Merge pull request #15 from randomizedcoder/2025_04_17

2025 04 17

Author: randomizedcoder

containers/nginx/flake.nix

@@ -2,7 +2,7 @@
   description = "OpenTechLab Docker Example";
 
   inputs = {
-    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.05;
+    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.11;
   };
 
   outputs = { self, nixpkgs }: {

containers/nginx/old.flake.nix.old

@@ -0,0 +1,68 @@
+{
+  description = "OpenTechLab Docker Example";
+
+  inputs = {
+    nixpkgs.url = github:NixOS/nixpkgs/nixos-24.05;
+  };
+
+  outputs = { self, nixpkgs }: {
+    packages."x86_64-linux" =
+      let
+        pkgs = import nixpkgs { system = "x86_64-linux"; };
+      in
+      rec {
+        dockerImage =
+          pkgs.dockerTools.buildLayeredImage (let
+            nginxPort = "80";
+            nginxConf = pkgs.writeText "nginx.conf" ''
+              user nginx nginx;
+              daemon off;
+              events {}
+              http {
+                server {
+                  listen ${nginxPort};
+                  location / {
+                    root ${./html};
+                  }
+                }
+              }
+            '';
+
+          in rec {
+            name = "otl-nix-demo";
+            tag = "latest";
+
+            contents = with pkgs; [
+              # Set up users and groups
+              (writeTextDir "etc/shadow" ''
+                root:!x:::::::
+                nginx:!:::::::
+              '')
+              (writeTextDir "etc/passwd" ''
+                root:x:0:0::/root:${runtimeShell}
+                nginx:x:999:999::/home/nginx:
+              '')
+              (writeTextDir "etc/group" ''
+                root:x:0:
+                nginx:x:999:
+              '')
+              (writeTextDir "etc/gshadow" ''
+                root:x::
+                nginx:x::
+              '')
+
+              # Workaround: create directories required by nginx
+              (writeTextDir "var/cache/nginx/.placeholder" "")
+              (writeTextDir "var/log/nginx/.placeholder" "")
+            ];
+
+            config = {
+              Cmd = [ "${pkgs.nginx}/bin/nginx" "-c" nginxConf ];
+              ExposedPorts = {
+                "${nginxPort}/tcp" = { };
+              };
+            };
+          };
+      };
+  };
+}

go/konnect/flake.nix

@@ -0,0 +1,15 @@
+{
+  description = "A very basic flake";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+  };
+
+  outputs = { self, nixpkgs }: {
+
+    packages.x86_64-linux.hello = nixpkgs.legacyPackages.x86_64-linux.hello;
+
+    packages.x86_64-linux.default = self.packages.x86_64-linux.hello;
+
+  };
+}

go/konnect/readme.md

@@ -20,9 +20,15 @@ rebuild:
 	#sudo cp ./*.nix /etc/nixos/
 	#sudo nix-channel --update
 	#sudo nixos-rebuild switch
-	sudo nix flake update;
 	#sudo nix-channel --update;
 	sudo nixos-rebuild switch --flake .
+	sudo systemctl restart ffmpeg-stream
+
+rebuild_trace:
+	sudo nixos-rebuild switch --show-trace --flake .
+
+update:
+	sudo nix flake update;
 
 sync:
 	rsync -av /home/das/nixos/hp/hp1/ hp1:/home/das/nixos/hp/hp1/

hp/hp1/Makefile

@@ -33,6 +33,7 @@
       #./k3s_node.nix
       ./systemd.services.ethtool-enp3s0f0.nix
       ./systemd.services.ethtool-enp3s0f1.nix
+      ./ffmpeg_systemd_service.nix
     ];
 
 # https://nixos.wiki/wiki/Kubernetes#reset_to_a_clean_state
@@ -41,17 +42,22 @@
 # rm -rf /var/lib/kubernetes/ /var/lib/etcd/ /var/lib/cfssl/ /var/lib/kubelet/ /etc/kube-flannel/ /etc/kubernetes/
 
   # Bootloader.
-  boot.loader.systemd-boot = {
-    enable = true;
-    #consoleMode = "max"; # Sets the console mode to the highest resolution supported by the firmware.
-    memtest86.enable = true;
-  };
+  boot = {
+    loader.systemd-boot = {
+      enable = true;
+      #consoleMode = "max"; # Sets the console mode to the highest resolution supported by the firmware.
+      memtest86.enable = true;
+    };
 
-  boot.loader.efi.canTouchEfiVariables = true;
+    loader.efi.canTouchEfiVariables = true;
 
-  # https://nixos.wiki/wiki/Linux_kernel
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  #boot.kernelPackages = pkgs.linuxPackages_rpi4
+    # https://nixos.wiki/wiki/AMD_GPU
+    initrd.kernelModules = [ "amdgpu" ];
+
+    # https://nixos.wiki/wiki/Linux_kernel
+    kernelPackages = pkgs.linuxPackages_latest;
+    #boot.kernelPackages = pkgs.linuxPackages_rpi4
+  };
 
   nix = {
     gc = {
@@ -67,6 +73,20 @@
     };
   };
 
