dev-libs/nss_ needs to be installed on the host in order to cross-compile itself, but its ebuild does not specify this ([Bug 759127][0]). Also the build system for _gnome-base/librsvg_ is broken: [Gentoo Bug 835758][1], [GNOME Issue #810][2]. Cross-compiling _dev-libs/gobject-introspection_ is also broken ([Bug 759127][3], [850895][4]). With all of these changes, we can get to the point where Portage starts building Firefox, it will take hours and all of my machine's resources, so I haven't tested if will actually build. We shall see once Jenkins tries it... [0]: https://bugs.gentoo.org/759127 [1]: https://bugs.gentoo.org/835758 [2]: https://gitlab.gnome.org/GNOME/librsvg/-/issues/810 [3]: https://bugs.gentoo.org/850895 [4]: https://bugs.gentoo.org/751325 --- install.packages | 1 + portage/make.conf/60-use.conf | 1 + portage/make.conf/introspection.conf | 4 ++ portage/make.conf/videocore.conf | 1 + portage/make.conf/wayland.conf | 1 + portage/package.accept_keywords/firefox | 1 + portage/package.use/firefox | 6 +++ .../librsvg/do-not-build-rsvg-convert.patch | 48 +++++++++++++++++++ prepare.sh | 11 +++++ 9 files changed, 74 insertions(+) create mode 100644 portage/make.conf/60-use.conf create mode 100644 portage/make.conf/introspection.conf create mode 100644 portage/make.conf/videocore.conf create mode 100644 portage/make.conf/wayland.conf create mode 100644 portage/package.accept_keywords/firefox create mode 100644 portage/package.use/firefox create mode 100644 portage/patches/gnome-base/librsvg/do-not-build-rsvg-convert.patch diff --git a/install.packages b/install.packages index 31638b0..5c67a29 100644 --- a/install.packages +++ b/install.packages @@ -1 +1,2 @@ net-wireless/wpa_supplicant +www-client/firefox diff --git a/portage/make.conf/60-use.conf b/portage/make.conf/60-use.conf new file mode 100644 index 0000000..ad110bb --- /dev/null +++ b/portage/make.conf/60-use.conf @@ -0,0 +1 @@ +USE="${USE} -python -readline" diff --git a/portage/make.conf/introspection.conf b/portage/make.conf/introspection.conf new file mode 100644 index 0000000..63c418a --- /dev/null +++ b/portage/make.conf/introspection.conf @@ -0,0 +1,4 @@ +# Disable GObject introspection because it cannot be cross-compiled +# https://bugs.gentoo.org/850895 +# https://bugs.gentoo.org/751325 +USE="${USE} -introspection -vala" diff --git a/portage/make.conf/videocore.conf b/portage/make.conf/videocore.conf new file mode 100644 index 0000000..05c0c2b --- /dev/null +++ b/portage/make.conf/videocore.conf @@ -0,0 +1 @@ +VIDEO_CARDS='v3d vc4' diff --git a/portage/make.conf/wayland.conf b/portage/make.conf/wayland.conf new file mode 100644 index 0000000..71d123e --- /dev/null +++ b/portage/make.conf/wayland.conf @@ -0,0 +1 @@ +USE="${USE} -X wayland" diff --git a/portage/package.accept_keywords/firefox b/portage/package.accept_keywords/firefox new file mode 100644 index 0000000..f0cbd3b --- /dev/null +++ b/portage/package.accept_keywords/firefox @@ -0,0 +1 @@ +dev-libs/nss ~amd64 diff --git a/portage/package.use/firefox b/portage/package.use/firefox new file mode 100644 index 0000000..3580b88 --- /dev/null +++ b/portage/package.use/firefox @@ -0,0 +1,6 @@ +media-libs/harfbuzz -cairo +media-libs/libvpx postproc +media-libs/mesa -llvm wayland +media-video/ffmpeg openssl -gnutls +www-client/firefox -telemetry dbus wayland +x11-libs/gtk+ wayland diff --git a/portage/patches/gnome-base/librsvg/do-not-build-rsvg-convert.patch b/portage/patches/gnome-base/librsvg/do-not-build-rsvg-convert.patch new file mode 100644 index 0000000..4e2775e --- /dev/null +++ b/portage/patches/gnome-base/librsvg/do-not-build-rsvg-convert.patch @@ -0,0 +1,48 @@ +--- a/Makefile.in 2024-12-13 12:17:08.339616211 -0600 ++++ b/Makefile.in 2024-12-13 12:18:30.301517960 -0600 +@@ -641,12 +641,6 @@ + rsvg/src/test_utils/reference_utils.rs \ + rsvg-bench/Cargo.toml \ + rsvg-bench/src/main.rs \ +- rsvg_convert/tests/internal_predicates/file.rs \ +- rsvg_convert/tests/internal_predicates/mod.rs \ +- rsvg_convert/tests/internal_predicates/pdf.rs \ +- rsvg_convert/tests/internal_predicates/png.rs \ +- rsvg_convert/tests/internal_predicates/svg.rs \ +- rsvg_convert/tests/rsvg_convert.rs \ + librsvg-c/tests/legacy_sizing.rs \ + gdk-pixbuf-loader/Cargo.toml \ + gdk-pixbuf-loader/src/lib.rs \ +@@ -685,15 +679,6 @@ + librsvgincdir = $(includedir)/librsvg-$(RSVG_API_VERSION)/librsvg + librsvginc_HEADERS = $(librsvg_public_headers) + +-# Use SCRIPTS instead of PROGRAMS since we build it on our own +-bin_SCRIPTS = rsvg-convert$(EXEEXT) +-RSVG_CONVERT_BIN = $(CARGO_TARGET_DIR)/$(RUST_TARGET_SUBDIR)/rsvg-convert$(EXEEXT) +-RSVG_CONVERT_SRC = \ +- rsvg_convert/Cargo.toml \ +- rsvg_convert/build.rs \ +- rsvg_convert/src/main.rs \ +- $(NULL) +- + @HAVE_RST2MAN_TRUE@man1_MANS = rsvg-convert.1 + dist_doc_DATA = \ + README.md \ +@@ -1643,16 +1628,6 @@ + $(CARGO) --locked build $(CARGO_VERBOSE) $(CARGO_TARGET_ARGS) $(CARGO_RELEASE_ARGS) --package librsvg-c \ + && cd $(LIBRSVG_BUILD_DIR) && $(LINK) $< && cp $(RUST_LIB) .libs/librsvg_c_api.a + +-$(RSVG_CONVERT_BIN): $(RSVG_CONVERT_SRC) | librsvg_c_api.la +- +cd $(top_srcdir) && \ +- PKG_CONFIG_ALLOW_CROSS=1 \ +- PKG_CONFIG='$(PKG_CONFIG)' \ +- CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) \ +- $(CARGO) --locked build $(CARGO_VERBOSE) $(CARGO_TARGET_ARGS) $(CARGO_RELEASE_ARGS) --package rsvg_convert +- +-rsvg-convert$(EXEEXT): $(RSVG_CONVERT_BIN) +- cd $(LIBRSVG_BUILD_DIR) && cp $(RSVG_CONVERT_BIN) rsvg-convert$(EXEEXT) +- + rsvg-convert.1: rsvg-convert.rst + @HAVE_RST2MAN_TRUE@ $(RST2MAN) $(top_srcdir)/rsvg-convert.rst rsvg-convert.1 + @HAVE_RST2MAN_FALSE@ @echo "========================================" diff --git a/prepare.sh b/prepare.sh index aa4d100..919d248 100644 --- a/prepare.sh +++ b/prepare.sh @@ -6,3 +6,14 @@ fi if [ "$(find /var/db/repos/gentoo/metadata -newermt '-24 hours' | wc -l)" -eq 0 ]; then emaint sync fi + +mkdir -p /etc/portage/package.use +mkdir -p /etc/portage/make.conf +cp portage/package.use/firefox /etc/portage/package.use/ +cp portage/make.conf/introspection.conf /etc/portage/make.conf/ +cp portage/make.conf/wayland.conf /etc/portage/make.conf/ +echo 'VIDEO_CARDS=""' > /etc/portage/make.conf/videocards.conf + +xargs -r emerge -vbknuUj --rebuilt-binaries=y --color=y < Date: Mon, 23 Dec 2024 08:41:04 -0600 Subject: [PATCH 03/15] Build Firefox w/ gcc Building _www-client/firefox_ fails fairly early with an error about not being able to find `aarch64-unknown-linux-gnu-clang-19` to use as `CC`. I have not been able to determine what is supposed to provide this program/symlink, nor much information at all about cross-compiling with Clang, really. We shall try building Firefox with GCC, since we know that toolchain is complete. --- portage/package.use/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/portage/package.use/firefox b/portage/package.use/firefox index 3580b88..a07789a 100644 --- a/portage/package.use/firefox +++ b/portage/package.use/firefox @@ -2,5 +2,5 @@ media-libs/harfbuzz -cairo media-libs/libvpx postproc media-libs/mesa -llvm wayland media-video/ffmpeg openssl -gnutls -www-client/firefox -telemetry dbus wayland +www-client/firefox -clang -telemetry dbus wayland x11-libs/gtk+ wayland -- 2.51.0 From 6dfea850362bc431332f3a5e893ca1d60bbbca53 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 23 Dec 2024 16:20:17 -0600 Subject: [PATCH 04/15] Install Firefox from Gentoo binpkg MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Unfortunately, even building Firefox with GCC fails: > 3:30.02 [gecko-profiler 0.1.0] /../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found > 3:30.02 [gecko-profiler 0.1.0] thread 'main' panicked at tools/profiler/rust-api/build.rs:104:10: > 3:30.02 [gecko-profiler 0.1.0] Unable to generate bindings: ClangDiagnostic("/../lib/gcc/aarch64-unknown-linux-gnu/14/include/g++-v14/cstdlib:79:15: fatal error: 'stdlib.h' file not found\n") Clearly, something is misconfigured, because `stdlib.h` does indeed exist. I am not sure what, though, and I am getting tired of messing with