pipewire: sandbox with landlock (so that rtkit integration works) and split rtkit into own file

2024-04-23 05:08:33 +00:00 · 2024-04-23 05:08:33 +00:00 · 9481131daf
commit 9481131daf
parent ae418fb2d1
3 changed files with 37 additions and 11 deletions
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@ -95,6 +95,7 @@
    ./rhythmbox.nix
    ./ripgrep.nix
    ./rofi
+    ./rtkit.nix
    ./s6-rc.nix
    ./sane-input-handler
    ./sane-sandboxed.nix
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@ -21,10 +21,10 @@ in
      };
    };

-    suggestedPrograms = [ "wireplumber" ];
+    suggestedPrograms = [ "rtkit" "wireplumber" ];

-    # sandbox.method = "landlock";  #< also works
-    sandbox.method = "bwrap";
+    sandbox.method = "landlock";
+    # sandbox.method = "bwrap";  #< also works, but can't claim the full scheduling priority it wants
    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [
      # dbus is used for rtkit integration
@ -40,6 +40,11 @@ in
    sandbox.extraConfig = [
      "--sane-sandbox-keep-namespace" "pid"
    ];
+    sandbox.capabilities = [
+      # if using landlock, these capabilities allow pipewire to claim higher scheduling priority
+      "ipc_lock"
+      "sys_nice"
+    ];
    sandbox.usePortal = false;
    sandbox.extraPaths = [
      "/dev/snd"
@ -51,6 +56,7 @@ in
    sandbox.extraHomePaths = [
      # pulseaudio cookie
      ".config/pulse"
+      ".config/pipewire"
    ];

    # note the .conf.d approach: using ~/.config/pipewire/pipewire.conf directly breaks all audio,
@ -82,6 +88,7 @@ in
    services.pipewire = {
      description = "pipewire: multimedia service";
      partOf = [ "sound" ];
+      depends = [ "rtkit" ];
      # depends = [ "xdg-desktop-portal" ];  # for Realtime portal (dependency cycle)
      # env PIPEWIRE_LOG_SYSTEMD=false"
      # env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
@ -130,12 +137,4 @@ in
  services.udev.packages = lib.mkIf cfg.enabled [
    cfg.package
  ];
-
-  # rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
-  # this might require more configuration (e.g. polkit-related) to work exactly as desired.
-  # - readme outlines requirements: <https://github.com/heftig/rtkit>
-  # XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
-  # - note that `rtkit-daemon` can be launched with a lot of config: pipewire docs (top of this file)
-  #   suggest using a much less aggressive canary. maybe try that?
-  security.rtkit.enable = lib.mkIf cfg.enabled true;
 }
--- a/hosts/common/programs/rtkit.nix
+++ b/hosts/common/programs/rtkit.nix
@ -0,0 +1,26 @@
+# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
+# this might require more configuration (e.g. polkit-related) to work exactly as desired.
+# - readme outlines requirements: <https://github.com/heftig/rtkit>
+# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
+# - note that `rtkit-daemon` can be launched with a lot of config
+#   - suggest using a much less aggressive canary. maybe try that?
+#   - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.rtkit;
+in
+{
+  sane.programs.rtkit = {
+    services.rtkit = {
+      description = "rtkit: grant realtime scheduling privileges to select processes";
+      command = "${cfg.package}/libexec/rtkit-daemon";
+    };
+  };
+
+  environment.systemPackages = lib.mkIf cfg.enabled [
+    cfg.package  # "to make polkit pickup rtkit policies". TODO: needed?
+  ];
+  security.polkit = lib.mkIf cfg.enabled {
+    enable = true;
+  };
+}