BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 21:26:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/kiosk/src/server.rs

421 lines
13 KiB
Rust
Raw Normal View History

feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
use std::fs;
use std::path::PathBuf;
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
use std::process::Command;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
use std::time::Duration;
use serde::Deserialize;
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
use serde_json::Value;
fix: resolve all Rust compile errors in kiosk app
2026-05-10 18:04:43 +00:00
use tracing::info;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
use crate::bundle::KioskBundle;
feat(display): report and control power state
2026-05-21 07:10:30 +00:00
pub struct DisplayReport {
pub index: usize,
pub name: String,
pub width_px: u32,
pub height_px: u32,
pub power_state: String,
}
fix(release): surface build versions
2026-05-21 06:51:41 +00:00
fn kiosk_app_version() -> &'static str {
option_env!("BF_BUILD_VERSION").unwrap_or(env!("CARGO_PKG_VERSION"))
}
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
fn reported_hostname() -> Option<String> {
hostname::get()
.ok()
.map(|h| h.to_string_lossy().trim().to_string())
.filter(|h| !h.is_empty())
}
fn read_network_interfaces() -> Vec<Value> {
let out = match Command::new("ip").args(["-j", "addr", "show"]).output() {
Ok(out) if out.status.success() => out,
Ok(out) => {
tracing::warn!("ip -j addr show exited with {}", out.status);
return Vec::new();
}
Err(err) => {
tracing::warn!("ip -j addr show failed: {err}");
return Vec::new();
}
};
let parsed: Value = match serde_json::from_slice(&out.stdout) {
Ok(v) => v,
Err(err) => {
tracing::warn!("ip -j addr show parse failed: {err}");
return Vec::new();
}
};
let Some(items) = parsed.as_array() else {
return Vec::new();
};
items
.iter()
.filter_map(|item| {
let name = item.get("ifname")?.as_str()?;
let addr_info = item.get("addr_info")?.as_array()?;
let ips: Vec<Value> = addr_info
.iter()
.filter_map(|addr| {
let family = addr.get("family")?.as_str()?;
if family != "inet" && family != "inet6" {
return None;
}
let local = addr.get("local")?.as_str()?;
let prefix = addr.get("prefixlen").and_then(|v| v.as_u64());
Some(match prefix {
Some(prefix) => Value::String(format!("{local}/{prefix}")),
None => Value::String(local.to_string()),
})
})
.collect();
if ips.is_empty() {
return None;
}
Some(serde_json::json!({
"name": name,
"mac": item.get("address").and_then(|v| v.as_str()),
"operstate": item.get("operstate").and_then(|v| v.as_str()),
"ips": ips,
}))
})
.collect()
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
fn state_dir() -> PathBuf {
let home = dirs::home_dir().expect("no home directory");
let dir = home.join(".betterframe-kiosk");
fs::create_dir_all(&dir).ok();
dir
}
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
fn key_file() -> PathBuf {
state_dir().join("kiosk.key")
}
fn server_file() -> PathBuf {
state_dir().join("server.url")
}
fn bundle_cache_path() -> PathBuf {
state_dir().join("bundle.json")
}
fn local_key_file() -> PathBuf {
state_dir().join("local.key")
}
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
/// Load (or generate) the kiosk-local API key used by the LAN-side GET
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
/// layout-switch endpoint. Persisted hex, 32 bytes random. Stored
/// encrypted-at-rest (hardware-bound) so pulling the SD card doesn't yield
/// the key plaintext.
