diff --git a/hosts/common/programs/pipewire.nix b/hosts/common/programs/pipewire.nix
index 640987c8..4566d87d 100644
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@@ -22,32 +22,32 @@ in
     };
 
     suggestedPrograms = [
-      "rtkit"
+      # "rtkit"
       "wireplumber"
     ];
 
-    # sandbox.method = "landlock";
-    sandbox.method = "bwrap";  #< also works, but can't claim the full scheduling priority it wants
+    sandbox.method = "landlock";  #< works, including without rtkit
+    # sandbox.method = "bwrap";  #< also works, but can't claim the full scheduling priority it wants
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [
-      # dbus is used for rtkit integration
-      # rtkit runs on the system bus.
-      # xdg-desktop-portal then exposes this to the user bus.
-      # therefore, user bus should be all that's needed, but...
-      # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
-      # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
-      # "user"
-      "system"
-    ];
+    # sandbox.whitelistDbus = [
+    #   # dbus is used for rtkit integration
+    #   # rtkit runs on the system bus.
+    #   # xdg-desktop-portal then exposes this to the user bus.
+    #   # therefore, user bus should be all that's needed, but...
+    #   # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
+    #   # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
+    #   # "user"
+    #   "system"
+    # ];
     sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
     sandbox.extraConfig = [
       "--sane-sandbox-keep-namespace" "pid"  #< required for rtkit
     ];
-    # sandbox.capabilities = [
-    #   # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
-    #   "ipc_lock"
-    #   "sys_nice"
-    # ];
+    sandbox.capabilities = [
+      # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
+      "ipc_lock"
+      "sys_nice"
+    ];
     sandbox.usePortal = false;
     sandbox.extraPaths = [
       "/dev/snd"
@@ -88,12 +88,30 @@ in
         name = libpipewire-module-rt
         args = {
           nice.level   = 0
-          #rt.prio      = 88
+          rt.prio      = 0
           #rt.time.soft = -1
           #rt.time.hard = -1
-          #rlimits.enabled = true
-          #rtportal.enabled = true
-          #rtkit.enabled = true
+          rlimits.enabled = false
+          rtportal.enabled = false
+          rtkit.enabled = true
+          #uclamp.min = 0
+          #uclamp.max = 1024
+        }
+        flags = [ ifexists nofail ]
+      }]
+    '';
+    fs.".config/pipewire/pipewire-pulse.conf.d/20-sane-rtkit.conf".symlink.text = ''
+      # documented: <repo:pipewire/pipewire:src/daemon/pipewire-pulse.conf.in>
+      context.modules = [{
+        name = libpipewire-module-rt
+        args = {
+          nice.level   = 0
+          rt.prio      = 0
+          #rt.time.soft = -1
+          #rt.time.hard = -1
+          rlimits.enabled = false
+          rtportal.enabled = false
+          rtkit.enabled = true
           #uclamp.min = 0
           #uclamp.max = 1024
         }