Set up kiosk mode and Cockpit on RHEL (Ansible playbook)
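---
# Configure a RHEL host as a single-purpose kiosk: GDM auto-logs in a
# dedicated user whose session runs Firefox full-screen against the local
# Cockpit UI (https://localhost:9090).
#
# TLS: a throw-away local CA is created on the host, used to sign a server
# certificate for Cockpit, and installed as a system trust anchor (Firefox
# picks it up through the ImportEnterpriseRoots policy).  Because that CA
# becomes trusted system-wide, its private key is kept 0600 and the CA is
# name-constrained so it can only ever vouch for localhost / 127.0.0.1.
- name: Setup Kiosk + Cockpit
  hosts: all
  become: true

  vars:
    cockpit_cert_dir: /etc/cockpit/ws-certs.d
    cockpit_ca_key: "{{ cockpit_cert_dir }}/cockpit-ca.key"
    cockpit_ca_cert: "{{ cockpit_cert_dir }}/cockpit-ca.pem"
    # Cockpit loads <name>.cert together with the matching <name>.key from
    # ws-certs.d; the CSR is kept alongside them in the same root-owned dir.
    cockpit_server_key: "{{ cockpit_cert_dir }}/50-localhost.key"
    cockpit_server_csr: "{{ cockpit_cert_dir }}/50-localhost.csr"
    cockpit_server_cert: "{{ cockpit_cert_dir }}/50-localhost.cert"
    kiosk_user: kiosk
    kiosk_url: https://localhost:9090

  tasks:
    - name: Enable and start cockpit socket
      ansible.builtin.systemd:
        name: cockpit.socket
        state: started
        enabled: true

    - name: Create OpenSSL extensions config for Cockpit server cert
      ansible.builtin.copy:
        dest: "{{ cockpit_cert_dir }}/localhost-ext.cnf"
        mode: "0644"
        content: |
          [v3_server]
          basicConstraints = CA:FALSE
          keyUsage = digitalSignature, keyEncipherment
          extendedKeyUsage = serverAuth
          subjectAltName = DNS:localhost, IP:127.0.0.1

    # Private keys are written under umask 077 so they are never
    # world-readable, not even in the window before the mode fix-up below.
    # (shell rather than command is needed for the umask.)
    - name: Generate Cockpit local CA private key
      ansible.builtin.shell:
        cmd: "umask 077 && openssl genrsa -out {{ cockpit_ca_key }} 2048"
        creates: "{{ cockpit_ca_key }}"

    - name: Generate Cockpit server private key
      ansible.builtin.shell:
        cmd: "umask 077 && openssl genrsa -out {{ cockpit_server_key }} 2048"
        creates: "{{ cockpit_server_key }}"

    # Enforced on every run so keys left behind by earlier runs (which may
    # have been created 0644) are tightened as well.
    - name: Restrict private key permissions
      ansible.builtin.file:
        path: "{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - "{{ cockpit_ca_key }}"
        - "{{ cockpit_server_key }}"

    # The CA is name-constrained: even though it is installed as a trust
    # anchor, a certificate it signs is only accepted for localhost/127.0.0.1.
    - name: Generate Cockpit local CA certificate
      ansible.builtin.command:
        cmd: >-
          openssl req -x509 -new
          -key {{ cockpit_ca_key }}
          -out {{ cockpit_ca_cert }}
          -days 3650 -subj "/CN=Cockpit Local CA"
          -addext "nameConstraints=critical,permitted;DNS:localhost,permitted;IP:127.0.0.1/255.255.255.255"
        creates: "{{ cockpit_ca_cert }}"

    # The CSR lives in the root-owned cert directory rather than at a fixed
    # path under the world-writable /tmp, so no unprivileged local user can
    # pre-plant a file there for the signing step below to consume as root.
    - name: Generate Cockpit server CSR
      ansible.builtin.command:
        cmd: >-
          openssl req -new
          -key {{ cockpit_server_key }}
          -out {{ cockpit_server_csr }}
          -subj "/CN=localhost"
        creates: "{{ cockpit_server_cert }}"

    - name: Sign Cockpit server certificate with local CA
      ansible.builtin.command:
        cmd: >-
          openssl x509 -req
          -in {{ cockpit_server_csr }}
          -CA {{ cockpit_ca_cert }}
          -CAkey {{ cockpit_ca_key }}
          -CAcreateserial
          -out {{ cockpit_server_cert }}
          -days 3650
          -extensions v3_server
          -extfile {{ cockpit_cert_dir }}/localhost-ext.cnf
        creates: "{{ cockpit_server_cert }}"

    - name: Copy Cockpit CA certificate to system trust anchors
      ansible.builtin.copy:
        src: "{{ cockpit_ca_cert }}"
        dest: /etc/pki/ca-trust/source/anchors/cockpit-ca.pem
        remote_src: true
        mode: "0644"
      register: ca_anchor

    # Only rebuild the trust store when the anchor actually changed, so the
    # play is idempotent instead of reporting "changed" on every run.
    - name: Update system CA trust store
      ansible.builtin.command: update-ca-trust
      when: ca_anchor.changed

    - name: Install kiosk packages
      ansible.builtin.dnf:
        name:
          - gnome-session-kiosk-session
          - gdm
          - firefox
        state: present

    - name: Ensure Firefox enterprise policies directory exists
      ansible.builtin.file:
        path: /etc/firefox/policies
        state: directory
        mode: "0755"

    # Makes Firefox trust the CA installed via update-ca-trust above.
    - name: Configure Firefox to trust system CA certificates
      ansible.builtin.copy:
        dest: /etc/firefox/policies/policies.json
        mode: "0644"
        content: |
          {
            "policies": {
              "Certificates": {
                "ImportEnterpriseRoots": true
              }
            }
          }

    - name: Read current default systemd target
      ansible.builtin.command: systemctl get-default
      changed_when: false
      register: default_target

    - name: Set graphical target as default (gdm)
      ansible.builtin.command: systemctl set-default graphical.target
      when: default_target.stdout != "graphical.target"

    # No password is set, so the account stays password-locked; it is only
    # ever entered through GDM autologin.
    - name: Create kiosk user
      ansible.builtin.user:
        name: "{{ kiosk_user }}"
        state: present
        create_home: true

    # The launcher and its directory are root-owned (the kiosk user only
    # needs read+execute) so the autologin user cannot rewrite what its own
    # session launches.
    # NOTE(review): the parent /home/kiosk/.local is not managed here; check
    # its ownership too if the kiosk user must not be able to replace "bin".
    - name: Ensure ~kiosk/.local/bin directory exists
      ansible.builtin.file:
        path: "/home/{{ kiosk_user }}/.local/bin"
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Create redhat-kiosk launcher script
      ansible.builtin.copy:
        dest: "/home/{{ kiosk_user }}/.local/bin/redhat-kiosk"
        owner: root
        group: root
        mode: "0755"
        content: |
          #!/bin/sh
          # Relaunch the browser whenever it exits; the short pause keeps a
          # browser that fails immediately at start-up from spinning the CPU.
          while true; do
              firefox -kiosk {{ kiosk_url }}
              sleep 1
          done

    # Replaces /etc/gdm/custom.conf wholesale; any existing GDM settings on
    # the host are dropped.
    - name: Configure GDM automatic login for kiosk
      ansible.builtin.copy:
        dest: /etc/gdm/custom.conf
        mode: "0644"
        content: |
          [daemon]
          AutomaticLoginEnable=True
          AutomaticLogin={{ kiosk_user }}

    - name: Ensure AccountsService users directory exists
      ansible.builtin.file:
        path: /var/lib/AccountsService/users
        state: directory
        mode: "0755"

    # Selects the GNOME kiosk session for the autologin user.
    - name: Configure AccountsService for kiosk user
      ansible.builtin.copy:
        dest: "/var/lib/AccountsService/users/{{ kiosk_user }}"
        mode: "0644"
        content: |
          [User]
          Session=com.redhat.Kiosk
          SystemAccount=false

    # Unconditional reboot so GDM autologin and the new default target take
    # effect.
    - name: Reboot the host
      ansible.builtin.reboot: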