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
pub fn load_or_create_local_key() -> String {
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
let path = local_key_file();
if let Ok(raw) = fs::read(&path) {
let was_encrypted = crate::at_rest::decrypt_from_disk(&raw).is_ok();
if let Some(trimmed) = crate::at_rest::read_text_maybe_encrypted(&path) {
if trimmed.len() >= 16 {
if !was_encrypted {
let _ = crate::at_rest::write_encrypted(&path, trimmed.as_bytes());
}
return trimmed;
}
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
}
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
}
use rand::RngCore;
let mut buf = [0u8; 32];
rand::thread_rng().fill_bytes(&mut buf);
let hex_key = hex::encode(buf);
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
let _ = crate::at_rest::write_encrypted(&path, hex_key.as_bytes());
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
hex_key
}
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
/// Persist the latest bundle to disk for offline boot. Encrypted at rest
/// because the bundle contains camera RTSP URIs with credentials in URL
/// form (rtsp://user:pass@host/...).
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
pub fn save_bundle(bundle: &KioskBundle) {
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
match serde_json::to_vec(bundle) {
Ok(bytes) => {
if let Err(e) = crate::at_rest::write_encrypted(&bundle_cache_path(), &bytes) {
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
tracing::warn!("failed to save bundle cache: {e}");
}
}
Err(e) => tracing::warn!("failed to serialize bundle: {e}"),
}
}
/// Load a cached bundle from disk. Returns None if file missing or invalid.
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
/// Tolerates legacy plaintext (kiosks upgraded from a pre-at_rest build)
/// so pairing survives the rollout.
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
pub fn load_cached_bundle() -> Option<KioskBundle> {
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
let bytes = crate::at_rest::read_maybe_encrypted(&bundle_cache_path())?;
match serde_json::from_slice::<KioskBundle>(&bytes) {
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
Ok(b) => Some(b),
Err(e) => {
tracing::warn!("cached bundle invalid: {e}");
None
}
}
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
/// Discover the BetterFrame server.
pub fn discover_server(override_url: Option<&str>) -> String {
if let Some(url) = override_url {
return url.to_string();
}
// Check saved
if let Ok(saved) = fs::read_to_string(server_file()) {
let saved = saved.trim().to_string();
if check_health(&saved) {
return saved;
}
}
fix(deploy+kiosk): server healthcheck wget, nodered spider, cloud discovery - server Dockerfile installs wget — bookworm-slim doesn't include it by default, so the healthcheck CMD silently failed → Coolify marked the container unhealthy. - nodered healthcheck swapped to /nrdp/ (always 200 when runtime up) via wget --spider; previous /nrdp/auth/login returned non-2xx when adminAuth disabled. - start_period bumped to 90s for nodered's flow load on smaller hosts. - Kiosk discovery: cloud fallback now frame-eu.betterportal.net per the managed-fleet endpoint.
2026-05-19 02:15:25 +00:00
// Probe order: on-device → LAN mDNS → BetterCorp managed cloud.
// Single image works for aio (server beside kiosk on same Pi), on-prem
// (server on the LAN, discoverable by mDNS), and client-only (no local
// server — falls through to the cloud).
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
let candidates = [
fix(deploy): require proxied local services Bind native backend services and Node-RED to loopback so Angie remains the public auth boundary. Keep Docker on an internal compose network and stop kiosk fallback to a layout when display default is none.
2026-05-11 07:51:00 +00:00
"http://localhost",
"http://betterframe.local",
fix(deploy+kiosk): server healthcheck wget, nodered spider, cloud discovery - server Dockerfile installs wget — bookworm-slim doesn't include it by default, so the healthcheck CMD silently failed → Coolify marked the container unhealthy. - nodered healthcheck swapped to /nrdp/ (always 200 when runtime up) via wget --spider; previous /nrdp/auth/login returned non-2xx when adminAuth disabled. - start_period bumped to 90s for nodered's flow load on smaller hosts. - Kiosk discovery: cloud fallback now frame-eu.betterportal.net per the managed-fleet endpoint.