this. Fortunately, the official Gentoo binary package project has a build of _www-client/firefox_ for ARM64. It has a rather different USE flag configuration than what we did, though, so we have to pull in quite a few more dependencies. We can't just add _www-client/firefox_ to `install.packages` because Aimee OS runs `emerge` with `--getbinpkgonly`, which implies `--binpkg-changed-deps=y`. This since we want to build everything _except_ Firefox locally, the dependency graph is quite a bit different, so Portage ignores the binary package and will try to build _www-client/firefox_ from source. To work around this limitation, we need to install Firefox manually in the `customize.sh` script in two phases. First, we install all of its dependencies in the build root (`/usr/aarch64-…`), but not Firefox itself, to get binpkgs for them. Then, we install _www-client/firefox_ in the target root (`/mnt/gentoo`) with the `--getbinpkg` and `--usepkgonly` flags. Hopefully, one day I can figure out how to cross-compile Firefox (and it doesn't take days to build once I do), and we can remove this hackery. --- build.packages | 3 +++ customize.sh | 12 ++++++++++++ install.packages | 2 +- portage/make.conf/wayland.conf | 2 +- portage/package.accept_keywords/firefox | 1 - portage/package.use/firefox | 11 ++++++++++- prepare.sh | 5 +++++ 7 files changed, 32 insertions(+), 4 deletions(-) delete mode 100644 portage/package.accept_keywords/firefox diff --git a/build.packages b/build.packages index 9677552..26ab468 100644 --- a/build.packages +++ b/build.packages @@ -1,2 +1,5 @@ sys-boot/raspberrypi-firmware sys-boot/u-boot +x11-libs/gtk+ +media-libs/mesa +media-video/ffmpeg diff --git a/customize.sh b/customize.sh index f0bc12a..c27ae19 100755 --- a/customize.sh +++ b/customize.sh @@ -1,6 +1,18 @@ #!/bin/sh # vim: set sw=4 ts=4 sts=4 et : +. "${CONFIGDIR:=${PWD}}"/config + +O=$1 + +export PORTAGE_CONFIGROOT="$O"/portage + +if [ ! -f /mnt/gentoo/usr/lib64/firefox/firefox ]; then + ${target}-emerge -vbknuUDj --onlydeps --with-bdeps=n www-client/firefox:esr + PORTAGE_BINHOST=https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64 \ + ${target}-emerge -vgKnj --root=/mnt/gentoo www-client/firefox:esr +fi + passwd -R /mnt/gentoo -d root systemctl --root=/mnt/gentoo enable wpa_supplicant@wlan0 diff --git a/install.packages b/install.packages index 5c67a29..7998e21 100644 --- a/install.packages +++ b/install.packages @@ -1,2 +1,2 @@ net-wireless/wpa_supplicant -www-client/firefox +media-video/pipewire diff --git a/portage/make.conf/wayland.conf b/portage/make.conf/wayland.conf index 71d123e..624b840 100644 --- a/portage/make.conf/wayland.conf +++ b/portage/make.conf/wayland.conf @@ -1 +1 @@ -USE="${USE} -X wayland" +USE="${USE} wayland" diff --git a/portage/package.accept_keywords/firefox b/portage/package.accept_keywords/firefox deleted file mode 100644 index f0cbd3b..0000000 --- a/portage/package.accept_keywords/firefox +++ /dev/null @@ -1 +0,0 @@ -dev-libs/nss ~amd64 diff --git a/portage/package.use/firefox b/portage/package.use/firefox index a07789a..d877364 100644 --- a/portage/package.use/firefox +++ b/portage/package.use/firefox @@ -2,5 +2,14 @@ media-libs/harfbuzz -cairo media-libs/libvpx postproc media-libs/mesa -llvm wayland media-video/ffmpeg openssl -gnutls -www-client/firefox -clang -telemetry dbus wayland + +# Must match USE flags of the www-client/firefox package on the +# offical Gentoo binhost +www-client/firefox X clang dbus gmp-autoupdate gnome-shell jumbo-build pulseaudio system-av1 system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-webp telemetry wayland LLVM_SLOT: 19 -17 -18 +x11-libs/cairo X x11-libs/gtk+ wayland +media-libs/libglvnd X + +# Firefox requires a PulseAudio-compatible sound server; we use Pipewire +media-video/pipewire sound-server +media-libs/libcanberra udev alsa diff --git a/prepare.sh b/prepare.sh index 919d248..9c6dd89 100644 --- a/prepare.sh +++ b/prepare.sh @@ -1,5 +1,7 @@ #!