./hardware-graphics.nix

Author: randomizedcoder

containers/nginx/flake.nix

@@ -2,7 +2,7 @@
   description = "OpenTechLab Docker Example";
 
   inputs = {
-    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.05;
+    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.11;
   };
 
   outputs = { self, nixpkgs }: {

containers/nginx/old.flake.nix.old

@@ -0,0 +1,68 @@
+{
+  description = "OpenTechLab Docker Example";
+
+  inputs = {
+    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.05;
+  };
+
+  outputs = { self, nixpkgs }: {
+    packages."x86_64-linux" =
+      let
+        pkgs = import nixpkgs { system = "x86_64-linux"; };
+      in
+      rec {
+        dockerImage =
+          pkgs.dockerTools.buildLayeredImage (let
+            nginxPort = "80";
+            nginxConf = pkgs.writeText "nginx.conf" ''
+              user nginx nginx;
+              daemon off;
+              events {}
+              http {
+                server {
+                  listen ${nginxPort};
+                  location / {
+                    root ${./html};
+                  }
+                }
+              }
+            '';
+
+          in rec {
+            name = "otl-nix-demo";
+            tag = "latest";
+
+            contents = with pkgs; [
+              # Set up users and groups
+              (writeTextDir "etc/shadow" ''
+                root:!x:::::::
+                nginx:!:::::::
+              '')
+              (writeTextDir "etc/passwd" ''
+                root:x:0:0::/root:${runtimeShell}
+                nginx:x:999:999::/home/nginx:
+              '')
+              (writeTextDir "etc/group" ''
+                root:x:0:
+                nginx:x:999:
+              '')
+              (writeTextDir "etc/gshadow" ''
+                root:x::
+                nginx:x::
+              '')
+
+              # Workaround: create directories required by nginx
+              (writeTextDir "var/cache/nginx/.placeholder" "")
+              (writeTextDir "var/log/nginx/.placeholder" "")
+            ];
+
+            config = {
+              Cmd = [ "${pkgs.nginx}/bin/nginx" "-c" nginxConf ];
+              ExposedPorts = {
+                "${nginxPort}/tcp" = { };
+              };
+            };
+          };
+      };
+  };
+}

hp/hp1/Makefile

@@ -20,9 +20,15 @@ rebuild:
 	#sudo cp ./*.nix /etc/nixos/
 	#sudo nix-channel --update
 	#sudo nixos-rebuild switch
-	sudo nix flake update;
 	#sudo nix-channel --update;
 	sudo nixos-rebuild switch --flake .
+	systemctl --user restart ffmpeg-stream
+
+rebuild_trace:
+	sudo nixos-rebuild switch --show-trace --flake .
+
+update:
+	sudo nix flake update;
 
 sync:
 	rsync -av /home/das/nixos/hp/hp1/ hp1:/home/das/nixos/hp/hp1/

hp/hp1/configuration.nix

@@ -67,6 +67,16 @@
     };
   };
 
+  # find /run/opengl-driver -name "libamfrt64.so.1"
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      amdvlk  # AMD Vulkan driver, includes AMF runtime
+      #rocm-opencl-runtime  # Optional: ROCm OpenCL support
+      #rocm-smi  # AMD System Management Interface (for monitoring GPU)
+    ];
+  };
+
   # https://nixos.wiki/wiki/Networking
   # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html
   networking.hostName = "hp1";
@@ -95,7 +105,7 @@
   users.users.das = {
     isNormalUser = true;
     description = "das";
-    extraGroups = [ "wheel" "libvirtd" "docker" "kubernetes" ];
+    extraGroups = [ "wheel" "libvirtd" "docker" "kubernetes" "video" ];
     packages = with pkgs; [
     ];
     # https://nixos.wiki/wiki/SSH_public_key_authentication
@@ -122,6 +132,9 @@
 
   services.fstrim.enable = true;
 
+  # AMD GPU power management
+  #services.udev.packages = with pkgs; [ rocm-smi ];
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hp/hp1/ffmpeg_systemd_service.nix