2026-05-19 02:15:25 +00:00
"https://frame-eu.betterportal.net",
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
];
for url in candidates {
info!("trying {url}...");
if check_health(url) {
fs::write(server_file(), url).ok();
return url.to_string();
}
}
panic!("Could not find BetterFrame server");
}
fn check_health(url: &str) -> bool {
reqwest::blocking::Client::new()
.get(format!("{url}/healthz"))
.timeout(Duration::from_secs(3))
.send()
.map(|r| r.status().is_success())
.unwrap_or(false)
}
/// Check if already paired (key file exists).
pub fn is_paired() -> bool {
key_file().exists()
}
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
/// Read stored kiosk key. Detects legacy plaintext (kiosks upgraded from
/// a pre-at_rest build) and re-stores it ciphertext in place so subsequent
/// SD-card extractions don't see the bearer token.
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
pub fn load_key() -> String {
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
let path = key_file();
let raw = fs::read(&path).expect("failed to read kiosk key");
let was_encrypted = crate::at_rest::decrypt_from_disk(&raw).is_ok();
let key = crate::at_rest::read_text_maybe_encrypted(&path).expect("failed to decode kiosk key");
if !was_encrypted {
// Best-effort migrate. If write fails (e.g. RO mount during a
// recovery boot) we still hand back the key so the kiosk works.
let _ = crate::at_rest::write_encrypted(&path, key.as_bytes());
}
key
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}
#[derive(Deserialize)]
struct InitiateResp {
code: String,
expires_at: String,
}
/// Initiate pairing — returns (code, expires_at).
pub fn initiate_pairing(server: &str) -> (String, String) {
let hostname = hostname::get()
.map(|h| h.to_string_lossy().to_string())
.unwrap_or_else(|_| "kiosk".into());
let hw_model = fs::read_to_string("/proc/device-tree/model")
.unwrap_or_else(|_| "unknown".into())
.replace('\0', "");
let client = reqwest::blocking::Client::new();
let resp: InitiateResp = client
.post(format!("{server}/api/pair/initiate"))
.json(&serde_json::json!({
"proposed_name": hostname,
"hardware_model": hw_model,
"capabilities": ["rtsp", "gstreamer", "gtk4"]
}))
.send()
.expect("pairing initiate failed")
.json()
.expect("bad initiate response");
(resp.code, resp.expires_at)
}
#[derive(Deserialize)]
struct ClaimResp {
status: String,
kiosk_key: Option<String>,
kiosk_name: Option<String>,
}
/// Poll for pairing claim. Returns (name, key) when admin confirms.
pub fn poll_claim(server: &str, code: &str) -> (String, String) {
let client = reqwest::blocking::Client::new();
loop {
let resp = client
.post(format!("{server}/api/pair/claim"))
.json(&serde_json::json!({ "code": code }))
.send()
.expect("claim request failed");
if resp.status().as_u16() == 200 {
let claim: ClaimResp = resp.json().expect("bad claim response");
if claim.status == "claimed" {
let key = claim.kiosk_key.expect("missing kiosk_key");
let name = claim.kiosk_name.unwrap_or_else(|| "kiosk".into());
feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
crate::at_rest::write_encrypted(&key_file(), key.as_bytes())
.expect("failed to save kiosk key");
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
return (name, key);
}
}
std::thread::sleep(Duration::from_secs(2));
}
}
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
/// Fetch bundle from server. Returns None on network/HTTP/parse failure.
/// On success, also writes the bundle to the on-disk cache.
