feat: Add support for ipxe boot ephemeral systems

sw/default.nix

@@ -32,6 +32,7 @@ in
         "desktop"
         "tablet-kiosk"
         "headless"
+        "stateless-kiosk"
       ];
       default = "desktop";
       description = "Type of system configuration: 'desktop' for normal OS, 'tablet-kiosk' for tablet/kiosk mode.";
@@ -91,7 +92,7 @@ in
         ];
     }
     # Import Desktop or Kiosk modules based on type
-    (mkIf (cfg.type == "desktop") (
+        (mkIf (cfg.type == "desktop") (
       import ./desktop {
         inherit
           config
@@ -121,5 +122,15 @@ in
           ;
       }
     ))
+    (mkIf (cfg.type == "stateless-kiosk") (
+      import ./stateless-kiosk {
+        inherit
+          config
+          lib
+          pkgs
+          inputs
+          ;
+      }
+    ))
   ]);
 }

sw/stateless-kiosk/default.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+lib.mkMerge [
+  (import ./kiosk-browser.nix {
+    inherit
+      config
+      lib
+      pkgs
+      inputs
+      ;
+  })
+  (import ./net.nix {
+    inherit
+      config
+      lib
+      pkgs
+      inputs
+      ;
+  })
+  {
+    services.openssh.enable = false;
+  }
+]

sw/stateless-kiosk/kiosk-browser.nix

@@ -0,0 +1,118 @@
+{ config, lib, pkgs, ... }:
+
+let
+  kioskPolicies = {
+    DisableAppUpdate = true;
+    DisableFirefoxStudies = true;
+    DisableTelemetry = true;
+    DisablePocket = true;
+    DisableSetDesktopBackground = true;
+    DisableFeedbackCommands = true;
+    DontCheckDefaultBrowser = true;
+    OverrideFirstRunPage = "";
+    OverridePostUpdatePage = "";
+    NoDefaultBookmarks = true;
+    DisableProfileImport = true;
+
+    Permissions = {
+      Camera        = { Allow = ["homeassistant.lan"]; };
+      Microphone    = { Allow = ["homeassistant.lan"]; };
+      Location      = { Allow = ["homeassistant.lan"]; };
+      Notifications = { Allow = ["homeassistant.lan"]; };
+      Clipboard     = { Allow = ["homeassistant.lan"]; };
+      Fullscreen    = { Allow = ["homeassistant.lan"]; };
+    };
+  };
+
+  extraPrefs = pkgs.writeText "kiosk-prefs.js" ''
+    pref("browser.shell.checkDefaultBrowser", false);
+    pref("browser.startup.homepage_override.mstone", "ignore");
+    pref("startup.homepage_welcome_url", "");
+    pref("startup.homepage_welcome_url.additional", "");
+    pref("browser.sessionstore.resume_from_crash", false);
+    pref("browser.sessionstore.max_resumed_crashes", 0);
+    pref("network.captive-portal-service.enabled", false);
+    pref("network.connectivity-service.enabled", false);
+    pref("browser.messaging-system.whatsNewPanel.enabled", false);
+    pref("browser.aboutwelcome.enabled", false);
+    pref("privacy.popups.showBrowserMessage", false);
+  '';
+
+  firefoxWrapped = pkgs.wrapFirefox pkgs.firefox-unwrapped {
+    extraPolicies = kioskPolicies;
+    extraPrefsFiles = [ extraPrefs ];
+  };
+
+  firefoxKiosk = pkgs.writeShellScriptBin "firefoxkiosk" ''
+    #!/usr/bin/env bash
+    set -eu
+
+    BASE="http://homeassistant.lan:8123"
+
+    get_primary_mac() {
+      for dev in /sys/class/net/*; do
+        iface="$(basename "$dev")"
+        [ "$iface" = "lo" ] && continue
+        if [ -f "$dev/type" ] && [ "$(cat "$dev/type")" = "1" ]; then
+          cat "$dev/address"
+          return 0
+        fi
+      done
+      return 1
+    }
+
+    MAC="$(get_primary_mac 2>/dev/null || echo "")"
+    MAC="$(echo "$MAC" | tr '[:upper:]' '[:lower:]')"
+
+    case "$MAC" in
+      "00:e0:4c:46:0b:32") STATION="1" ;;
+      "00:e0:4c:46:07:26") STATION="2" ;; 
+      "00:e0:4c:46:05:94") STATION="3" ;;
+      "00:e0:4c:46:07:11") STATION="4" ;;
+      "00:e0:4c:46:08:02") STATION="5" ;;
+      "00:e0:4c:46:08:5c") STATION="6" ;;
+      *) ;;
+    esac
+
+    DEFAULT_PATH="lovelace/0"
+    PATH_PART="$DEFAULT_PATH"
+    BROWSER_ID=""  # browser_mod identifier
+
+    if [ -n "$STATION" ]; then
+      PATH_PART="assembly-line/$STATION"
+      BROWSER_ID="Station%20$STATION"
+    fi
+
+    URL="$BASE/$PATH_PART"
+
+    # Add BrowserID query param if we have one
+    if [ -n "$BROWSER_ID" ]; then
+      if [[ "$URL" == *"?"* ]]; then
+	URL="$URL&BrowserID=$BROWSER_ID"
+      else
+	URL="$URL?BrowserID=$BROWSER_ID"
+      fi
+    fi
+
+    sleep 2
+
+    exec ${firefoxWrapped}/bin/firefox --kiosk "$URL"
+  '';
+in
+{
+  environment.systemPackages = [ firefoxKiosk ];
+
+  services.xserver.enable = false;
+  services.seatd.enable = true;
+
+  services.cage = {
+    enable = true;
+    user = "engr-ugaif";
+    program = "${firefoxKiosk}/bin/firefoxkiosk";
+  };
+
+  systemd.services.cage = {
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+  };
+}

sw/stateless-kiosk/net.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, inputs, ... }:
+{
+  # Minimal container networking (systemd-networkd)
+  networking = {
+    useNetworkd = true;
+    networkmanager.enable = false;
+    dhcpcd.enable = false;
+    useDHCP = false;
+    useHostResolvConf = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    wait-online.enable = true;
+
+    networks."10-wired" = {
+      matchConfig.Type = "ether";
+      networkConfig = {
+        LinkLocalAddressing = false;
+        DHCP = "no";
+        VLAN = [ "vlan5" ];
+      };
+      linkConfig.RequiredForOnline = "no";
+    };
+
+    netdevs."20-vlan5" = {
+      netdevConfig = {
+        Kind = "vlan";
+	Name = "vlan5";
+      };
+      vlanConfig.Id = 5;
+    };
+
+    networks."30-vlan5" = {
+      matchConfig.Name = "vlan5";
+      networkConfig = {
+        DHCP = "ipv4";
+        IPv6AcceptRA = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}