diff --git a/setup-signage.sh b/setup-signage.sh index b1e348a..8e67fcd 100644 --- a/setup-signage.sh +++ b/setup-signage.sh @@ -20,13 +20,15 @@ KIOSK_URL="https://example.com" SIGNAGE_USER="signage" # WayVNC Configuration -WAYVNC_PASSWORD_TO_SET="" # Example: "your_secure_password" -WAYVNC_LISTEN_ADDRESS="0.0.0.0" # Listen on all interfaces -WAYVNC_PORT="5900" # Default VNC port +# SET THIS PASSWORD! If left blank, a default 'changeme' will be used, which is INSECURE. +WAYVNC_PASSWORD_TO_SET="burek123" # Example: "your_secure_password" +WAYVNC_USERNAME="signage_vnc" # Username for VNC authentication +WAYVNC_LISTEN_ADDRESS="0.0.0.0" # Listen on all interfaces +WAYVNC_PORT="5900" # Default VNC port # --- End Configuration --- # --- Step Counter --- -TOTAL_STEPS=13 # Adjust this if you add/remove major steps +TOTAL_STEPS=14 # Adjusted for new WayVNC config step CURRENT_STEP=0 log_step_message() { @@ -39,6 +41,10 @@ echo -e "${BLU}Starting Alpine Linux Signage Setup (Using Sway, greetd, WayVNC). echo -e "${BLU}Target URL: ${GRN}$KIOSK_URL${DEF}" echo -e "${BLU}Signage User: ${GRN}$SIGNAGE_USER${DEF}" echo -e "${BLU}WayVNC will listen on: ${GRN}$WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT${DEF}" +if [ -z "$WAYVNC_PASSWORD_TO_SET" ]; then + echo -e "${RED}WARNING: WAYVNC_PASSWORD_TO_SET is empty. A default insecure password 'changeme' will be used.${DEF}" + WAYVNC_PASSWORD_TO_SET="changeme" +fi echo "-------------------------------------" # 1. Check if running as root 
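Review bot: `WAYVNC_PASSWORD_TO_SET="burek123"` commits what looks like a real credential to the repository, so every kiosk provisioned from this script shares a password that anyone with read access to the repo knows, while the server listens on `0.0.0.0`. Keep the value out of the file and take it from the environment at run time, e.g. `WAYVNC_PASSWORD_TO_SET="${WAYVNC_PASSWORD_TO_SET:-}"`. If this value was ever deployed it should be treated as exposed and rotated, because it stays in the git history even after a later edit.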
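Review bot: An empty `WAYVNC_PASSWORD_TO_SET` falls back to the well-known value `changeme` and the script carries on, so a forgotten setting still produces a network-reachable VNC server with a guessable password. Fail closed instead: keep the message, send it to stderr with `>&2`, and replace the assignment `WAYVNC_PASSWORD_TO_SET="changeme"` with `exit 1`. The later `changeme` comparisons in step 10 and in the final summary then become unnecessary.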
@@ -47,25 +53,20 @@ if [ "$(id -u)" -ne 0 ]; then exit 1 fi -# 2. Check for 'nomodeset' kernel parameter (early check) -set +e # Temporarily disable exit-on-error +# 2. Check for 'nomodeset' kernel parameter +set +e KERNEL_CMDLINE=$(cat /proc/cmdline) log_step_message "Checking kernel command line for 'nomodeset'" echo "Command line: $KERNEL_CMDLINE" if echo "$KERNEL_CMDLINE" | grep -q -w 'nomodeset'; then - echo "" echo -e "${RED}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!${DEF}" - echo -e "${RED}!! ${YLW}WARNING: Kernel parameter 'nomodeset' detected in /proc/cmdline! ${RED}!!${DEF}" - echo -e "${RED}!! ${YLW}This PREVENTS Wayland compositors (like Sway) from working correctly with DRM.${RED}!!${DEF}" - echo -e "${RED}!! ${YLW}You MUST remove 'nomodeset' from your bootloader configuration ${RED}!!${DEF}" - echo -e "${RED}!! ${YLW}(e.g., /etc/default/grub or /boot/extlinux.conf) and update/reboot ${RED}!!${DEF}" - echo -e "${RED}!! ${YLW}for the graphical kiosk to function. ${RED}!!${DEF}" + echo -e "${RED}!! ${YLW}WARNING: 'nomodeset' detected! Wayland (Sway) will likely NOT work. ${RED}!!${DEF}" + echo -e "${RED}!! ${YLW}Remove 'nomodeset' from your bootloader config and reboot. ${RED}!!${DEF}" echo -e "${RED}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!${DEF}" - echo "" else echo -e "${GRN}'nomodeset' not found. Proceeding...${DEF}" fi -set -e # Re-enable exit-on-error +set -e echo "-------------------------------------" # 3. Update repositories 
@@ -73,15 +74,15 @@ log_step_message "Updating package repositories" apk update echo "-------------------------------------" -# 4. Setup base Wayland environment (includes enabling community repo) +# 4. Setup base Wayland environment log_step_message "Setting up base Wayland environment (elogind, eudev)" apk add --no-cache alpine-conf -setup-wayland-base # This enables community repository +setup-wayland-base echo -e "${GRN}Base Wayland environment setup complete.${DEF}" echo "-------------------------------------" -# 5. Install necessary packages -log_step_message "Installing Sway, Chromium, Mesa, D-Bus, Fonts, Firmware, Greetd, WayVNC, swaybg, open-vm-tools" +# 5. Install necessary packages (openssl added) +log_step_message "Installing core packages (Sway, Chromium, Greetd, WayVNC, openssl etc.)" apk add \ sway \ swayidle \ @@ -100,11 +101,11 @@ apk add \ greetd \ greetd-agreety \ wayvnc \ - open-vm-tools + openssl # Added for key generation echo -e "${GRN}Required packages installed.${DEF}" echo "-------------------------------------" -# 6. Enable & Start D-Bus service +# 6. D-Bus service log_step_message "Enabling and starting D-Bus service" if ! rc-service dbus status > /dev/null 2>&1; then rc-update add dbus default @@ -115,13 +116,11 @@ else fi echo "-------------------------------------" -# 7. Enable & Start open-vm-tools service (if installed) +# 7. open-vm-tools service log_step_message "Enabling and starting open-vm-tools service" if apk info --installed open-vm-tools > /dev/null 2>&1; then if ! rc-service open-vm-tools status > /dev/null 2>&1; then - echo -e "${BLU}Enabling open-vm-tools service...${DEF}" rc-update add open-vm-tools default - echo -e "${BLU}Starting open-vm-tools service...${DEF}" rc-service open-vm-tools start echo -e "${GRN}open-vm-tools service enabled and started.${DEF}" else 
@@ -132,148 +131,129 @@ else fi echo "-------------------------------------" -# 8. Create the signage user and add to necessary groups +# 8. Create signage user and groups log_step_message "Creating signage user '$SIGNAGE_USER' and configuring groups" if ! id -u "$SIGNAGE_USER" >/dev/null 2>&1; then - echo -e "${BLU}Creating group '$SIGNAGE_USER' (for primary group)...${DEF}" addgroup "$SIGNAGE_USER" - echo -e "${BLU}Creating user '$SIGNAGE_USER' with shell /bin/sh...${DEF}" adduser -D -G "$SIGNAGE_USER" -s /bin/sh -h "/home/$SIGNAGE_USER" "$SIGNAGE_USER" - - echo -e "${BLU}Adding user '$SIGNAGE_USER' to 'video' supplementary group...${DEF}" addgroup "$SIGNAGE_USER" video - echo -e "${BLU}Adding user '$SIGNAGE_USER' to 'input' supplementary group...${DEF}" addgroup "$SIGNAGE_USER" input echo -e "${GRN}User '$SIGNAGE_USER' created and added to video/input groups.${DEF}" else - echo -e "${YLW}User '$SIGNAGE_USER' already exists. Ensuring shell is /bin/sh and group memberships...${DEF}" + echo -e "${YLW}User '$SIGNAGE_USER' already exists. Ensuring shell and groups...${DEF}" usermod -s /bin/sh "$SIGNAGE_USER" - - if ! getent group "$SIGNAGE_USER" >/dev/null 2>&1; then - echo -e "${BLU}Primary group '$SIGNAGE_USER' not found, creating it.${DEF}" - addgroup "$SIGNAGE_USER" - if ! groups "$SIGNAGE_USER" | grep -q -w "$SIGNAGE_USER"; then - addgroup "$SIGNAGE_USER" "$SIGNAGE_USER" - fi - fi - - echo -e "${BLU}Ensuring $SIGNAGE_USER is in 'video' supplementary group...${DEF}" - if ! groups "$SIGNAGE_USER" | grep -q -w video; then - addgroup "$SIGNAGE_USER" video - echo -e "${GRN}$SIGNAGE_USER added to 'video'.${DEF}" - else - echo -e "${GRN}$SIGNAGE_USER already in 'video'.${DEF}" - fi - - echo -e "${BLU}Ensuring $SIGNAGE_USER is in 'input' supplementary group...${DEF}" - if ! 
groups "$SIGNAGE_USER" | grep -q -w input; then - addgroup "$SIGNAGE_USER" input - echo -e "${GRN}$SIGNAGE_USER added to 'input'.${DEF}" - else - echo -e "${GRN}$SIGNAGE_USER already in 'input'.${DEF}" - fi + if ! getent group "$SIGNAGE_USER" >/dev/null 2>&1; then addgroup "$SIGNAGE_USER"; if ! groups "$SIGNAGE_USER" | grep -q -w "$SIGNAGE_USER"; then addgroup "$SIGNAGE_USER" "$SIGNAGE_USER"; fi; fi + if ! groups "$SIGNAGE_USER" | grep -q -w video; then addgroup "$SIGNAGE_USER" video; echo -e "${GRN}Added $SIGNAGE_USER to video.${DEF}"; else echo -e "${GRN}$SIGNAGE_USER already in video.${DEF}"; fi + if ! groups "$SIGNAGE_USER" | grep -q -w input; then addgroup "$SIGNAGE_USER" input; echo -e "${GRN}Added $SIGNAGE_USER to input.${DEF}"; else echo -e "${GRN}$SIGNAGE_USER already in input.${DEF}"; fi fi SIGNAGE_HOME="/home/$SIGNAGE_USER" -if [ ! -d "$SIGNAGE_HOME" ]; then - echo -e "${BLU}Creating home directory '$SIGNAGE_HOME'...${DEF}" - mkdir -p "$SIGNAGE_HOME" -fi -chown "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_HOME" +mkdir -p "$SIGNAGE_HOME/.local/share/sway" +chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_HOME" chmod 750 "$SIGNAGE_HOME" - -SIGNAGE_LOCAL_SHARE="$SIGNAGE_HOME/.local/share" -mkdir -p "$SIGNAGE_LOCAL_SHARE/sway" -chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_HOME/.local" -chmod 700 "$SIGNAGE_HOME/.local" -chmod 700 "$SIGNAGE_LOCAL_SHARE" -chmod 700 "$SIGNAGE_LOCAL_SHARE/sway" -echo -e "${GRN}User home directory and local share directory configured.${DEF}" +chmod -R 700 "$SIGNAGE_HOME/.local" +echo -e "${GRN}User home directory configured.${DEF}" echo "-------------------------------------" -# 9. Configure user's .profile for WayVNC password and other environment variables +# 9. 
Configure user's .profile (WayVNC password not needed here anymore) log_step_message "Configuring $SIGNAGE_HOME/.profile for $SIGNAGE_USER" SIGNAGE_PROFILE="$SIGNAGE_HOME/.profile" - cat > "$SIGNAGE_PROFILE" << EOF # Profile for $SIGNAGE_USER executed by /bin/sh on login -# --- WayVNC Configuration --- -# IMPORTANT: Set a strong password for WayVNC if it's accessible from untrusted networks. -# Uncomment and set your password: -# export WAYVNC_PASSWORD="your_very_secure_password_here" -EOF - -if [ -n "$WAYVNC_PASSWORD_TO_SET" ]; then - echo "export WAYVNC_PASSWORD=\"$WAYVNC_PASSWORD_TO_SET\"" >> "$SIGNAGE_PROFILE" - echo -e "${YLW}WAYVNC_PASSWORD has been pre-set in $SIGNAGE_PROFILE. Review for security.${DEF}" -else - echo -e "${YLW}INFO: WAYVNC_PASSWORD is not set. Edit $SIGNAGE_PROFILE to set it for WayVNC security.${DEF}" -fi - -cat >> "$SIGNAGE_PROFILE" << EOF - # --- Other Environment Variables (optional) --- -# export XDG_CURRENT_DESKTOP=sway # Sway usually sets this -# export MOZ_ENABLE_WAYLAND=1 # For Firefox, if used -# export QT_QPA_PLATFORM=wayland # For Qt apps, if used -# export ECORE_EVAS_ENGINE=wayland_shm # For EFL apps -# export ELM_ACCEL=wayland -# export SDL_VIDEODRIVER=wayland -# export _JAVA_AWT_WM_NONREPARENTING=1 +# export XDG_CURRENT_DESKTOP=sway +# export MOZ_ENABLE_WAYLAND=1 +# export QT_QPA_PLATFORM=wayland EOF - chown "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_PROFILE" chmod 600 "$SIGNAGE_PROFILE" echo -e "${GRN}$SIGNAGE_PROFILE configured.${DEF}" echo "-------------------------------------" - -# 10. Configure Sway -log_step_message "Configuring Sway" +# 10. 
Configure WayVNC with authentication +log_step_message "Configuring WayVNC with authentication" SIGNAGE_CONFIG_DIR="$SIGNAGE_HOME/.config" -SIGNAGE_SWAY_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/sway" +WAYVNC_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/wayvnc" +WAYVNC_KEYS_DIR="$WAYVNC_CONFIG_DIR/keys" +WAYVNC_CONFIG_FILE="$WAYVNC_CONFIG_DIR/config" + +mkdir -p "$WAYVNC_KEYS_DIR" +chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_CONFIG_DIR" || true # In case .config already existed +chmod 700 "$SIGNAGE_CONFIG_DIR" +chmod 700 "$WAYVNC_CONFIG_DIR" +chmod 700 "$WAYVNC_KEYS_DIR" + +# Generate self-signed cert and keys if they don't exist +TLS_KEY_FILE="$WAYVNC_KEYS_DIR/tls_key.pem" +TLS_CERT_FILE="$WAYVNC_KEYS_DIR/tls_cert.pem" +# WayVNC also supports rsa_private_key_file for RSA-AES, we'll use TLS for simplicity here. +# If you need RSA-AES, you'd generate an RSA key: openssl genrsa -out "$WAYVNC_KEYS_DIR/rsa_key.pem" 2048 + +if [ ! -f "$TLS_KEY_FILE" ] || [ ! -f "$TLS_CERT_FILE" ]; then + echo -e "${BLU}Generating self-signed TLS certificate and key for WayVNC...${DEF}" + # Run as signage user to ensure correct ownership from the start + su - "$SIGNAGE_USER" -c "openssl genpkey -algorithm RSA -out \"$TLS_KEY_FILE\" -pkeyopt rsa_keygen_bits:2048" + su - "$SIGNAGE_USER" -c "openssl req -new -key \"$TLS_KEY_FILE\" -out \"$WAYVNC_KEYS_DIR/tls_csr.pem\" -subj \"/CN=localhost/O=Kiosk/OU=Signage\"" + su - "$SIGNAGE_USER" -c "openssl x509 -req -days 3650 -in \"$WAYVNC_KEYS_DIR/tls_csr.pem\" -signkey \"$TLS_KEY_FILE\" -out \"$TLS_CERT_FILE\"" + rm -f "$WAYVNC_KEYS_DIR/tls_csr.pem" # Clean up CSR + echo -e "${GRN}TLS certificate and key generated.${DEF}" +else + echo -e "${GRN}WayVNC TLS certificate and key already exist.${DEF}" +fi + +# Create WayVNC config file +cat > "$WAYVNC_CONFIG_FILE" << EOF +# WayVNC configuration for signage kiosk +address=$WAYVNC_LISTEN_ADDRESS +port=$WAYVNC_PORT + +enable_auth=true +username=$WAYVNC_USERNAME +password=$WAYVNC_PASSWORD_TO_SET + +# For TLS encryption 
(recommended) +private_key_file=$TLS_KEY_FILE +certificate_file=$TLS_CERT_FILE + +# Optional: If you generated an RSA key for RSA-AES (some clients might prefer) +# rsa_private_key_file=$WAYVNC_KEYS_DIR/rsa_key.pem + +# Optional: Relax encryption requirements (can be less secure, for compatibility) +# relax_encryption=true + +# Optional: Keyboard layout settings +# xkb_layout=us +EOF +chown "$SIGNAGE_USER:$SIGNAGE_USER" "$WAYVNC_CONFIG_FILE" +chmod 600 "$WAYVNC_CONFIG_FILE" +chmod 400 "$TLS_KEY_FILE" # Restrict private key readability +chmod 644 "$TLS_CERT_FILE" + +echo -e "${GRN}WayVNC configuration file created at $WAYVNC_CONFIG_FILE with authentication enabled.${DEF}" +if [ "$WAYVNC_PASSWORD_TO_SET" = "changeme" ]; then + echo -e "${RED}CRITICAL: WayVNC password is set to 'changeme'. This is INSECURE. Change WAYVNC_PASSWORD_TO_SET in the script and re-run, or manually edit $WAYVNC_CONFIG_FILE.${DEF}" +fi +echo "-------------------------------------" + +# 11. Configure Sway +log_step_message "Configuring Sway" +SIGNAGE_SWAY_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/sway" # .config already handled SIGNAGE_SWAY_CONFIG_FILE="$SIGNAGE_SWAY_CONFIG_DIR/config" -echo -e "${BLU}Creating Sway configuration directories...${DEF}" -mkdir -p "$SIGNAGE_SWAY_CONFIG_DIR" -chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_CONFIG_DIR" || true -chmod 700 "$SIGNAGE_CONFIG_DIR" +mkdir -p "$SIGNAGE_SWAY_CONFIG_DIR" # Ensure sway dir exists under .config +chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_SWAY_CONFIG_DIR" chmod 700 "$SIGNAGE_SWAY_CONFIG_DIR" -echo -e "${BLU}Creating $SIGNAGE_SWAY_CONFIG_FILE...${DEF}" - cat > "$SIGNAGE_SWAY_CONFIG_FILE" << EOF # Sway configuration for Alpine Signage Kiosk - -# --- Basic Setup --- -# Set the Super key as the modifier set \$mod Mod4 -# Set default font font pango:DejaVu Sans Mono 10 -# --- Output Configuration --- -# Explicitly enable all outputs and set power state to on -# This is important for ensuring the display activates correctly at boot. 
output * enable output * power on -# The old 'output * dpms off' command is equivalent to 'output * power on'. -# Adding 'output * enable' provides an extra layer of assurance. -# To set a specific mode for an output (name from 'swaymsg -t get_outputs'): -# output Virtual-1 mode 1280x800@60hz -# Optional: set a background if swaybg is installed -# output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill - -# --- Input Configuration --- -# Hide mouse cursor after 1000ms (1 second) of inactivity seat * hide_cursor 1000 -# Alternative: always hide (uncomment below, comment line above) -# seat * hide_cursor always -# --- Autostart Applications --- -# Chromium in Kiosk Mode -# --disable-gpu is added as a safe default, especially for VMs. -# Remove --disable-gpu if you confirm hardware acceleration works correctly. exec /usr/bin/chromium \\ --enable-features=UseOzonePlatform \\ --ozone-platform=wayland \\ 
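Review bot: The self-signed certificate generated in step 10 (`CN=localhost`, `-days 3650`) gives a connecting client nothing to verify, so TLS here protects against passive sniffing only, unless the operator pins the certificate. Print its fingerprint right after generation so it can be compared on first connect, e.g. `openssl x509 -in "$TLS_CERT_FILE" -noout -fingerprint -sha256`. In the same step, `cat > "$WAYVNC_CONFIG_FILE"` runs as root under whatever umask the script inherited and `chmod 600` follows only afterwards. The 700 parent directory limits the exposure, but a `umask 077` before the heredoc would make the password file private from the moment it is created.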
@@ -289,175 +269,105 @@ exec /usr/bin/chromium \\ --enable-zero-copy \\ --ignore-gpu-blocklist \\ --disable-gpu - # --enable-unsafe-webgpu - # --disable-gpu-vsync - # --user-data-dir=/home/$SIGNAGE_USER/.config/chromium-kiosk -# WayVNC for remote access -# Password should be set via WAYVNC_PASSWORD environment variable (see ~/.profile) -exec wayvnc --render-cursor $WAYVNC_LISTEN_ADDRESS $WAYVNC_PORT +# WayVNC will now use its own config file for auth +exec wayvnc --render-cursor # Address/port are now in its config file -# --- Keybindings (Minimal, mostly for debugging) --- -# Kill focused window bindsym \$mod+Shift+q kill -# Reload sway config bindsym \$mod+Shift+c reload -# Exit sway (logs out the user) bindsym \$mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end the kiosk session.' -B 'Yes, exit sway' 'swaymsg exit' -# --- General Settings --- focus_follows_mouse no mouse_warping output EOF - chown "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_SWAY_CONFIG_FILE" chmod 600 "$SIGNAGE_SWAY_CONFIG_FILE" echo -e "${GRN}Sway configuration file written to $SIGNAGE_SWAY_CONFIG_FILE.${DEF}" echo "-------------------------------------" -# 11. Configure greetd for Autologin and Sway Session +# 12. Configure greetd log_step_message "Configuring greetd" GREETD_CONFIG_DIR="/etc/greetd" GREETD_CONFIG_FILE="$GREETD_CONFIG_DIR/config.toml" - mkdir -p "$GREETD_CONFIG_DIR" - -SWAY_LOG_PATH_IN_GREETD="$SIGNAGE_LOCAL_SHARE/sway/sway-greetd.log" - +SWAY_LOG_PATH_IN_GREETD="$SIGNAGE_HOME/.local/share/sway/sway-greetd.log" cat > "$GREETD_CONFIG_FILE" << EOF -# Greetd configuration for signage kiosk with Sway - [terminal] vt = 1 - [default_session] user = "$SIGNAGE_USER" -# Launch sway via dbus-run-session. User's .profile will be sourced. -# Sway debug logs (-d) are redirected. -V (version) is also included. 
command = "/usr/bin/dbus-run-session /usr/bin/sway -V -d 2> $SWAY_LOG_PATH_IN_GREETD" -# Simpler alternative if log redirection is problematic (logs go to greetd's output): -# command = "/usr/bin/dbus-run-session /usr/bin/sway" EOF - chmod 644 "$GREETD_CONFIG_FILE" echo -e "${GRN}greetd config written to $GREETD_CONFIG_FILE.${DEF}" -echo -e "${BLU}Ensure $SIGNAGE_USER can write to $SWAY_LOG_PATH_IN_GREETD.${DEF}" echo "-------------------------------------" -# 12. Configure inittab to start greetd +# 13. Configure inittab log_step_message "Configuring autologin via greetd in /etc/inittab" if [ -f "/etc/inittab" ]; then - if [ ! -f "/etc/inittab.bak.signage" ]; then - cp /etc/inittab /etc/inittab.bak.signage - echo -e "${GRN}Backed up /etc/inittab to /etc/inittab.bak.signage${DEF}" - fi - - echo -e "${BLU}Commenting out ttys 2-6 in /etc/inittab...${DEF}" + if [ ! -f "/etc/inittab.bak.signage" ]; then cp /etc/inittab /etc/inittab.bak.signage; echo -e "${GRN}Backed up /etc/inittab.${DEF}"; fi sed -i -e '/^tty[2-6]:/s/^/#/' /etc/inittab - - echo -e "${BLU}Modifying tty1 entry in /etc/inittab to start greetd...${DEF}" GREETD_INITTAB_LINE="tty1::respawn:/usr/sbin/greetd" if grep -q "^tty1::respawn:" /etc/inittab && ! grep -Fxq "$GREETD_INITTAB_LINE" /etc/inittab; then sed -i "s|^tty1::respawn:.*|$GREETD_INITTAB_LINE|" /etc/inittab echo -e "${GRN}tty1 entry modified for greetd.${DEF}" elif ! grep -Fxq "$GREETD_INITTAB_LINE" /etc/inittab; then - echo "$GREETD_INITTAB_LINE" >> /etc/inittab - echo -e "${GRN}Added greetd line to /etc/inittab (fallback).${DEF}" - else - echo -e "${GRN}greetd line already seems to be present in /etc/inittab.${DEF}" - fi -else - echo -e "${RED}Warning: /etc/inittab not found. 
Cannot configure greetd startup for sysvinit.${DEF}" -fi + echo "$GREETD_INITTAB_LINE" >> /etc/inittab; echo -e "${GRN}Added greetd line to /etc/inittab.${DEF}" + else echo -e "${GRN}greetd line already in /etc/inittab.${DEF}"; fi +else echo -e "${RED}Warning: /etc/inittab not found.${DEF}"; fi echo "-------------------------------------" -# 13. Attempt to Enable elogind PAM module for session management +# 14. Configure PAM log_step_message "Attempting to configure PAM for elogind session" -PAM_GREETD_FILE="/etc/pam.d/greetd" -PAM_SYSTEM_LOGIN="/etc/pam.d/system-login" -PAM_SYSTEM_AUTH="/etc/pam.d/system-auth" PAM_TARGET_FILE="" -PAM_MODULE="pam_elogind.so" - -if [ -f "$PAM_GREETD_FILE" ]; then - PAM_TARGET_FILE="$PAM_GREETD_FILE" -elif [ -f "$PAM_SYSTEM_LOGIN" ]; then - PAM_TARGET_FILE="$PAM_SYSTEM_LOGIN" -elif [ -f "$PAM_SYSTEM_AUTH" ]; then - PAM_TARGET_FILE="$PAM_SYSTEM_AUTH" -fi +if [ -f "/etc/pam.d/greetd" ]; then PAM_TARGET_FILE="/etc/pam.d/greetd"; \ +elif [ -f "/etc/pam.d/system-login" ]; then PAM_TARGET_FILE="/etc/pam.d/system-login"; \ +elif [ -f "/etc/pam.d/system-auth" ]; then PAM_TARGET_FILE="/etc/pam.d/system-auth"; fi if [ -n "$PAM_TARGET_FILE" ]; then - echo -e "${BLU}Using $PAM_TARGET_FILE for PAM configuration.${DEF}" - if ! grep -q "$PAM_MODULE" "$PAM_TARGET_FILE"; then - echo -e "${BLU}Adding '$PAM_MODULE' to $PAM_TARGET_FILE...${DEF}" - if [ ! -f "$PAM_TARGET_FILE.bak.signage" ]; then - cp "$PAM_TARGET_FILE" "$PAM_TARGET_FILE.bak.signage" - echo -e "${GRN}Backed up $PAM_TARGET_FILE to $PAM_TARGET_FILE.bak.signage${DEF}" - fi + echo -e "${BLU}Using $PAM_TARGET_FILE for PAM.${DEF}" + if ! grep -q "pam_elogind.so" "$PAM_TARGET_FILE"; then + if [ ! 
-f "$PAM_TARGET_FILE.bak.signage" ]; then cp "$PAM_TARGET_FILE" "$PAM_TARGET_FILE.bak.signage"; echo -e "${GRN}Backed up $PAM_TARGET_FILE.${DEF}"; fi if grep -q "^session" "$PAM_TARGET_FILE"; then awk '/^session/{if(!p++) print; print "session optional pam_elogind.so"; next} 1' "$PAM_TARGET_FILE" > "$PAM_TARGET_FILE.tmp" && mv "$PAM_TARGET_FILE.tmp" "$PAM_TARGET_FILE" - else - echo "session optional pam_elogind.so" >> "$PAM_TARGET_FILE" - fi - echo -e "${GRN}PAM module added.${DEF}" - else - echo -e "${GRN}'$PAM_MODULE' already present in $PAM_TARGET_FILE.${DEF}" - fi -else - echo -e "${RED}Warning: Could not find suitable PAM file (greetd, system-login, system-auth) to modify.${DEF}" - echo -e "${YLW} System relies on default PAM includes for elogind session setup.${DEF}" -fi + else echo "session optional pam_elogind.so" >> "$PAM_TARGET_FILE"; fi + echo -e "${GRN}pam_elogind.so added to PAM config.${DEF}" + else echo -e "${GRN}pam_elogind.so already in PAM config.${DEF}"; fi +else echo -e "${RED}Warning: Could not find suitable PAM file to modify.${DEF}"; fi echo "-------------------------------------" -log_step_message "Final checks and information" +# --- Final Summary --- +echo -e "${BLU}[Step $((CURRENT_STEP +1))/$TOTAL_STEPS] Final checks and information (this is not an actual step increment).${DEF}" +CURRENT_STEP=$TOTAL_STEPS # Ensure counter matches total for summary echo -e "${GRN}-----------------------------------------------------${DEF}" echo -e "${GRN} Alpine Linux Signage Setup Script Finished! 
${DEF}" echo -e "${GRN}-----------------------------------------------------${DEF}" echo -e "${BLU} SUMMARY:${DEF}" -echo -e " ${GRN}* Packages installed (Sway, Chromium, Greetd, WayVNC, open-vm-tools etc.).${DEF}" -echo -e " ${GRN}* User '$SIGNAGE_USER' created/configured with shell /bin/sh and added to 'video' and 'input' groups.${DEF}" -echo -e " ${GRN}* Sway configured in $SIGNAGE_SWAY_CONFIG_FILE.${DEF}" -echo -e " ${BLU}-> Output explicitly enabled, power state set to ON.${DEF}" -echo -e " ${BLU}-> Chromium will start with --disable-gpu. Edit this file to change.${DEF}" -echo -e " ${BLU}-> Mouse cursor configured to hide after 1s inactivity.${DEF}" -echo -e " ${GRN}* WayVNC configured to launch via Sway, listening on $WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT.${DEF}" -echo -e " ${YLW}* IMPORTANT: WayVNC password MUST be set in $SIGNAGE_PROFILE for security.${DEF}" -echo -e " ${GRN}* Autologin configured via greetd ($GREETD_CONFIG_FILE).${DEF}" -echo -e " ${GRN}* /etc/inittab modified to launch greetd on tty1.${DEF}" -echo -e " ${GRN}* Attempted to configure PAM for elogind.${DEF}" -echo -e " ${GRN}* open-vm-tools service enabled (if applicable, open-vm-tools-desktop was NOT installed).${DEF}" +echo -e " ${GRN}* User '$SIGNAGE_USER' created, added to 'video'/'input' groups.${DEF}" +echo -e " ${GRN}* WayVNC configured with authentication (user: ${YLW}$WAYVNC_USERNAME${GRN}, pass: ${YLW}${WAYVNC_PASSWORD_TO_SET}${GRN}). Config: ${YLW}$WAYVNC_CONFIG_FILE${DEF}" +echo -e " ${YLW} Self-signed TLS certs generated in ${WAYVNC_KEYS_DIR}. You may need to accept these in your VNC client.${DEF}" +if [ "$WAYVNC_PASSWORD_TO_SET" = "changeme" ]; then + echo -e " ${RED}CRITICAL: WayVNC password is 'changeme'. THIS IS INSECURE!${DEF}" +fi +echo -e " ${GRN}* Sway configured to launch Chromium Kiosk and WayVNC.${DEF}" +echo -e " ${GRN}* Autologin via greetd and inittab configured.${DEF}" echo "" echo -e "${RED} !!! 
IMPORTANT !!!${DEF}" -echo -e " ${RED}* If you saw a WARNING about 'nomodeset' earlier, the graphical kiosk${DEF}" -echo -e " ${RED}WILL NOT WORK until you remove 'nomodeset' from your bootloader config and reboot.${DEF}" -echo -e " ${RED}* For WayVNC to be secure, you MUST set a strong WAYVNC_PASSWORD${DEF}" -echo -e " ${RED}in $SIGNAGE_HOME/.profile for the user $SIGNAGE_USER.${DEF}" -echo -e " ${YLW}Example: echo 'export WAYVNC_PASSWORD=\"your_secure_password\"' >> $SIGNAGE_HOME/.profile${DEF}" -echo -e " ${YLW}* Chromium is launched with --disable-gpu. If you have working 3D acceleration${DEF}" -echo -e " ${YLW}(especially on bare metal or with robust VM drivers), you can try removing${DEF}" -echo -e " ${YLW}this flag from $SIGNAGE_SWAY_CONFIG_FILE for better performance.${DEF}" +echo -e " ${RED}* If 'nomodeset' warning appeared, graphical kiosk WILL NOT WORK until fixed.${DEF}" +echo -e " ${YLW}* Connect to VNC using user: ${GRN}$WAYVNC_USERNAME${YLW} and password: ${GRN}YOUR_SET_PASSWORD${DEF}" +echo -e " ${YLW}The VNC server is listening on ${GRN}$WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT${DEF}" echo -e "${RED}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!${DEF}" echo "" echo -e "${GRN} Please REBOOT the system for changes to take effect.${DEF}" echo -e "${GRN} Command: ${YLW}reboot${DEF}" echo "" -echo -e "${BLU} TROUBLESHOOTING AFTER REBOOT (if it doesn't work):${DEF}" -echo -e " ${BLU}1. Log in as root on TTY2 (Alt+F2) or SSH.${DEF}" -echo -e " ${BLU}2. Check greetd logs: ${GRN}grep greetd /var/log/messages | tail -n 20${DEF}" -echo -e " ${BLU}3. Check Sway log: ${GRN}cat $SWAY_LOG_PATH_IN_GREETD${DEF}" -echo -e " ${BLU}4. Check Sway config syntax (as root, or as user if paths adjusted):${DEF}" -echo -e " ${GRN}su - $SIGNAGE_USER -c \"export XDG_RUNTIME_DIR=/run/user/\$(id -u $SIGNAGE_USER) && sway -C -c $SIGNAGE_SWAY_CONFIG_FILE\"${DEF}" -echo -e " ${BLU}5. 
Check XDG_RUNTIME_DIR: ${GRN}ls -ld /run/user/\$(id -u $SIGNAGE_USER)${DEF}" -echo -e " ${BLU}6. Check services: ${GRN}rc-service elogind status && rc-service dbus status && rc-service open-vm-tools status${DEF}" -echo -e " ${BLU}7. Check inittab: ${GRN}grep ^tty1 /etc/inittab${DEF}" -echo -e " ${BLU}8. Check dmesg: ${GRN}dmesg | tail -n 50${DEF}" -echo -e " ${BLU}9. Verify Chromium flags in: ${GRN}cat $SIGNAGE_SWAY_CONFIG_FILE${DEF}" -echo -e " ${BLU}10. Check WayVNC: ${GRN}ps aux | grep wayvnc ; netstat -tulnp | grep :$WAYVNC_PORT${DEF}" -echo -e " ${YLW}Ensure WAYVNC_PASSWORD is set in $SIGNAGE_PROFILE${DEF}" -echo -e " ${BLU}11. Manually test Sway as $SIGNAGE_USER on TTY2 (stop greetd first: rc-service greetd stop):${DEF}" -echo -e " ${GRN}su - $SIGNAGE_USER -c \"dbus-run-session sway -d\"${DEF}" -echo -e " ${BLU}12. Check user groups: ${GRN}groups $SIGNAGE_USER${YLW} (should include 'video' and 'input')${DEF}" +echo -e "${BLU} TROUBLESHOOTING AFTER REBOOT:${DEF}" +echo -e " ${BLU}1. Check user groups: ${GRN}groups $SIGNAGE_USER${YLW} (should include 'video', 'input')${DEF}" +echo -e " ${BLU}2. Check Sway log: ${GRN}cat $SWAY_LOG_PATH_IN_GREETD${DEF}" +echo -e " ${BLU}3. Check WayVNC config: ${GRN}cat $WAYVNC_CONFIG_FILE${DEF}" +echo -e " ${BLU}4. Check WayVNC running: ${GRN}ps aux | grep wayvnc ; netstat -tulnp | grep :$WAYVNC_PORT${DEF}" +echo -e " ${BLU}5. Manually test WayVNC (as $SIGNAGE_USER on TTY2, after stopping greetd & starting sway):${DEF}" +echo -e " ${GRN}wayvnc${DEF}" echo -e "${GRN}-----------------------------------------------------${DEF}" exit 0 \ No newline at end of file
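Review bot: The summary line containing `pass: ${YLW}${WAYVNC_PASSWORD_TO_SET}${GRN}` prints the VNC password in clear text, so it ends up in terminal scrollback and in any captured provisioning log. Drop the value and point to the file instead, e.g. `(user: $WAYVNC_USERNAME, password as set in $WAYVNC_CONFIG_FILE)`; the later "Connect to VNC" line already uses the `YOUR_SET_PASSWORD` placeholder. Troubleshooting step 3 (`cat $WAYVNC_CONFIG_FILE`) exposes the same secret and would be safer as `grep -v '^password=' $WAYVNC_CONFIG_FILE`. Separately, the unchanged awk line in step 14 prints only the first `^session` line and emits `session optional pam_elogind.so` in place of each later one, so existing session rules appear to be dropped from the PAM file.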