pub fn fetch_bundle(server: &str, key: &str) -> Option<KioskBundle> {
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
let client = reqwest::blocking::Client::new();
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
let resp = match client
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
.get(format!("{server}/api/kiosk/bundle"))
.header("Authorization", format!("Bearer {key}"))
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
.timeout(Duration::from_secs(10))
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
.send()
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
{
Ok(r) => r,
Err(e) => {
tracing::warn!("bundle fetch failed: {e}");
return None;
}
};
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
if !resp.status().is_success() {
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
tracing::warn!("bundle fetch returned {}", resp.status());
return None;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}
feat: layout switch push + idle/sleep timer + offline bundle cache Layout switch push: - POST /admin/kiosks/:id/layout/:layoutId — coordinator sends {type:"layout-switch", layout_id} via WS - Kiosk renders specified layout from cached bundle - KioskEditPage adds Switch Layout dropdown + button Idle/sleep timer: - thread_local LAST_ACTIVITY + IS_ASLEEP + CURRENT_LAYOUT_ID - mark_activity() on render/switch/wake; wakes if asleep - glib timeout_add_local every 1s checks elapsed: - elapsed >= idle_timeout AND not on default + resets_idle_timer → switch to default layout - elapsed >= sleep_timeout AND !asleep → cec::standby() - Display idle/sleep timeouts from bundle.display Offline cache: - server::save_bundle → ~/.betterframe-kiosk/bundle.json - server::load_cached_bundle on offline boot - fetch_bundle no longer panics; returns Option - 30s retry loop until server reachable - Reload-bundle gracefully handles fetch failures
2026-05-12 23:00:11 +00:00
match resp.json::<KioskBundle>() {
Ok(b) => {
save_bundle(&b);
Some(b)
}
Err(e) => {
tracing::warn!("bundle parse failed: {e}");
None
}
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
/// Send heartbeat with display geometry + hwmon.
fix(nodered): kiosk-side layout.changed events + provisioning retries Three related fixes: 1. Idle reverts (and any other kiosk-initiated layout switch) now POST layout.changed to /api/kiosk/event. Previously the server only emitted on admin-initiated switches, so Node-RED never saw the idle revert. 2. Server's /api/kiosk/event splays the payload to the top level when the topic has a dedicated trigger node (layout.changed, kiosk.changed, kiosk.status, display.power.changed, camera.changed). The trigger nodes expect flat shapes matching the admin emit; the old wrapped shape left every field undefined. 3. Auto-provisioning of bf-server-config in Node-RED: extend retry window to ~5 min, log per attempt, force v2 API + full-deploy header so credentials inline get accepted, surface response body on failure.
2026-05-13 11:03:51 +00:00
/// Report a kiosk-side layout switch to the server, which forwards to
/// node-red as a `layout.changed` event. Covers idle reverts and any other
/// switch the kiosk performs without an admin click (admin clicks already
/// emit server-side).
pub fn report_layout_change(
server: &str,
key: &str,
display_id: u32,
layout_id: u32,
layout_name: &str,
) {
let client = reqwest::blocking::Client::new();
let _ = client
.post(format!("{server}/api/kiosk/event"))
.header("Authorization", format!("Bearer {key}"))
.json(&serde_json::json!({
"topic": "layout.changed",
"source_type": "system",
"payload": {
"display_id": display_id,
"layout_id": layout_id,
"layout_name": layout_name,
},
}))
.timeout(Duration::from_secs(5))
.send();
}
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
pub fn report_kiosk_log(server: &str, key: &str, level: &str, message: &str, payload: Value) {
let client = reqwest::blocking::Client::new();
let _ = client
.post(format!("{server}/api/kiosk/event"))
.header("Authorization", format!("Bearer {key}"))
.json(&serde_json::json!({
"topic": "kiosk.log",
"source_type": "system",
"payload": {
"level": level,
"message": message,
"context": payload,
},
}))
.timeout(Duration::from_secs(5))
.send();
}
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
pub fn heartbeat(
server: &str,
key: &str,
feat(display): report and control power state
2026-05-21 07:10:30 +00:00
displays: &[DisplayReport],
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
hw: &crate::hwmon::HwInfo,
feat(ota): add RAUC OS update foundation
2026-05-20 03:15:29 +00:00
) -> bool {
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
let client = reqwest::blocking::Client::new();
feat(display): report and control power state
2026-05-21 07:10:30 +00:00
let display_info: Vec<_> = displays.iter().map(|d| {
serde_json::json!({
"index": d.index,
"name": &d.name,
"width_px": d.width_px,
"height_px": d.height_px,
"power_state": &d.power_state,
fix(release): surface build versions
2026-05-21 06:51:41 +00:00
})
feat(display): report and control power state
2026-05-21 07:10:30 +00:00
}).collect();
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
// Surface the LAN-side local key + port to admin so the UI can show a
// copy-paste URL for bookmark-style layout switches.
