feat: merge upstream master - version 4.94

Merge upstream PiKVM master branch updates:

- Bump version from 4.93 to 4.94
- HID: improved jiggler pattern for better compatibility
- Streamer: major refactoring for improved performance and maintainability
- Prometheus: tidying GPIO channel name formatting
- Web: added __gpio-label class for custom styling
- HID: customizable /api/hid/print delay configuration
- ATX: independent power/reset regions for better control
- OLED: added --fill option for display testing
- Web: improved keyboard handling in modal dialogs
- Web: enhanced login error messages
- Switch: added heartbeat functionality
- Web: mouse touch code simplification and refactoring
- Configs: use systemd-networkd-wait-online --any by default
- PKGBUILD: use cp -r to install systemd units properly
- Various bug fixes and performance improvements

configs/kvmd/htpasswd

@@ -1 +1 @@
-admin:$apr1$.6mu9N8n$xOuGesr4JZZkdiZo/j318.
+admin:{SSHA512}3zSmw/L9zIkpQdX5bcy6HntTxltAzTuGNP6NjHRRgOcNZkA0K+Lsrj3QplO9Gr3BA5MYVVki9rAVnFNCcIdtYC6FkLJWCmHs

configs/kvmd/ipmipasswd

@@ -1,14 +1,11 @@
-# This file describes the credentials for IPMI users. The first pair separated by colon
-# is the login and password with which the user can access to IPMI. The second pair
-# is the name and password with which the user can access to KVMD API. The arrow is used
-# as a separator and shows the direction of user registration in the system.
+# This file describes the credentials for IPMI users in format "login:password",
+# one per line. The passwords are NOT encrypted.
 #
 # WARNING! IPMI protocol is completely unsafe by design. In short, the authentication
 # process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the
-# requested user's password to the client, prior to the client authenticating. Never use
-# the same passwords for KVMD and IPMI users. This default configuration is shown here
-# for example only.
+# requested user's password to the client, prior to the client authenticating.
 #
-# And even better not to use IPMI. Instead, you can directly use KVMD API via curl.
+# NEVER use the same passwords for KVMD and IPMI users.
+# This default configuration is shown here just for the example only.
 
-admin:admin -> admin:admin
+admin:admin

configs/kvmd/main/v4mini-hdmi-rpi4.yaml

@@ -0,0 +1,97 @@
+# Don't touch this file otherwise your device may stop working.
+# Use override.yaml to modify required settings.
+# You can find a working configuration in /usr/share/kvmd/configs.default/kvmd.
+
+override: !include [override.d, override.yaml]
+
+logging: !include logging.yaml
+
+kvmd:
+    auth: !include auth.yaml
+
+    info:
+        hw:
+            ignore_past: true
+        fan:
+            unix: /run/kvmd/fan.sock
+
+    hid:
+        type: otg
+
+    atx:
+        type: gpio
+        power_led_pin: 4
+        hdd_led_pin: 5
+        power_switch_pin: 23
+        reset_switch_pin: 27
+
+    msd:
+        type: otg
+
+    streamer:
+        h264_bitrate:
+            default: 5000
+        cmd:
+            - "/usr/bin/ustreamer"
+            - "--device=/dev/kvmd-video"
+            - "--persistent"
+            - "--dv-timings"
+            - "--format=uyvy"
+            - "--buffers=6"
+            - "--encoder=m2m-image"
+            - "--workers=3"
+            - "--quality={quality}"
+            - "--desired-fps={desired_fps}"
+            - "--drop-same-frames=30"
+            - "--unix={unix}"
+            - "--unix-rm"
+            - "--unix-mode=0660"
+            - "--exit-on-parent-death"
+            - "--process-name-prefix={process_name_prefix}"
+            - "--notify-parent"
+            - "--no-log-colors"
+            - "--jpeg-sink=kvmd::ustreamer::jpeg"
+            - "--jpeg-sink-mode=0660"
+            - "--h264-sink=kvmd::ustreamer::h264"
+            - "--h264-sink-mode=0660"
+            - "--h264-bitrate={h264_bitrate}"
+            - "--h264-gop={h264_gop}"
+
+    gpio:
+        drivers:
+            __v4_locator__:
+                type: locator
+
+        scheme:
+            __v3_usb_breaker__:
+                pin: 22
+                mode: output
+                initial: true
+                pulse: false
+
+            __v4_locator__:
+                driver: __v4_locator__
+                pin: 12
+                mode: output
+                pulse: false
+
+            __v4_const1__:
+                pin: 6
+                mode: output
+                initial: false
+                switch: false
+                pulse: false
+
+
+media:
+    memsink:
+        h264:
+            sink: "kvmd::ustreamer::h264"
+
+
+vnc:
+    memsink:
+        jpeg:
+            sink: "kvmd::ustreamer::jpeg"
+        h264:
+            sink: "kvmd::ustreamer::h264"

