pipewire: split rtkit into own file, and use defaults from pipewire project
@@ -21,10 +21,13 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
suggestedPrograms = [ "rtkit" "wireplumber" ];
|
suggestedPrograms = [
|
||||||
|
"rtkit"
|
||||||
|
"wireplumber"
|
||||||
|
];
|
||||||
|
|
||||||
sandbox.method = "landlock";
|
# sandbox.method = "landlock";
|
||||||
# sandbox.method = "bwrap"; #< also works, but can't claim the full scheduling priority it wants
|
sandbox.method = "bwrap"; #< also works, but can't claim the full scheduling priority it wants
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
# dbus is used for rtkit integration
|
# dbus is used for rtkit integration
|
||||||
@@ -38,13 +41,13 @@ in
|
|||||||
];
|
];
|
||||||
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
|
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
|
||||||
sandbox.extraConfig = [
|
sandbox.extraConfig = [
|
||||||
"--sane-sandbox-keep-namespace" "pid"
|
"--sane-sandbox-keep-namespace" "pid" #< required for rtkit
|
||||||
];
|
|
||||||
sandbox.capabilities = [
|
|
||||||
# if using landlock, these capabilities allow pipewire to claim higher scheduling priority
|
|
||||||
"ipc_lock"
|
|
||||||
"sys_nice"
|
|
||||||
];
|
];
|
||||||
|
# sandbox.capabilities = [
|
||||||
|
# # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
|
||||||
|
# "ipc_lock"
|
||||||
|
# "sys_nice"
|
||||||
|
# ];
|
||||||
sandbox.usePortal = false;
|
sandbox.usePortal = false;
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/dev/snd"
|
"/dev/snd"
|
||||||
@@ -88,7 +91,7 @@ in
|
|||||||
services.pipewire = {
|
services.pipewire = {
|
||||||
description = "pipewire: multimedia service";
|
description = "pipewire: multimedia service";
|
||||||
partOf = [ "sound" ];
|
partOf = [ "sound" ];
|
||||||
depends = [ "rtkit" ];
|
# depends = [ "rtkit" ];
|
||||||
# depends = [ "xdg-desktop-portal" ]; # for Realtime portal (dependency cycle)
|
# depends = [ "xdg-desktop-portal" ]; # for Realtime portal (dependency cycle)
|
||||||
# env PIPEWIRE_LOG_SYSTEMD=false"
|
# env PIPEWIRE_LOG_SYSTEMD=false"
|
||||||
# env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
|
# env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
|
||||||
|
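Review bot: With `sandbox.method` switched to `"bwrap"`, the `"--sane-sandbox-keep-namespace" "pid"` entry leaves pipewire in the host PID namespace, and its trailing `#< required for rtkit` does not say what that costs. I would extend it to something like `#< required for rtkit, which resolves the caller's host pid/tid; cost: pipewire can see host processes under /proc`, assuming that is indeed the reason. The comment kept on the now-active bwrap line, `#< also works, but can't claim the full scheduling priority it wants`, reads as stale if rtkit is meant to grant that priority. With `depends = [ "rtkit" ]` commented out, nothing visible here says what pipewire does when rtkit-daemon is not yet running.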
@@ -5,20 +5,61 @@
|
|||||||
# - note that `rtkit-daemon` can be launched with a lot of config
|
# - note that `rtkit-daemon` can be launched with a lot of config
|
||||||
# - suggest using a much less aggressive canary. maybe try that?
|
# - suggest using a much less aggressive canary. maybe try that?
|
||||||
# - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
|
# - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.sane.programs.rtkit;
|
cfg = config.sane.programs.rtkit;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sane.programs.rtkit = {
|
sane.programs.rtkit = {
|
||||||
services.rtkit = {
|
packageUnwrapped = pkgs.rmDbusServices pkgs.rtkit;
|
||||||
description = "rtkit: grant realtime scheduling privileges to select processes";
|
# services.rtkit = {
|
||||||
command = "${cfg.package}/libexec/rtkit-daemon";
|
# description = "rtkit: grant realtime scheduling privileges to select processes";
|
||||||
};
|
# command = "${cfg.package}/libexec/rtkit-daemon";
|
||||||
|
# };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.rtkit-daemon = lib.mkIf cfg.enabled {
|
||||||
|
description = "rtkit: grant realtime scheduling privileges to select processes";
|
||||||
|
wantedBy = [ "default.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = lib.escapeShellArgs [
|
||||||
|
"${cfg.package}/libexec/rtkit-daemon"
|
||||||
|
"--scheduling-policy=FIFO"
|
||||||
|
"--our-realtime-priority=89"
|
||||||
|
"--max-realtime-priority=88"
|
||||||
|
"--min-nice-level=-19"
|
||||||
|
"--rttime-usec-max=2000000"
|
||||||
|
"--users-max=100"
|
||||||
|
"--processes-per-user-max=1000"
|
||||||
|
"--threads-per-user-max=10000"
|
||||||
|
"--actions-burst-sec=10"
|
||||||
|
"--actions-per-burst-max=1000"
|
||||||
|
"--canary-cheep-msec=30000"
|
||||||
|
"--canary-watchdog-msec=60000"
|
||||||
|
];
|
||||||
|
|
||||||
|
Type = "simple";
|
||||||
|
# Type = "dbus";
|
||||||
|
# BusName = "org.freedesktop.RealtimeKit1";
|
||||||
|
Restart = "on-failure";
|
||||||
|
# User = "rtkit"; # it wants starts as root
|
||||||
|
# Group = "rtkit";
|
||||||
|
# wantedBy = [ "default.target" ];
|
||||||
|
# TODO: harden
|
||||||
|
CapabilityBoundingSet = "CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
users.users.rtkit = lib.mkIf cfg.enabled {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "rtkit";
|
||||||
|
description = "RealtimeKit daemon";
|
||||||
|
};
|
||||||
|
users.groups.rtkit = lib.mkIf cfg.enabled {};
|
||||||
|
|
||||||
|
|
||||||
environment.systemPackages = lib.mkIf cfg.enabled [
|
environment.systemPackages = lib.mkIf cfg.enabled [
|
||||||
cfg.package # "to make polkit pickup rtkit policies". TODO: needed?
|
# for /share/polkit-1, but unclear if actually needed
|
||||||
|
cfg.package
|
||||||
];
|
];
|
||||||
security.polkit = lib.mkIf cfg.enabled {
|
security.polkit = lib.mkIf cfg.enabled {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
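Review bot: The new `systemd.services.rtkit-daemon` unit runs as root (the `User`/`Group` lines are commented out) with `CapabilityBoundingSet` as its only confinement, and the `# TODO: harden` next to it is left open. The daemon appears to need only the system bus socket and `/proc`, so `PrivateNetwork = true;`, `PrivateTmp = true;` and `NoNewPrivileges = true;` are likely safe first steps; confirm them against the daemon's own chroot and setuid sequence before adding stricter options. Separately, `--canary-watchdog-msec=60000` combined with `--max-realtime-priority=88` and `--rttime-usec-max=2000000` may let a misbehaving client starve ordinary tasks for a long time before the canary demotes it. A comment above `ExecStart` recording why these limits were chosen over the daemon's built-in ones would let the next reader judge that trade-off.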