let local_key = load_or_create_local_key();
let local_port: u16 = std::env::var("BF_KIOSK_LOCAL_PORT")
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
.ok()
.and_then(|s| s.parse().ok())
.unwrap_or(18090);
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
let hostname = reported_hostname();
let network_interfaces = read_network_interfaces();
feat(ota): add RAUC OS update foundation
2026-05-20 03:15:29 +00:00
client
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
.post(format!("{server}/api/kiosk/heartbeat"))
.header("Authorization", format!("Bearer {key}"))
.json(&serde_json::json!({
fix(release): surface build versions
2026-05-21 06:51:41 +00:00
"kiosk_app_version": kiosk_app_version(),
feat: WebKit for web/html cells + display auto-discovery via heartbeat Rust kiosk: - web cells now use webkit6 WebView (load_uri) - html cells use WebView.load_html (full HTML rendering) - query_displays() reads /sys/class/drm/ for connected HDMI/DP outputs - Heartbeat reports display geometry every 60s Server: - /api/kiosk/heartbeat accepts displays array - Syncs kiosk-reported displays to display records - Updates dimensions when changed, creates new displays for new ports
2026-05-10 20:39:53 +00:00
"displays": display_info,
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
"cpu_temp_c": hw.cpu_temp_c,
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
"cpu_load_percent": hw.cpu_load_percent,
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
"fan_rpm": hw.fan_rpm,
"fan_pwm": hw.fan_pwm,
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
"memory_total_mb": hw.memory_total_mb,
"memory_used_mb": hw.memory_used_mb,
"disk_total_mb": hw.disk_total_mb,
"disk_free_mb": hw.disk_free_mb,
"disk_used_percent": hw.disk_used_percent,
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
"local_key": local_key,
"local_port": local_port,
fix(bundle): synthesize stream for any camera with rtsp_url ONVIF-imported cameras with rtsp_url but no camera_streams rows showed "(no stream)" in the kiosk because the bundle fallback was gated to type=rtsp only. Drop the type check + backfill existing rows so old imports get a main stream row created. feat(kiosk-mgmt): report hostname + all network interfaces Behind Docker/Angie the server only saw the proxy bridge IP (172.31.0.2). Kiosk now shells `ip -j addr show`, reports every non-loopback IPv4/v6 with CIDR, MAC, and operstate. Plus `hostname` for verifying that managed-config applies landed. Admin UI renders interface list with LAN IPs preferred for the copy-paste local-LAN endpoint. feat(managed-config): auto-sync hostname from kiosk name When admin renames a managed-image kiosk, slugify the name → DNS-safe hostname and bump managed_config_version so the kiosk applies it on next heartbeat. Empty form hostname now falls back to slug too, so DHCP shows the friendly name. feat(events): forward firmware + OS update outcomes as kiosk.log Kiosk POSTs `/api/kiosk/event` with topic=kiosk.log on firmware-apply attempts. Server-side firmware/os-update endpoints also insert into event_log so admins can audit upgrades without correlating per-source. Wire schema heartbeat gains reported_hostname + network_interfaces for Rust import parity.
2026-05-21 07:23:50 +00:00
"reported_hostname": hostname,
"network_interfaces": network_interfaces,
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}))
.timeout(Duration::from_secs(5))
feat(ota): add RAUC OS update foundation
2026-05-20 03:15:29 +00:00
.send()
.map(|r| r.status().is_success())
.unwrap_or(false)
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}
Reference in a new issue Copy permalink