@@ -0,0 +1,164 @@
+#
+# nixos/hp/hp1/ffmpeg_systemd_service.nix
+#
+# systemctl --user restart ffmpeg-stream
+# systemctl --user status ffmpeg-stream
+#
+# [das@hp1:~/nixos/hp/hp1]$ systemctl --user restart ffmpeg-stream
+
+# [das@hp1:~/nixos/hp/hp1]$ systemctl --user status ffmpeg-stream
+# ● ffmpeg-stream.service
+#      Loaded: loaded (/home/das/.config/systemd/user/ffmpeg-stream.service; enabled; preset: ignored)
+#      Active: active (running) since Sun 2025-02-02 15:16:54 PST; 3min 41s ago
+#  Invocation: ac9c5b7820cd40fe85f95d610a184c46
+#    Main PID: 394915 (ffmpeg)
+#       Tasks: 37 (limit: 37129)
+#      Memory: 230.4M (peak: 230.9M)
+#         CPU: 2min 13.669s
+#      CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/ffmpeg-stream.service
+#              └─394915 /nix/store/hk1a30i7a4nhc16sc407z0fi1yxgfgjp-ffmpeg-7.1-bin/bin/ffmpeg -f lavfi -re -i testsrc2=rate=30:size=1920x1080 -codec:v libx264 -b:v 10240k -maxrate:v 10000k -bu>
+
+# [das@hp1:~/nixos/hp/hp1]$ journalctl --user -u ffmpeg-stream -f
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: [libx264 @ 0x352394c0] using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2 AVX FMA3 BMI2 AVX2
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: [libx264 @ 0x352394c0] profile Constrained Baseline, level 4.0, 4:2:0, 8-bit
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: Output #0, mpegts, to 'udp://239.0.0.1:6000?ttl=4&pkt_size=1326&localddr=172.16.40.142':
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:   Metadata:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:     encoder         : Lavf61.7.100
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:   Stream #0:0: Video: h264, yuv420p(tv, progressive), 1920x1080 [SAR 1:1 DAR 16:9], q=2-31, 10240 kb/s, 25 fps, 90k tbn
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:       Metadata:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:         encoder         : Lavc61.19.100 libx264
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:       Side data:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:         cpb: bitrate max/min/avg: 10000000/0/10240000 buffer size: 10240000 vbv_delay: N/A
+
+# [das@hp1:~/nixos/hp/hp1]$ sudo tcpdump -ni eno1 -c 5 host 239.0.0.1
+# tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+# listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+# 15:21:39.577834 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577866 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577885 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577907 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577927 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 5 packets captured
+# 35 packets received by filter
+# 0 packets dropped by kernel
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+# ${pkgs.ffmpeg}/bin/ffmpeg \
+# ${home.packages.ffmpeg-full}/bin/ffmpeg \
+# ffmpeg -f lavfi -i "sine=frequency=1000:duration=10" -c:a aac -b:a 128k /home/das/test_audio.aac
+let
+  ffmpegCmd =
+
+  ''
+    ${pkgs.ffmpeg-full}/bin/ffmpeg -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+      -f lavfi -i "sine=frequency=1000" \
+      -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+      -x264-params "nal-hrd=cbr:force-cfr=1:aud=1:intra-refresh=1" \
+      -tune zerolatency \
+      -bsf:v h264_mp4toannexb \
+      -c:a aac -b:a 128k -ac 2 \
+      -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+      -f rtp_mpegts "rtp://239.0.0.1:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  '';
+  # Ensures SPS/PPS is sent in every keyframe (prevents decoder from losing parameter sets).
+  # Forces constant frame rate (force-cfr=1), improving stream stability.
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #     -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #     -f lavfi -i "sine=frequency=1000" \
+  #     -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+  #     -c:a aac -b:a 128k -ac 2 \
+  #     -x264opts "keyint=50:min-keyint=50:no-scenecut" \
+  #     -bsf:v h264_mp4toannexb \
+  #     -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #     -f rtp_mpegts "rtp://239.0.0.1:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  # '';
+  #-x264opts "keyint=50:min-keyint=50:no-scenecut" ensures regular keyframes.
+  #-bsf:v h264_mp4toannexb converts H.264 to Annex B format, which is better for streaming.
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #     -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #     -f lavfi -i "sine=frequency=1000" \
+  #     -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+  #     -c:a aac -b:a 128k -ac 2 \
+  #     -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #     -f rtp_mpegts \
+  #     "rtp://239.0.0.1:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  # '';
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #   -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #   -re -i /home/das/test_audio/test_audio.aac \
+  #   -c:v libx264 -b:v 10240k -maxrate:v 10000k -bufsize:v 10240k -preset ultrafast -r 25 -g 50 -pix_fmt yuv420p -flags2 local_header \
+  #   -c:a aac -b:a 128k -ac 2 \
+  #   -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #   -f rtp_mpegts \
+  #   "rtp://239.0.0.1:6000?ttl=4&pkt_size=1326&localaddr=172.16.40.142"
+  # '';
+  # ''
+  #   ${pkgs.ffmpeg}/bin/ffmpeg \
+  #   -f lavfi \
+  #   -re \
+  #   -i testsrc2=rate=30:size=1920x1080 \
+  #   -codec:v libx264 \
+  #   -b:v 10240k \
+  #   -maxrate:v 10000k \
+  #   -bufsize:v 10240k \
+  #   -preset ultrafast \
+  #   -r 25 \
+  #   -g 50 \
+  #   -pix_fmt yuv420p \
+  #   -flags2 local_header \
+  #   -f mpegts \
+  #   -transtype live \
+  #   "rtp://239.0.0.1:6000?ttl=4&pkt_size=1326&localddr=172.16.40.142"
+  # '';
+in
+{
+  systemd.user.services.ffmpeg-stream = {
+
+    Unit = {
+      description = "FFmpeg Multicast Service";
+    };
+
+    Service = {
+      ExecStart = "${ffmpegCmd}";
+      Restart = "always";
+      RestartSec = 2;
+      StandardOutput = "journal";
+      StandardError = "journal";
+
+      ### 🔐 Security Hardening Options ###
+      NoNewPrivileges = true;             # Prevents privilege escalation
+      PrivateTmp = true;                  # Isolates service temporary files
+      ProtectSystem = "strict";           # Restricts access to system files
+      ProtectHome = "read-only";          # Readonly access to home directory
+      #ProtectHome = "yes";               # Blocks access to home directory
+      ProtectKernelModules = true;        # Blocks module loading
+      ProtectKernelLogs = true;           # Prevents access to kernel logs
+      ProtectControlGroups = true;        # Restricts cgroup modifications
+      MemoryDenyWriteExecute = true;      # Prevents memory exploits
+      RestrictRealtime = true;            # Blocks real-time priority settings
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; # Restricts network access
+      SystemCallFilter = [ "~@mount" "~@privileged" "~@resources" ]; # Blocks dangerous system calls
+      LockPersonality = true;             # Prevents personality changes (defense against exploits)
+      ReadOnlyPaths = "/etc /usr /home/das/test_audio/";        # Makes important paths read-only
+      #wReadWritePaths = "/var/www/html";   # Only allow writing in this directory
+      ProtectClock = true;                # Blocks modification of system clock
+    };
+
+    Install = {
+      after = [ "network.target" ];
+      WantedBy = [ "default.target" ];
+    };
+  };
+}