configs/kvmd/main/v4plus-hdmi-rpi4.yaml

@@ -17,8 +17,6 @@ kvmd:
 
     hid:
         type: otg
-        mouse_alt:
-            device: /dev/kvmd-hid-mouse-alt
 
     atx:
         type: gpio

configs/kvmd/meta.yaml

@@ -4,11 +4,11 @@
 # will be displayed in the web interface.
 
 server:
-    host: localhost.localdomain
+    host: "@auto"
 
 kvm: {
-    base_on: PiKVM,
-    app_name: One-KVM,
-    main_version: 241204,
-    author: SilentWind
+    base_on: "PiKVM",
+    app_name: "One-KVM",
+    main_version: "241204",
+    author: "SilentWind"
 }

configs/kvmd/vncpasswd

@@ -1,12 +1,9 @@
-# This file describes the credentials for VNCAuth. The left part before arrow is a passphrase
-# for VNCAuth. The right part is username and password with which the user can access to KVMD API.
-# The arrow is used as a separator and shows the relationship of user registrations on the system.
+# This file contains passwords for the legacy VNCAuth, one per line.
+# The passwords are NOT encrypted.
 #
-# Never use the same passwords for VNC and IPMI users. This default configuration is shown here
-# for example only.
+# WARNING! The VNCAuth method is NOT secure and should not be used at all.
+# But we support it for compatibility with some clients.
 #
-# If this file does not contain any entries, VNCAuth will be disabled and you will only be able
-# to login in using your KVMD username and password using VeNCrypt methods.
+# NEVER use the same passwords for KVMD, IPMI and VNCAuth users.
 
-# pa$$phr@se -> admin:password
-admin -> admin:admin
+admin

configs/nginx/kvmd.ctx-server.conf

@@ -24,6 +24,7 @@ location @login {
 
 location /login {
 	root /usr/share/kvmd/web;
+	include /etc/kvmd/nginx/loc-nocache.conf;
 	auth_request off;
 }
 
@@ -65,6 +66,7 @@ location /api/hid/print {
 	proxy_pass http://kvmd;
 	include /etc/kvmd/nginx/loc-proxy.conf;
 	include /etc/kvmd/nginx/loc-bigpost.conf;
+	proxy_read_timeout 7d;
 	auth_request off;
 }
 

configs/nginx/loc-bigpost.conf

@@ -1,4 +1,2 @@
-limit_rate 6250k;
-limit_rate_after 50k;
 client_max_body_size 0;
 proxy_request_buffering off;

configs/nginx/nginx.conf.mako

@@ -39,9 +39,9 @@ http {
 	% if https_enabled:
 
 	server {
-		listen ${http_port};
+		listen ${http_ipv4}:${http_port};
 		% if ipv6_enabled:
-		listen [::]:${http_port};
+		listen [${http_ipv6}]:${http_port};
 		% endif
 		include /etc/kvmd/nginx/certbot.ctx-server.conf;
 		location / {
@@ -54,9 +54,9 @@ http {
 	}
 
 	server {
-		listen ${https_port} ssl http2;
+		listen ${https_ipv4}:${https_port} ssl;
 		% if ipv6_enabled:
-		listen [::]:${https_port} ssl http2;
+		listen [${https_ipv6}]:${https_port} ssl;
 		% endif
 		include /etc/kvmd/nginx/ssl.conf;
 		include /etc/kvmd/nginx/kvmd.ctx-server.conf;
@@ -66,9 +66,9 @@ http {
 	% else:
 
 	server {
-		listen ${http_port};
+		listen ${http_ipv4}:${http_port};
 		% if ipv6_enabled:
-		listen [::]:${http_port};
+		listen [${http_ipv6}]:${http_port};
 		% endif
 		include /etc/kvmd/nginx/certbot.ctx-server.conf;
 		include /etc/kvmd/nginx/kvmd.ctx-server.conf;