/bin/sh +. "${CONFIGDIR:=${PWD}}"/config + if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then emerge-webrsync fi @@ -9,6 +11,7 @@ fi mkdir -p /etc/portage/package.use mkdir -p /etc/portage/make.conf +echo 'virtual/libudev systemd' >> /etc/portage/package.use/systemd cp portage/package.use/firefox /etc/portage/package.use/ cp portage/make.conf/introspection.conf /etc/portage/make.conf/ cp portage/make.conf/wayland.conf /etc/portage/make.conf/ @@ -17,3 +20,5 @@ echo 'VIDEO_CARDS=""' > /etc/portage/make.conf/videocards.conf xargs -r emerge -vbknuUj --rebuilt-binaries=y --color=y < Date: Sun, 29 Dec 2024 12:08:09 -0600 Subject: [PATCH 05/15] ci: archive build logs on failure --- ci/Jenkinsfile | 5 +++++ ci/podTemplate.yaml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile index 3c782f3..124de5c 100644 --- a/ci/Jenkinsfile +++ b/ci/Jenkinsfile @@ -34,5 +34,10 @@ pipeline { archiveArtifacts '*' } } + failure { + dir('/var/tmp/portage') { + archiveArtifacts '*/*/temp/*.log' + } + } } } diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml index 51cd9d8..a0f1c5c 100644 --- a/ci/podTemplate.yaml +++ b/ci/podTemplate.yaml @@ -32,6 +32,9 @@ spec: subPath: distfiles - mountPath: /var/db/repos/gentoo name: portage + - mountPath: /var/tmp + name: workspace-volume + subPath: tmp hostUsers: false volumes: - name: binpkgs -- 2.51.0 From b08263688b2b3e2da4764ad4c5fc794c9607e26b Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 29 Dec 2024 20:28:06 -0600 Subject: [PATCH 06/15] Begin implementing kiosk browser This commit introduces the _kiosk.service_ unit, which launches `sway` to start a Wayland session, which in turn launches Firefox. The `policies.json` file configures Firefox in a sort of kiosk mode, disabling most features and blocking all but the desginated sites. Unfortunately, running `firefox --kiosk` doesn't actually work: Firefox apparently runs, but doesn't draw anything on the screen. Note that we have to launch Firefox by its "real" path, since `/usr/bin/firefox` is a Bash script, and Bash is not installed. Fortunately, the wrapper script doesn't do anything we really care about, so bypassing it is fine. --- aimee-os | 2 +- customize.sh | 2 +- install.packages | 1 + overlay/etc/firefox/policies/policies.json | 57 +++++++++++++++++++ overlay/etc/pam.d/kiosk | 7 +++ overlay/etc/sway/kiosk.conf | 11 ++++ .../lib/systemd/system-preset/70-kiosk.preset | 3 + overlay/usr/lib/systemd/system/kiosk.service | 31 ++++++++++ overlay/usr/lib/sysusers.d/kiosk.conf | 2 + 9 files changed, 114 insertions(+), 2 deletions(-) create mode 100644 overlay/etc/firefox/policies/policies.json create mode 100644 overlay/etc/pam.d/kiosk create mode 100644 overlay/etc/sway/kiosk.conf create mode 100644 overlay/usr/lib/systemd/system-preset/70-kiosk.preset create mode 100644 overlay/usr/lib/systemd/system/kiosk.service create mode 100644 overlay/usr/lib/sysusers.d/kiosk.conf diff --git a/aimee-os b/aimee-os index 554063e..c30da6a 160000 --- a/aimee-os +++ b/aimee-os @@ -1 +1 @@ -Subproject commit 554063e1f4e316a6d3087a27076e0c6d5a34fca1 +Subproject commit c30da6a5ff0d2f9fade417e91b083d7b483f0984 diff --git a/customize.sh b/customize.sh index c27ae19..447106c 100755 --- a/customize.sh +++ b/customize.sh @@ -15,4 +15,4 @@ fi passwd -R /mnt/gentoo -d root -systemctl --root=/mnt/gentoo enable wpa_supplicant@wlan0 +systemctl --root=/mnt/gentoo set-default graphical.target diff --git a/install.packages b/install.packages index 7998e21..1c92159 100644 --- a/install.packages +++ b/install.packages @@ -1,2 +1,3 @@ +gui-wm/sway net-wireless/wpa_supplicant media-video/pipewire diff --git a/overlay/etc/firefox/policies/policies.json b/overlay/etc/firefox/policies/policies.json new file mode 100644 index 0000000..a1aeb90 --- /dev/null +++ b/overlay/etc/firefox/policies/policies.json @@ -0,0 +1,57 @@ +{ + "policies": { + "BlockAboutAddons": true, + "BlockAboutConfig": true, + "BlockAboutProfiles": true, + "CaptivePortal": false, + "DisableDeveloperTools": true, + "DisableFeedbackCommands": true, + "DisableFirefoxScreenshots": true, + "DisableFirefoxSutudies": true, + "DisableFormHistory": true, + "DisableMasterPasswordCreation": true, + "DisablePasswordReveal": true, + "DisablePocket": true, + "DisablePrivateBrowsing": true, + "DisableProfileImport": true, + "DisableProfileRefresh": true, + "DisableSecurityBypass": true, + "DisableSetDesktopBackground": true, + "DNSOverHTTPS": { + "Enabled": false, + "Locked": true + }, + "DontCheckDefaultBrowser": true, + "Homepage": { + "URL": "https://homeassistant.pyrocufflink.blue/", + "Locked": true, + "StartPage": "homepage-locked" + }, + "NewTabPage": false, + "NoDefaultBookmarks": true, + "OfferToSaveLogins": false, + "OverrideFirstRunPage": "", + "OverridePostUpdatePage": "", + "PasswordManagerEnabled": false, + "Preferences": { + "browser.sessionstore.resume_from_crash": { + "Value": false + }, + "browser.startup.couldRestoreSession.count": { + "Value": -1 + }, + "datareporting.policy.dataSubmissionPolicyBypassNotification": { + "Value": true + }, + "extensions.activeThemeID": { + "Value": "firefox-compact-dark@mozilla.org" + } + }, + "WebsiteFilter": { + "Block": [""], + "Exceptions": [ + "https://*.pyrocufflink.blue/*" + ] + } + } +} diff --git a/overlay/etc/pam.d/kiosk b/overlay/etc/pam.d/kiosk new file mode 100644 index 0000000..e36c548 --- /dev/null +++ b/overlay/etc/pam.d/kiosk @@ -0,0 +1,7 @@ +account required pam_localuser.so + +session optional pam_loginuid.so +session required pam_env.so envfile=/etc/profile.env +session required pam_limits.so +session required pam_env.so +session required pam_systemd.so diff --git a/overlay/etc/sway/kiosk.conf b/overlay/etc/sway/kiosk.conf new file mode 100644 index 0000000..590fdde --- /dev/null +++ b/overlay/etc/sway/kiosk.conf @@ -0,0 +1,11 @@ +# vim: set ft=swayconfig : + +output DSI-1 resolution 720x1280 transform 90 + +input * { + map_to_output DSI-1 +} + +exec /usr/lib64/firefox/firefox + +for_window [title="Mozilla Firefox"] fullscreen diff --git a/overlay/usr/lib/systemd/system-preset/70-kiosk.preset b/overlay/usr/lib/systemd/system-preset/70-kiosk.preset new file mode 100644 index 0000000..8d571ce --- /dev/null +++ b/overlay/usr/lib/systemd/system-preset/70-kiosk.preset @@ -0,0 +1,3 @@ +enable wpa_supplicant@.service wlan0 + +enable kiosk.service diff --git a/overlay/usr/lib/systemd/system/kiosk.service b/overlay/usr/lib/systemd/system/kiosk.service new file mode 100644 index 0000000..3eaf046 --- /dev/null +++ b/overlay/usr/lib/systemd/system/kiosk.service @@ -0,0 +1,31 @@ +[Unit] +After=systemd-user-sessions.service plymouth-quit-wait.service +Before=graphical.target +ConditionPathExists=/dev/tty1 +Wants=dbus.socket systemd-logind.service +After=dbus.socket systemd-logind.service +Conflicts=getty@tty1.service +After=getty@tty1.service +Wants=time-sync.target +After=time-sync.target + +[Service] +StateDirectory=%N +CacheDirectory=%N +Environment=XDG_CACHE_HOME=%C/%N +ExecStart=/usr/bin/sway -c /etc/sway/kiosk.conf +User=kiosk +StandardInput=tty +StandardOutput=tty +StandardError=journal +TTYPath=/dev/tty1 +TTYReset=yes +TTYVHangup=yes +TTYVTDisallocate=yes +PAMName=kiosk +UtmpMode=user +UtmpIdentifier=tty1 + +[Install] +WantedBy=graphical.target +Alias=display-manager.service diff --git a/overlay/usr/lib/sysusers.d/kiosk.conf b/overlay/usr/lib/sysusers.d/kiosk.conf new file mode 100644 index 0000000..6cfac69 --- /dev/null +++ b/overlay/usr/lib/sysusers.d/kiosk.conf @@ -0,0 +1,2 @@ +g kiosk - +u kiosk - "Kiosk User" /var/lib/kiosk /bin/sh -- 2.51.0 From 001c471567c53bdc62cad66ee2b89d1404e31fce Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 31 Dec 2024 11:25:24 -0600 Subject: [PATCH 07/15] kernel/firmware: Support RPi GPU, touchscreen Getting the Raspberry Pi 4 GPU and 7-inch Touch Display 2 working was quite challenging. Several kernel drivers are needed, beyond the obvious VC4 and V3D, like voltage regulators and backlight controls. Even with all the drivers enabled, I still had trouble getting `/dev/dri/card1` (the display device, as opposed to `/dev/dri/card0`, the 3D rendering device) to appear until