hp/hp1/flake.nix

@@ -1,8 +1,10 @@
 {
   description = "HP1 Flake";
 
+  # https://nix.dev/manual/nix/2.24/command-ref/new-cli/nix3-flake.html#flake-inputs
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
     # https://nixos-and-flakes.thiscute.world/nixos-with-flakes/start-using-home-manager
     home-manager = {
       url = "github:nix-community/home-manager/release-24.11";

hp/hp1/home.nix

@@ -7,6 +7,10 @@
   home.username = "das";
   home.homeDirectory = "/home/das";
 
+  imports = [
+    ./ffmpeg_systemd_service.nix
+  ];
+
   # https://nix-community.github.io/home-manager/index.xhtml#ch-installation
   #home-manager.users.das = { pkgs, ... }: {
 
@@ -100,7 +104,7 @@
     graphviz
     #
     #ffmpeg
-    ffmpeg-full
+    #ffmpeg-full
   ];
 
   programs.bash = {
@@ -134,7 +138,7 @@
 
   nixpkgs.config.allowUnfree = true;
 
-  home.stateVersion = "24.05";
   programs.home-manager.enable = true;
+  home.stateVersion = "24.11";
   #};
 }

hp/hp1/not.ffmpeg_service.nix.not

@@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  systemd.user.services.onedrive-UMFC = {
+    Unit = {
+      Description = "start ffmpeg";
+    };
+    Service = {
+      ProtectSystem = "full";
+      ProtectHostname = true;
+      ProtectKernelTunables = true;
+      ProtectControlGroups = true;
+      RestrictRealtime = true;
+      Group = "users";
+      ExecStartPre = "${pkgs.coreutils}/bin/sleep 15";
+      ExecStart= "${pkgs.ffmpeg}/bin/onedrive --monitor --confdir=/home/kazimierzkrauze/.config/onedrive/onedrive-UMFC";
+      Restart = "on-failure";
+      RestartSec = 3;
+      # Do not restart the service if a --resync is required which is done via a 126 exit code
+      RestartPreventExitStatus = 126;
+      # Time to wait for the service to stop gracefully before forcefully terminating it
+      TimeoutStopSec = 90;
+    };
+    Install = {
+      WantedBy = [ "default.target" ];
+    };
+  };
+};

hp/hp1/systemPackages.nix

@@ -25,5 +25,8 @@
     #snmp seems to be needed by lldpd
     net-snmp
     neofetch
+    #
+    ffmpeg-full
+    radeontop  # GPU monitoring tool
   ];
 }

hp/hp5/Makefile

@@ -20,9 +20,19 @@ rebuild:
 	#sudo cp ./*.nix /etc/nixos/
 	#sudo nix-channel --update
 	#sudo nixos-rebuild switch
-	sudo nix flake update;
 	#sudo nix-channel --update;
 	sudo nixos-rebuild switch --flake .
+	sudo systemctl daemon-reexec
+	sudo systemctl restart create-stream-sdp.service
+	sudo systemctl restart create-stream-m3u8.service
+	sudo systemctl restart ffmpeg-hls
+
+
+rebuild_trace:
+	sudo nixos-rebuild switch --show-trace --flake .
+
+update:
+	sudo nix flake update;
 
 sync:
 	rsync -av /home/das/nixos/hp/hp5/ hp5:/home/das/nixos/hp/hp5/