configs/os/boot-config/v4plus-hdmi-rpi4.txt

@@ -3,7 +3,7 @@
 initramfs initramfs-linux.img followkernel
 
 hdmi_force_hotplug=1
-gpu_mem=128
+gpu_mem=192
 enable_uart=1
 dtoverlay=disable-bt
 

configs/os/cmdline/v4plus-hdmi-rpi4.sed

@@ -1 +1 @@
-s/rootwait/rootwait cma=128M/g
+s/rootwait/rootwait cma=192M/g

configs/os/services/kvmd-localhid.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=PiKVM - Local HID to KVMD proxy
+After=kvmd.service systemd-udevd.service
+
+[Service]
+User=kvmd-localhid
+Group=kvmd-localhid
+Type=simple
+Restart=always
+RestartSec=3
+
+ExecStart=/usr/bin/kvmd-localhid --run
+TimeoutStopSec=3
+
+[Install]
+WantedBy=multi-user.target

configs/os/services/systemd-networkd-wait-online.service.d/11-pikvm-wait-any.conf

@@ -0,0 +1,8 @@
+# Fix https://github.com/pikvm/pikvm/issues/1514:
+# Wait for any single network interface, not all configured ones
+# (Rationale: when user configures Wi-Fi via pikvm.txt or otherwise,
+#  we do not delete the Ethernet config, which means it will remain active
+#  regardless of whether the user ever intended to use Ethernet.)
+[Service]
+ExecStart=
+ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any

configs/os/sysusers.conf

@@ -1,8 +1,10 @@
 g kvmd - -
+g kvmd-selfauth - -
 g kvmd-media - -
 g kvmd-pst - -
 g kvmd-ipmi - -
 g kvmd-vnc - -
+g kvmd-localhid - -
 g kvmd-nginx - -
 g kvmd-janus - -
 g kvmd-certbot - -
@@ -12,6 +14,7 @@ u kvmd-media - "PiKVM - The media proxy"
 u kvmd-pst - "PiKVM - Persistent storage" -
 u kvmd-ipmi - "PiKVM - IPMI to KVMD proxy" -
 u kvmd-vnc - "PiKVM - VNC to KVMD/Streamer proxy" -
+u kvmd-localhid - "PiKVM - Local HID to KVMD proxy" -
 u kvmd-nginx - "PiKVM - HTTP entrypoint" -
 u kvmd-janus - "PiKVM - Janus WebRTC Gateway" -
 u kvmd-certbot - "PiKVM - Certbot-Renew for KVMD-Nginx"
@@ -29,10 +32,16 @@ m kvmd-media kvmd
 m kvmd-pst kvmd
 
 m kvmd-ipmi kvmd
+m kvmd-ipmi kvmd-selfauth
 
 m kvmd-vnc kvmd
+m kvmd-vnc kvmd-selfauth
 m kvmd-vnc kvmd-certbot
 
+m kvmd-localhid input
+m kvmd-localhid kvmd
+m kvmd-localhid kvmd-selfauth
+
 m kvmd-janus kvmd
 m kvmd-janus audio
 

configs/os/udev/common.rules

@@ -1,4 +1,15 @@
 # Here are described some bindings for PiKVM devices.
 # Do not edit this file.
-KERNEL=="ttyACM[0-9]*", SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="eda3", SYMLINK+="kvmd-hid-bridge"
-KERNEL=="ttyACM[0-9]*", SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTRS{idVendor}=="2e8a", ATTRS{idProduct}=="1080", SYMLINK+="kvmd-switch"
+
+ACTION!="remove", KERNEL=="ttyACM[0-9]*", SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="eda3", SYMLINK+="kvmd-hid-bridge"
+ACTION!="remove", KERNEL=="ttyACM[0-9]*", SUBSYSTEM=="tty", SUBSYSTEMS=="usb", ATTRS{idVendor}=="2e8a", ATTRS{idProduct}=="1080", SYMLINK+="kvmd-switch"
+
+# Disable USB autosuspend for critical devices
+ACTION!="remove", SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="eda3", GOTO="kvmd-usb"
+ACTION!="remove", SUBSYSTEM=="usb", ATTR{idVendor}=="2e8a", ATTR{idProduct}=="1080", GOTO="kvmd-usb"
+GOTO="end"
+
+LABEL="kvmd-usb"
+ATTR{power/control}="on", ATTR{power/autosuspend_delay_ms}="-1"
+
+LABEL="end"