I explicitly enabled the `vc4-kms-dsi-ili9881-7inch` device tree overlay. I am not entirely sure why this is necessary, since `display_auto_detect` supposedly should have added this overlay automatically. I am also not sure how it would work if I wanted to use an HDMI monitor instead of the DSI panel, but fortunately, for this project, that's not necessary. --- config.txt | 14 ++++++------ linux.config | 60 +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 65 insertions(+), 9 deletions(-) diff --git a/config.txt b/config.txt index 4670275..f0b1528 100644 --- a/config.txt +++ b/config.txt @@ -1,12 +1,8 @@ arm_64bit=1 +arm_boost=1 start_x=1 -bootcode_delay=0 -boot_delay=0 - -gpu_mem=32 - kernel=u-boot.bin enable_uart=1 @@ -14,4 +10,10 @@ dtoverlay=miniuart-bt dtparam i2c_arm=on -device_tree=bcm2711-rpi-4-b.dtb +display_auto_detect=1 +dtoverlay=vc4-kms-v3d +dtoverlay=vc4-kms-dsi-ili9881-7inch +max_framebuffers=2 +disable_fw_kms_setup=1 +disable_overscan=1 +dtparam=audio=on diff --git a/linux.config b/linux.config index 169ff93..e61d910 100644 --- a/linux.config +++ b/linux.config @@ -45,12 +45,65 @@ CONFIG_IPV6=y CONFIG_IPV6_SIT=m CONFIG_IPV6_SIT_6RD=m +CONFIG_INPUT_TOUCHSCREEN=y +CONFIG_TOUCHSCREEN_GOODIX=m +CONFIG_TOUCHSCREEN_EDT_FT5X06=m +CONFIG_TOUCHSCREEN_RASPBERRYPI_FW=m + +CONFIG_REGULATOR_RASPBERRYPI_TOUCHSCREEN_ATTINY=m +CONFIG_REGULATOR_RASPBERRYPI_TOUCHSCREEN_V2=m # CONFIG_MEDIA_CEC_SUPPORT is not set # CONFIG_MEDIA_SUPPORT is not set -# CONFIG_SOUND is not set -# CONFIG_SND is not set -# CONFIG_SND_SOC is not set +CONFIG_DRM=m +CONFIG_DRM_KMS_HELPER=m +CONFIG_DRM_LOAD_EDID_FIRMWARE=y +CONFIG_DRM_DISPLAY_HELPER=m +CONFIG_DRM_GEM_SHMEM_HELPER=m +CONFIG_DRM_SCHED=m +CONFIG_DRM_PANEL_SIMPLE=m +CONFIG_DRM_PANEL_ILITEK_ILI9806E=m +CONFIG_DRM_PANEL_ILITEK_ILI9881C=m +CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN=y +CONFIG_DRM_DISPLAY_CONNECTOR=m +CONFIG_DRM_TOSHIBA_TC358762=m +CONFIG_DRM_SIMPLE_BRIDGE=m +CONFIG_DRM_V3D=m +CONFIG_VC4=m +CONFIG_DRM_VC4_HDMI_CEC=y +CONFIG_DRM_RP1_DSI=m +CONFIG_DRM_RP1_DPI=m +CONFIG_DRM_RP1_VEC=m +CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=m +CONFIG_FB_BCM2708=y +CONFIG_FB_SIMPLE=y +CONFIG_FB_SSD1307=m +CONFIG_FB_RPISENSE=m +CONFIG_FB_CFB_FILLRECT=y +CONFIG_FB_CFB_COPYAREA=y +CONFIG_FB_CFB_IMAGEBLIT=y +CONFIG_FB_IOMEM_HELPERS=y +CONFIG_FB_BACKLIGHT=m +CONFIG_BACKLIGHT_CLASS_DEVICE=m +CONFIG_BACKLIGHT_PWM=m +CONFIG_BACKLIGHT_RPI=m +CONFIG_BACKLIGHT_LM3630A=m +CONFIG_BACKLIGHT_GPIO=m +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y +CONFIG_BCM_VC_SM_CMA=m + +CONFIG_SOUND=y +CONFIG_SND=m +# CONFIG_SND_PCM_TIMER is not set +# CONFIG_SND_SUPPORT_OLD_API is not set +# CONFIG_SND_PROC_FS is not set +# CONFIG_SND_CTL_FAST_LOOKUP is not set +# CONFIG_SND_DRIVERS is not set +# CONFIG_SND_PCI is not set +# CONFIG_SND_SPI is not set +# CONFIG_SND_USB is not set +CONFIG_SND_SOC=m +CONFIG_SND_BCM2835_SOC_I2S=m CONFIG_AUDIT=y CONFIG_SECURITY=y @@ -64,6 +117,7 @@ CONFIG_MEMCG=y CONFIG_CGROUP_PIDS=y CONFIG_BLK_CGROUP=y +CONFIG_I2C_HID_OF_GOODIX=m CONFIG_USB_DWC2=m CONFIG_USB_DWC2_PCI=m CONFIG_USB_ACM=m -- 2.51.0 From 10b7901d5d7b3e20408a7602835bc30c28cd5abe Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 31 Dec 2024 11:25:38 -0600 Subject: [PATCH 08/15] kernel: Enable BPF firewall for systemd _systemd_ complains if this is not enabled, as it prevents certain sandbox features from working. --- linux.config | 2 ++ 1 file changed, 2 insertions(+) diff --git a/linux.config b/linux.config index e61d910..eecd382 100644 --- a/linux.config +++ b/linux.config @@ -112,9 +112,11 @@ CONFIG_SECURITY_SELINUX=y CONFIG_DEFAULT_SECURITY_SELINUX=y # DEFAULT_SECURITY_DAC is not set +CONFIG_BPF_SYSCALL=y CONFIG_POSIX_MQUEUE=y CONFIG_MEMCG=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_BPF=y CONFIG_BLK_CGROUP=y CONFIG_I2C_HID_OF_GOODIX=m -- 2.51.0 From e21df5effe6563ce7726cff9b206a34dc0d0e5a0 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 31 Dec 2024 11:25:42 -0600 Subject: [PATCH 09/15] exclude: Omit