Compare commits
7 Commits
7db40fbf47
...
10fc7bbb84
Author | SHA1 | Date |
---|---|---|
Colin | 10fc7bbb84 | |
Colin | 87e3f2a9ef | |
Colin | 5006692594 | |
Colin | 9481131daf | |
Colin | ae418fb2d1 | |
Colin | c174eddddf | |
Colin | 6d74c6616c |
|
@ -881,7 +881,7 @@ in
|
|||
"/sys/bus/usb"
|
||||
];
|
||||
|
||||
valgrind = {};
|
||||
valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox
|
||||
|
||||
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
visidata.sandbox.autodetectCliPaths = true;
|
||||
|
|
|
@ -21,5 +21,15 @@
|
|||
ln -s curlftpfs $out/bin/mount.curlftpfs
|
||||
'';
|
||||
});
|
||||
|
||||
# TODO: try to sandbox this better? maybe i can have fuse (unsandboxed) invoke curlftpfs (sandboxed)?
|
||||
# - landlock gives EPERM
|
||||
# - bwrap just silently doesn't mount it, maybe because of setuid stuff around fuse?
|
||||
# sandbox.method = "capshonly";
|
||||
# sandbox.net = "all";
|
||||
# sandbox.capabilities = [
|
||||
# "sys_admin"
|
||||
# "sys_module"
|
||||
# ];
|
||||
};
|
||||
}
|
||||
|
|
|
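Review bot: The commented-out fallback `# sandbox.capabilities = [ "sys_admin" "sys_module" ];` would, if someone resolves the TODO by simply uncommenting it, hand curlftpfs CAP_SYS_MODULE (load arbitrary kernel modules) on top of CAP_SYS_ADMIN, which is already near-root; a sandbox granting both confines nothing, and `sandbox.net = "all"` opens the network side as well. I would record that next to the block so it is not mistaken for a viable option: `# NOTE: sys_admin+sys_module are effectively root — a sandbox granting them is no sandbox; pursue the fuse-outside/curlftpfs-inside split instead`. On the bwrap observation, bubblewrap sets PR_SET_NO_NEW_PRIVS on everything it launches, so the setuid fusermount3 helper runs unprivileged and the mount quietly fails — that is probably the "setuid stuff" the comment guesses at, and naming it keeps the landlock/bwrap notes pointed at the real cause. The overrideAttrs derivation whose `postInstall` opens this hunk begins outside it.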
@ -95,6 +95,7 @@
|
|||
./rhythmbox.nix
|
||||
./ripgrep.nix
|
||||
./rofi
|
||||
./rtkit.nix
|
||||
./s6-rc.nix
|
||||
./sane-input-handler
|
||||
./sane-sandboxed.nix
|
||||
|
|
|
@ -21,10 +21,14 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
suggestedPrograms = [ "wireplumber" ];
|
||||
suggestedPrograms = [
|
||||
"rtkit"
|
||||
"wireplumber"
|
||||
];
|
||||
|
||||
# sandbox.method = "landlock"; #< also works
|
||||
sandbox.method = "bwrap";
|
||||
# sandbox.method = "landlock";
|
||||
sandbox.method = "bwrap"; #< also works, but can't claim the full scheduling priority it wants
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [
|
||||
# dbus is used for rtkit integration
|
||||
# rtkit runs on the system bus.
|
||||
|
@ -37,11 +41,14 @@ in
|
|||
];
|
||||
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-keep-namespace" "pid"
|
||||
"--sane-sandbox-keep-namespace" "pid" #< required for rtkit
|
||||
];
|
||||
# sandbox.capabilities = [
|
||||
# # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
|
||||
# "ipc_lock"
|
||||
# "sys_nice"
|
||||
# ];
|
||||
sandbox.usePortal = false;
|
||||
# needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
|
||||
sandbox.extraRuntimePaths = [ "/" ];
|
||||
sandbox.extraPaths = [
|
||||
"/dev/snd"
|
||||
# desko/lappy don't need these, but moby complains if not present
|
||||
|
@ -52,6 +59,7 @@ in
|
|||
sandbox.extraHomePaths = [
|
||||
# pulseaudio cookie
|
||||
".config/pulse"
|
||||
".config/pipewire"
|
||||
];
|
||||
|
||||
# note the .conf.d approach: using ~/.config/pipewire/pipewire.conf directly breaks all audio,
|
||||
|
@ -83,6 +91,7 @@ in
|
|||
services.pipewire = {
|
||||
description = "pipewire: multimedia service";
|
||||
partOf = [ "sound" ];
|
||||
# depends = [ "rtkit" ];
|
||||
# depends = [ "xdg-desktop-portal" ]; # for Realtime portal (dependency cycle)
|
||||
# env PIPEWIRE_LOG_SYSTEMD=false"
|
||||
# env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
|
||||
|
@ -100,7 +109,10 @@ in
|
|||
description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients";
|
||||
depends = [ "pipewire" ];
|
||||
partOf = [ "sound" ];
|
||||
command = "pipewire-pulse";
|
||||
command = pkgs.writeShellScript "pipewire-pulse-start" ''
|
||||
mkdir -p $XDG_RUNTIME_DIR/pulse
|
||||
exec pipewire-pulse
|
||||
'';
|
||||
readiness.waitExists = [
|
||||
"$XDG_RUNTIME_DIR/pulse/native"
|
||||
"$XDG_RUNTIME_DIR/pulse/pid"
|
||||
|
@ -128,12 +140,4 @@ in
|
|||
services.udev.packages = lib.mkIf cfg.enabled [
|
||||
cfg.package
|
||||
];
|
||||
|
||||
# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
|
||||
# this might require more configuration (e.g. polkit-related) to work exactly as desired.
|
||||
# - readme outlines requirements: <https://github.com/heftig/rtkit>
|
||||
# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
|
||||
# - note that `rtkit-daemon` can be launched with a lot of config: pipewire docs (top of this file)
|
||||
# suggest using a much less aggressive canary. maybe try that?
|
||||
security.rtkit.enable = lib.mkIf cfg.enabled true;
|
||||
}
|
||||
|
|
|
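Review bot: In the new `pipewire-pulse-start` script, `mkdir -p $XDG_RUNTIME_DIR/pulse` uses the variable unquoted and unchecked; `pkgs.writeShellScript` adds no `set -u`/`set -e`, so a start without XDG_RUNTIME_DIR would attempt to create `/pulse` and then `exec pipewire-pulse` regardless. I would fail closed: `mkdir -p "''${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set}/pulse"` (the `''${` is the Nix escape for a literal `${` inside the indented string). The `#< required for rtkit` annotation on `--sane-sandbox-keep-namespace pid` could say why: as I understand rtkit, it resolves the thread id it receives over the system bus in its own pid namespace, so a pipewire in a private pid namespace can never be matched — which also means this line deliberately gives up pid isolation for the audio daemon. The `sandbox.extraRuntimePaths = [ "/" ]` context line exposes the whole of `/run/user/$uid`, session sockets included, to pipewire; if sane-sandbox can whitelist the `pulse`/`pipewire-0` entries alone, that would be the tighter grant.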
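--- /dev/null
+++ b/rtkit.nix
@@ -0,0 +1,67 @@
+# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
+# this might require more configuration (e.g. polkit-related) to work exactly as desired.
+# - readme outlines requirements: <https://github.com/heftig/rtkit>
+# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
+# - note that `rtkit-daemon` can be launched with a lot of config
+# - suggest using a much less aggressive canary. maybe try that?
+# - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
+{ config, lib, pkgs, ... }:
+let
+cfg = config.sane.programs.rtkit;
+in
+{
+sane.programs.rtkit = {
+packageUnwrapped = pkgs.rmDbusServices pkgs.rtkit;
+# services.rtkit = {
+# description = "rtkit: grant realtime scheduling privileges to select processes";
+# command = "${cfg.package}/libexec/rtkit-daemon";
+# };
+};
+
+systemd.services.rtkit-daemon = lib.mkIf cfg.enabled {
+description = "rtkit: grant realtime scheduling privileges to select processes";
+wantedBy = [ "default.target" ];
+serviceConfig = {
+ExecStart = lib.escapeShellArgs [
+"${cfg.package}/libexec/rtkit-daemon"
+"--scheduling-policy=FIFO"
+"--our-realtime-priority=89"
+"--max-realtime-priority=88"
+"--min-nice-level=-19"
+"--rttime-usec-max=2000000"
+"--users-max=100"
+"--processes-per-user-max=1000"
+"--threads-per-user-max=10000"
+"--actions-burst-sec=10"
+"--actions-per-burst-max=1000"
+"--canary-cheep-msec=30000"
+"--canary-watchdog-msec=60000"
+];
+
+Type = "simple";
+# Type = "dbus";
+# BusName = "org.freedesktop.RealtimeKit1";
+Restart = "on-failure";
+# User = "rtkit"; # it wants starts as root
+# Group = "rtkit";
+# wantedBy = [ "default.target" ];
+# TODO: harden
+CapabilityBoundingSet = "CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID";
+};
+};
+users.users.rtkit = lib.mkIf cfg.enabled {
+isSystemUser = true;
+group = "rtkit";
+description = "RealtimeKit daemon";
+};
+users.groups.rtkit = lib.mkIf cfg.enabled {};
+
+
+environment.systemPackages = lib.mkIf cfg.enabled [
+# for /share/polkit-1, but unclear if actually needed
+cfg.package
+];
+security.polkit = lib.mkIf cfg.enabled {
+enable = true;
+};
+}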
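Review bot: `# TODO: harden` above `CapabilityBoundingSet` is the only confinement on a unit that starts `rtkit-daemon` as root and relies on the daemon to drop privileges itself; the bounding set matches the one upstream ships, but upstream's unit (as I recall it) also adds filesystem and network isolation, which is cheap to carry over since the daemon needs only the system bus socket and `/proc`. The tuned limits copied from the pipewire wiki are far looser than rtkit's defaults — if I recall those correctly, `--rttime-usec-max` goes from 200 ms to 2 s, `--threads-per-user-max` from 25 to 10000 and the canary watchdog from 10 s to 60 s — so any polkit-authorised local user may run thousands of SCHED_FIFO prio-88 threads and a runaway one is only demoted when the 60 s watchdog fires; that trade-off deserves a comment such as `# NOTE: pipewire-wiki limits, far above rtkit's defaults; a misbehaving RT thread can stall the machine until the 60 s canary watchdog demotes it`. The `# it wants starts as root` remark would read better as `# must start as root: rtkit-daemon chroots and drops to the rtkit user itself`. Below are the hardening directives I would add beside the bounding set.
```nix
CapabilityBoundingSet = "CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID";
# the daemon only talks to the system bus over a unix socket and reads /proc; deny everything else
PrivateNetwork = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
RestrictAddressFamilies = [ "AF_UNIX" ];
```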
@ -3,9 +3,8 @@
|
|||
sane.programs.wireplumber = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistDbus = [
|
||||
# i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
|
||||
# "system"
|
||||
"user"
|
||||
"system" #< so it can request better scheduling from rtkit
|
||||
"user" #< TODO: is this needed?
|
||||
];
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.extraPaths = [
|
||||
|
@ -21,6 +20,10 @@
|
|||
"/sys/class/video4linux"
|
||||
"/sys/devices"
|
||||
];
|
||||
sandbox.extraConfig = [
|
||||
# needed if i want rtkit to grant this higher scheduling priority
|
||||
"--sane-sandbox-keep-namespace" "pid"
|
||||
];
|
||||
|
||||
suggestedPrograms = [ "alsa-ucm-conf" ];
|
||||
|
||||
|
|
|
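Review bot: The new `"user" #< TODO: is this needed?` drops the one explanation the old side carried — that the session bus was there to ask the xdg-desktop-portal Realtime interface for scheduling permission — so the TODO is harder to answer after the change than before it; I would keep the reason in place, e.g. `"user" #< only for xdg-desktop-portal's Realtime interface; TODO: drop once rtkit over the system bus is confirmed sufficient`. Whitelisting `"system"` hands the sandbox the entire system bus, not just `org.freedesktop.RealtimeKit1`; if sane-sandbox can filter by destination name that is the grant to make, and if it cannot, the comment should state that the full bus is exposed. On `--sane-sandbox-keep-namespace pid`, the reason (as I understand rtkit) is that the daemon resolves the thread id sent over D-Bus in its own pid namespace, so the comment could read `# rtkit matches the tid we send against its own pid namespace — without the host pid namespace the request is rejected`; it is also worth saying explicitly that wireplumber thereby loses pid isolation.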
@ -19,7 +19,6 @@ with lib;
|
|||
let
|
||||
# HOW TO UPDATE:
|
||||
# - see: <https://xnux.eu/log/094.html>
|
||||
# - `wget https://xff.cz/kernels/git/orange-pi-active.bundle`
|
||||
# - `git fetch torvalds`
|
||||
# - `curl -o .bundle https://xff.cz/kernels/git/orange-pi-active.bundle`
|
||||
# - `git fetch .bundle '+refs/heads/*:refs/remotes/megi/*'`
|
||||
|
@ -41,9 +40,9 @@ let
|
|||
# - orange-pi is listed as the "main integration branch".
|
||||
# - this suggests it's NOT a stable branch, only `orange-pi-X.YY-YYYYMMDD-NNNN` tags are "formal" releases
|
||||
# - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
|
||||
rev = "orange-pi-6.7-20240306-2359";
|
||||
base = "6.7.9";
|
||||
hash = "sha256-UQanb0l9yNWrccQLuKNln4CfvoaMy9zDKtBhnDG7yPE=";
|
||||
rev = "orange-pi-6.8-20240405-1842";
|
||||
base = "6.8.4";
|
||||
hash = "sha256-9PG/P8NxD4HyG+tE59AjHClAmH9E8yuysN5YUyf1qAk=";
|
||||
# set to empty if not a release candidate, else `-rc<N>`
|
||||
rc = "";
|
||||
|
||||
|
|