From 29a46d28027016dc9dbed88b7258306b35662158 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Mon, 27 Nov 2023 09:07:32 -0800 Subject: [PATCH] nixos/nvidia: Set SidebandSocketPath to a user-writable path in `/run` The NVIDIA X driver uses a UNIX domain socket to pass information to other driver components. If unable to connect to this socket, some driver features, such as G-Sync, may not work correctly. The socket will be bound to a file with a name unique to the X server instance created in the directory specified by this option. Note that on Linux, an additional abstract socket (not associated with a file) will also be created, with this pathname socket serving as a fallback if connecting to the abstract socket fails. The default, which was in effect prior to this change, was `/var/run`. The effect of not setting this option was that GDM X sessions (and other non-root sessions) would see this warning in the log files: ``` (WW) NVIDIA: Failed to bind sideband socket to (WW) NVIDIA: '/var/run/nvidia-xdriver-b4f69129' Permission denied ``` I don't see any security implications of turning this on universally, since there already was an abstract socket created according to the docs. Documentation: 1. [NVIDIA X Config Options](https://download.nvidia.com/XFree86/Linux-x86_64/440.82/README/xconfigoptions.html#SidebandSocketPath) Diagnosis: 1. [Arch Linux BBS post](https://bbs.archlinux.org/viewtopic.php?pid=1909115#p1909115) --- nixos/modules/hardware/video/nvidia.nix | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 3b983f768f91..352c8d8ead54 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix 
@@ -396,6 +396,9 @@ in { modules = [nvidia_x11.bin]; display = !offloadCfg.enable; deviceSection = + '' + Option "SidebandSocketPath" "/run/nvidia-xdriver/" + '' + lib.optionalString primeEnabled '' BusID "${pCfg.nvidiaBusId}" @@ -533,8 +536,14 @@ in { hardware.firmware = lib.optional cfg.open nvidia_x11.firmware; - systemd.tmpfiles.rules = - lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) + systemd.tmpfiles.rules = [ + # Remove the following log message: + # (WW) NVIDIA: Failed to bind sideband socket to + # (WW) NVIDIA: '/var/run/nvidia-xdriver-b4f69129' Permission denied + # + # https://bbs.archlinux.org/viewtopic.php?pid=1909115#p1909115 + "d /run/nvidia-xdriver 0770 root users" + ] ++ lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia) "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced"; boot = {
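Review bot: In the first hunk (`deviceSection`), the `Option "SidebandSocketPath" "/run/nvidia-xdriver/"` line hard-codes the same path that the `systemd.tmpfiles.rules` entry in the second hunk creates, and nothing ties the two literals together. If one is edited without the other, the driver is pointed at a directory that tmpfiles never creates. Consider binding the path once in a `let` and interpolating it in both places. The option is also prepended unconditionally, so a one-line comment here saying why it is set would help. The explanation currently lives only next to the tmpfiles rule.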
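Review bot: In the second hunk, the rule `"d /run/nvidia-xdriver 0770 root users"` creates a group-writable directory without the sticky bit, so any member of `users` can unlink or rename a socket file that another user's X server bound there. The commit message's reasoning about the abstract socket does not cover this, because the pathname socket is the documented fallback when the abstract one cannot be reached. Mode `1770` would restrict removal of each entry to its owner, as `/tmp` does. Separately, `0770 root users` grants nothing to accounts outside `users`, so please confirm that the account the GDM X server runs as is in that group. Otherwise the `Permission denied` warning quoted in the comment will persist for that session.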