systemd-ssh-generator This thing is pointless. Unfortunately, we cannot use Portage's `INSTALL_MASK` feature as it doesn't work for symbolic links. Since _systemd_ installs symlinks in `/etc/ssh` that point to files we would mask, those symlinks would point to nothing, which would cause `sshd` to fail to start as it is unable to open those files. Thus, we have to omit these files by excluding them from the squashfs image. --- squashfs.exclude | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 squashfs.exclude diff --git a/squashfs.exclude b/squashfs.exclude new file mode 100644 index 0000000..59021cb --- /dev/null +++ b/squashfs.exclude @@ -0,0 +1,5 @@ +etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf +etc/ssh/sshd_config.d/20-systemd-userdb.conf +usr/lib/systemd/ssh_config.d +usr/lib/systemd/sshd_config.d +usr/lib/systemd/system-generators/systemd-ssh-generator -- 2.51.0 From 4b586b70ad081a079965ef439c9a460fd54c8e74 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 2 Jan 2025 12:22:49 -0600 Subject: [PATCH 10/15] kernel: Enable user namespaces for Firefox Firefox complains about "security features" not working if this is not enabled. --- linux.config | 1 + 1 file changed, 1 insertion(+) diff --git a/linux.config b/linux.config index eecd382..3d8dcd9 100644 --- a/linux.config +++ b/linux.config @@ -118,6 +118,7 @@ CONFIG_MEMCG=y CONFIG_CGROUP_PIDS=y CONFIG_CGROUP_BPF=y CONFIG_BLK_CGROUP=y +CONFIG_USER_NS=y CONFIG_I2C_HID_OF_GOODIX=m CONFIG_USB_DWC2=m -- 2.51.0 From 413e76128adba2bd05544f15fdce7f3899d780f1 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 2 Jan 2025 12:56:28 -0600 Subject: [PATCH 11/15] overlay: Add authorized SSH keys for root Adding my personal keys so I can manage the system remotely. --- overlay/root/.ssh/authorized_keys | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 overlay/root/.ssh/authorized_keys diff --git a/overlay/root/.ssh/authorized_keys b/overlay/root/.ssh/authorized_keys new file mode 100644 index 0000000..40c9995 --- /dev/null +++ b/overlay/root/.ssh/authorized_keys @@ -0,0 +1,4 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.p +yrocufflink.blue +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyroc +ufflink.blue -- 2.51.0 From 953db28cfdcaf4b9e0c258c479920daa30cd9850 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 2 Jan 2025 13:13:28 -0600 Subject: [PATCH 12/15] prepare: Never sync Portage repos To minimize unexpected changes between builds, I'm going to schedule a separate task to sync the Portage repositories. This way, we know that two runs in a row from the same source will have the same packages, unless we have specifically updated Portage. --- prepare.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/prepare.sh b/prepare.sh index 9c6dd89..48408d9 100644 --- a/prepare.sh +++ b/prepare.sh @@ -2,13 +2,6 @@ . "${CONFIGDIR:=${PWD}}"/config -if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then - emerge-webrsync -fi -if [ "$(find /var/db/repos/gentoo/metadata -newermt '-24 hours' | wc -l)" -eq 0 ]; then - emaint sync -fi - mkdir -p /etc/portage/package.use mkdir -p /etc/portage/make.conf echo 'virtual/libudev systemd' >> /etc/portage/package.use/systemd -- 2.51.0 From fa8c0aec6e59be29e3af4d83cfd17a772a384f85 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 2 Jan 2025 13:15:42 -0600 Subject: [PATCH 13/15] Update Aimee OS --- aimee-os | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aimee-os b/aimee-os index c30da6a..b43e831 160000 --- a/aimee-os +++ b/aimee-os @@ -1 +1 @@ -Subproject commit c30da6a5ff0d2f9fade417e91b083d7b483f0984 +Subproject commit b43e8319f4655ccef463100f198e45c30401c27b -- 2.51.0 From e24a49a6276e5a278ff8821c4db35e3c0e104340 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 2 Jan 2025 17:48:04 -0600 Subject: [PATCH 14/15] network: Use MAC address as DHCP client ID _systemd-networkd_ uses a randomly-generated ID as the DHCP client identifier by default. On Aimee OS, it is not able to persist this ID between boots; I think it may derive the value from