Kiosk Devices

What It Is

A kiosk is a FortrOS node type that runs as an output-only (or limited-interaction) endpoint: digital signs, information displays, point-of-sale terminals, lobby dashboards. Kiosks run the FortrOS base OS and maintainer (for health reporting and org membership) but no hypervisor and no user login.

The kiosk's display state is defined by the org. The device is brought in line with the declared state automatically. No one "uses" a kiosk -- it displays what the org tells it to display.

Why It Matters

Kiosks are typically managed by ad-hoc methods: a Raspberry Pi running Chromium in kiosk mode, manually configured, with no monitoring, no updates, and no security. When the sign needs updating, someone walks over with a USB stick or SSHes in to change a URL.

FortrOS kiosks are org-managed: their display configuration is in the org's CRDT state, updates propagate via gossip, health is monitored, and the device is part of the org's ZTNA overlay. Updating 50 lobby displays across 10 buildings is a single config change.

How It Works

A kiosk runs a minimal FortrOS image:

• Base OS: Same immutable Buildroot image as any node
• Maintainer: Gossip, CRDT sync, health reporting, cert renewal
• Display service: A tier 1 node container that renders the declared content (URL, image, video, dashboard) to the local display
• No hypervisor: Kiosks don't run VMs or user workloads
• No user login: No desktop environment, no SSH (management is via the overlay only)

The kiosk's display configuration is a key in the org's config CRDT:

kiosk.lobby-building-a.url = "https://dashboard.internal/lobby"
kiosk.lobby-building-a.rotation = 0
kiosk.lobby-building-a.refresh = 300

Change the URL in the CRDT, and the kiosk updates within a gossip cycle.

Security

Kiosks are physically exposed (lobbies, public areas). The threat model:

• Physical access: Anyone can touch the device. FortrOS's LUKS encryption and Secure Boot prevent booting unauthorized software. No USB boot (UEFI locked down). No accessible management ports on the local network.
• Network position: Kiosks may be on less-trusted networks (guest WiFi, lobby Ethernet). All management traffic goes through the WireGuard overlay. The kiosk's local network presence is minimal (DHCP client, WireGuard UDP).
• Display content: The org controls what's displayed. A compromised kiosk (if somehow achieved) can only display wrong content -- it has no access to org secrets, user data, or other services (ZTNA boundaries apply).

How FortrOS Uses It

• Org membership: Kiosks are enrolled like any node (enrollment token, TPM identity, LUKS /persist).
• Health reporting: The maintainer reports kiosk health via gossip. Dead kiosk = alert on the monitoring map.
• Rolling updates: Kiosk generation images are updated via the same rolling upgrade process as any node.
• No special management: Kiosks use the same CRDT config system as everything else. No separate "kiosk management server."

Links

• 09 Running Workloads -- Workload trust boundaries (kiosks are node-level)
• Monitoring and Self-Observation -- Kiosk health on the topology map
• Device Obfuscation -- Kiosks as cover for relay nodes in adversarial environments