pipewire: sandbox with landlock (so that rtkit integration works) and split rtkit into own file
This commit is contained in:
parent
ae418fb2d1
commit
9481131daf
@ -95,6 +95,7 @@
|
||||
./rhythmbox.nix
|
||||
./ripgrep.nix
|
||||
./rofi
|
||||
./rtkit.nix
|
||||
./s6-rc.nix
|
||||
./sane-input-handler
|
||||
./sane-sandboxed.nix
|
||||
|
@ -21,10 +21,10 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
suggestedPrograms = [ "wireplumber" ];
|
||||
suggestedPrograms = [ "rtkit" "wireplumber" ];
|
||||
|
||||
# sandbox.method = "landlock"; #< also works
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.method = "landlock";
|
||||
# sandbox.method = "bwrap"; #< also works, but can't claim the full scheduling priority it wants
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [
|
||||
# dbus is used for rtkit integration
|
||||
@ -40,6 +40,11 @@ in
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-keep-namespace" "pid"
|
||||
];
|
||||
sandbox.capabilities = [
|
||||
# if using landlock, these capabilities allow pipewire to claim higher scheduling priority
|
||||
"ipc_lock"
|
||||
"sys_nice"
|
||||
];
|
||||
sandbox.usePortal = false;
|
||||
sandbox.extraPaths = [
|
||||
"/dev/snd"
|
||||
@ -51,6 +56,7 @@ in
|
||||
sandbox.extraHomePaths = [
|
||||
# pulseaudio cookie
|
||||
".config/pulse"
|
||||
".config/pipewire"
|
||||
];
|
||||
|
||||
# note the .conf.d approach: using ~/.config/pipewire/pipewire.conf directly breaks all audio,
|
||||
@ -82,6 +88,7 @@ in
|
||||
services.pipewire = {
|
||||
description = "pipewire: multimedia service";
|
||||
partOf = [ "sound" ];
|
||||
depends = [ "rtkit" ];
|
||||
# depends = [ "xdg-desktop-portal" ]; # for Realtime portal (dependency cycle)
|
||||
# env PIPEWIRE_LOG_SYSTEMD=false"
|
||||
# env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
|
||||
@ -130,12 +137,4 @@ in
|
||||
services.udev.packages = lib.mkIf cfg.enabled [
|
||||
cfg.package
|
||||
];
|
||||
|
||||
# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
|
||||
# this might require more configuration (e.g. polkit-related) to work exactly as desired.
|
||||
# - readme outlines requirements: <https://github.com/heftig/rtkit>
|
||||
# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
|
||||
# - note that `rtkit-daemon` can be launched with a lot of config: pipewire docs (top of this file)
|
||||
# suggest using a much less aggressive canary. maybe try that?
|
||||
security.rtkit.enable = lib.mkIf cfg.enabled true;
|
||||
}
|
||||
|
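Review bot: Adding `sys_nice` (and `ipc_lock`) to `sandbox.capabilities` undercuts the rtkit integration the same commit makes pipewire depend on: rtkit exists so the client never holds CAP_SYS_NICE, whereas a process that does hold it may change scheduling policy, priority and CPU affinity of arbitrary processes, not only its own threads, and `ipc_lock` lets it mlock memory past RLIMIT_MEMLOCK with no rttime guard of the kind rtkit imposes. With the capability in hand pipewire no longer needs the dbus request the whitelist comment describes as "used for rtkit integration", so either the capability list or the `depends = [ "rtkit" ]`/dbus entry is dead weight; if landlock-mode pipewire genuinely cannot honour an rtkit-granted priority without the capability, that reason should be stated. How `sandbox.capabilities` is applied (ambient vs. bounding set) and whether the landlock backend honours the `--sane-sandbox-keep-namespace pid` line kept above it is not visible in this hunk. I'd reword the comment to `# CAP_SYS_NICE/CAP_IPC_LOCK act system-wide, not self-only: prefer rtkit (policy-checked, rttime-limited) and drop these once landlock+rtkit is confirmed working`.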
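--- a/hosts/common/programs/rtkit.nix
+++ b/hosts/common/programs/rtkit.nix
@@ -0,0 +1,26 @@
+# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
+# this might require more configuration (e.g. polkit-related) to work exactly as desired.
+# - readme outlines requirements: <https://github.com/heftig/rtkit>
+# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
+# - note that `rtkit-daemon` can be launched with a lot of config
+# - suggest using a much less aggressive canary. maybe try that?
+# - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
+{ config, lib, ... }:
+let
+  cfg = config.sane.programs.rtkit;
+in
+{
+  sane.programs.rtkit = {
+    services.rtkit = {
+      description = "rtkit: grant realtime scheduling privileges to select processes";
+      command = "${cfg.package}/libexec/rtkit-daemon";
+    };
+  };
+
+  environment.systemPackages = lib.mkIf cfg.enabled [
+    cfg.package # "to make polkit pickup rtkit policies". TODO: needed?
+  ];
+  security.polkit = lib.mkIf cfg.enabled {
+    enable = true;
+  };
+}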
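Review bot: `services.rtkit` runs `rtkit-daemon` bare while the commit drops `security.rtkit.enable` from pipewire.nix, and the pieces that NixOS module supplied are not visible here: the unprivileged `rtkit` user/group the daemon drops to after starting as root, the D-Bus system-service registration that lets clients reach it, and any resource-limit arguments. If the `sane.programs` service wrapper does not create that user the daemon will fail at privilege drop; if it were started in a way that skips the drop, it would stay root with its full capability set, which is worse than the upstream setup, so this deserves a comment or an explicit user-creation stanza. The XXX note blames the default canary for the 10s audio deaths, and the knobs it alludes to can be pinned in `command` rather than left to defaults, e.g. `command = "${cfg.package}/libexec/rtkit-daemon --canary-watchdog-msec=... --rttime-usec-max=...";` (check `rtkit-daemon --help` for the exact names). On the TODO beside `cfg.package`: polkit only sees `share/polkit-1/actions` of packages linked into the system profile, so the entry is likely needed; I'd replace the TODO with `# needed: polkit reads rtkit's .policy from the system profile`.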