the machine ID. To avoid getting a new IP address every boot, we can configure it to use the MAC address of the device as the DHCP client ID. --- overlay/etc/systemd/network/95-default.network | 1 + 1 file changed, 1 insertion(+) diff --git a/overlay/etc/systemd/network/95-default.network b/overlay/etc/systemd/network/95-default.network index 3a1192d..ccd31c5 100644 --- a/overlay/etc/systemd/network/95-default.network +++ b/overlay/etc/systemd/network/95-default.network @@ -5,6 +5,7 @@ Type=ether wlan DHCP=yes [DHCPv4] +ClientIdentifier=mac UseDomains=yes [DHCPv6] -- 2.51.0 From ad37463416735a73d4b9bbdbd19eb72acd61be44 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 3 Jan 2025 14:15:20 -0600 Subject: [PATCH 15/15] photoframe: Start photo slide show on idle The `photoframe` script was based on the one used by the original Buildroot-based photo frame system. I've split it into two processes, though: one to listen to the URL stream and download new photos as instructed by the server, and another to actually display the photos. Getting `feh` and Firefox to both be fullscreen at the same time was difficult, and only works if they are on separate Sway workspaces. Thus, "activating" the slide show means switching to the workspace where `feh` is and "deactivating" it means switching back to Firefox's workspace. --- install.packages | 5 +++- overlay/etc/sway/kiosk.conf | 8 ++++++ overlay/usr/bin/photoframe | 46 ++++++++++++++++++++++++++++++++++ portage/package.use/photoframe | 5 ++++ 4 files changed, 63 insertions(+), 1 deletion(-) create mode 100755 overlay/usr/bin/photoframe create mode 100644 portage/package.use/photoframe diff --git a/install.packages b/install.packages index 1c92159..600e5b5 100644 --- a/install.packages +++ b/install.packages @@ -1,3 +1,6 @@ +gui-apps/swayidle gui-wm/sway -net-wireless/wpa_supplicant +media-gfx/feh media-video/pipewire +net-misc/curl +net-wireless/wpa_supplicant diff --git a/overlay/etc/sway/kiosk.conf b/overlay/etc/sway/kiosk.conf index 590fdde..956f768 100644 --- a/overlay/etc/sway/kiosk.conf +++ b/overlay/etc/sway/kiosk.conf @@ -7,5 +7,13 @@ input * { } exec /usr/lib64/firefox/firefox +exec /usr/bin/photoframe stream + +exec swayidle -w \ + timeout 120 'photoframe show' resume 'photoframe hide' for_window [title="Mozilla Firefox"] fullscreen +for_window [class="photoframe"] fullscreen + +assign [title="Mozilla Firefox"] 1 +assign [class="photoframe"] 2 diff --git a/overlay/usr/bin/photoframe b/overlay/usr/bin/photoframe new file mode 100755 index 0000000..d1ebdab --- /dev/null +++ b/overlay/usr/bin/photoframe @@ -0,0 +1,46 @@ +#!/bin/sh + +photoframe_hide() { + swaymsg 'workspace 1' +} + +photoframe_show() { + # Run on a separate workspace so Firefox can stay fullscreen, too + swaymsg 'workspace 2' + if [ -f /tmp/photoframe.pid ]; then + # feh is already running + return 0 + fi + if [ ! -f /tmp/photoframe-current ]; then + cp /usr/share/feh/images/feh.png /tmp/photoframe-current + fi + feh -FZ --draw-exif --class photoframe /tmp/photoframe-current & + # Wait for the feh window to actually appear ... + swaymsg -t subscribe '["window"]' + # Sometimes, Sway's `for_window ... fullscreen` doesn't work? + swaymsg fullscreen + echo $! > /tmp/photoframe.pid +} + +photoframe_stream() { + while :; do + curl -NsS https://photos.pyrocufflink.blue/stream | + while read url; do + curl -fsL -o /tmp/photoframe-next "${url}" || continue + mv /tmp/photoframe-next /tmp/photoframe-current + done + sleep 30 + done +} + +case $1 in +show) + photoframe_show + ;; +hide) + photoframe_hide + ;; +stream) + photoframe_stream + ;; +esac diff --git a/portage/package.use/photoframe b/portage/package.use/photoframe new file mode 100644 index 0000000..9888bdf --- /dev/null +++ b/portage/package.use/photoframe @@ -0,0 +1,5 @@ +gui-apps/swayidle -systemd +gui-libs/wlroots X +gui-wm/sway X +media-gfx/feh exif inotify +net-misc/curl -alt-svc -ftp -hsts -http3 -imap -pop3 -progress-meter -psl -quic -smtp -tftp -websockets -adns -http2 CURL_QUIC: -* -- 2.51.0