+  # find /run/opengl-driver -name "libamfrt64.so.1"
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      amdvlk  # AMD Vulkan driver, includes AMF runtime
+      #rocm-opencl-runtime  # Optional: ROCm OpenCL support
+      #rocm-smi  # AMD System Management Interface (for monitoring GPU)
+      # https://nixos.wiki/wiki/AMD_GPU#OpenCL
+      rocmPackages.clr.icd
+    ];
+  };
+
+  services.xserver.videoDrivers = [ "amdgpu" ];
+
   # https://nixos.wiki/wiki/Networking
   # https://nlewo.github.io/nixos-manual-sphinx/configuration/ipv4-config.xml.html
   networking.hostName = "hp1";
@@ -95,7 +115,7 @@
   users.users.das = {
     isNormalUser = true;
     description = "das";
-    extraGroups = [ "wheel" "libvirtd" "docker" "kubernetes" ];
+    extraGroups = [ "wheel" "libvirtd" "docker" "kubernetes" "video" ];
     packages = with pkgs; [
     ];
     # https://nixos.wiki/wiki/SSH_public_key_authentication
@@ -122,6 +142,9 @@
 
   services.fstrim.enable = true;
 
+  # AMD GPU power management
+  #services.udev.packages = with pkgs; [ rocm-smi ];
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hp/hp1/configuration.nix

@@ -0,0 +1,172 @@
+#
+# nixos/hp/hp1/ffmpeg_systemd_service.nix
+#
+# systemctl --user restart ffmpeg-stream
+# systemctl --user status ffmpeg-stream
+#
+# [das@hp1:~/nixos/hp/hp1]$ systemctl --user restart ffmpeg-stream
+
+# [das@hp1:~/nixos/hp/hp1]$ systemctl --user status ffmpeg-stream
+# ● ffmpeg-stream.service
+#      Loaded: loaded (/home/das/.config/systemd/user/ffmpeg-stream.service; enabled; preset: ignored)
+#      Active: active (running) since Sun 2025-02-02 15:16:54 PST; 3min 41s ago
+#  Invocation: ac9c5b7820cd40fe85f95d610a184c46
+#    Main PID: 394915 (ffmpeg)
+#       Tasks: 37 (limit: 37129)
+#      Memory: 230.4M (peak: 230.9M)
+#         CPU: 2min 13.669s
+#      CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/ffmpeg-stream.service
+#              └─394915 /nix/store/hk1a30i7a4nhc16sc407z0fi1yxgfgjp-ffmpeg-7.1-bin/bin/ffmpeg -f lavfi -re -i testsrc2=rate=30:size=1920x1080 -codec:v libx264 -b:v 10240k -maxrate:v 10000k -bu>
+
+# [das@hp1:~/nixos/hp/hp1]$ journalctl --user -u ffmpeg-stream -f
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: [libx264 @ 0x352394c0] using cpu capabilities: MMX2 SSE2Fast SSSE3 SSE4.2 AVX FMA3 BMI2 AVX2
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: [libx264 @ 0x352394c0] profile Constrained Baseline, level 4.0, 4:2:0, 8-bit
+# Feb 02 15:16:54 hp1 ffmpeg[394915]: Output #0, mpegts, to 'udp://239.0.0.1:6000?ttl=4&pkt_size=1326&localddr=172.16.40.142':
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:   Metadata:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:     encoder         : Lavf61.7.100
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:   Stream #0:0: Video: h264, yuv420p(tv, progressive), 1920x1080 [SAR 1:1 DAR 16:9], q=2-31, 10240 kb/s, 25 fps, 90k tbn
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:       Metadata:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:         encoder         : Lavc61.19.100 libx264
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:       Side data:
+# Feb 02 15:16:54 hp1 ffmpeg[394915]:         cpb: bitrate max/min/avg: 10000000/0/10240000 buffer size: 10240000 vbv_delay: N/A
+
+# [das@hp1:~/nixos/hp/hp1]$ sudo tcpdump -ni eno1 -c 5 host 239.0.0.1
+# tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+# listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+# 15:21:39.577834 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577866 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577885 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577907 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 15:21:39.577927 IP 172.16.40.142.4032 > 239.0.0.1.6000: UDP, length 1326
+# 5 packets captured
+# 35 packets received by filter
+# 0 packets dropped by kernel
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+# ${pkgs.ffmpeg}/bin/ffmpeg \
+# ${home.packages.ffmpeg-full}/bin/ffmpeg \
+# ffmpeg -f lavfi -i "sine=frequency=1000:duration=10" -c:a aac -b:a 128k /home/das/test_audio.aac
+let
+  ffmpegCmd =
+  ''
+    ${pkgs.ffmpeg-full}/bin/ffmpeg -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+      -f lavfi -i "sine=frequency=1000" \
+      -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+      -x264-params "nal-hrd=cbr:force-cfr=1:aud=1:intra-refresh=1" \
+      -tune zerolatency \
+      -bsf:v h264_mp4toannexb \
+      -c:a aac -b:a 128k -ac 2 \
+      -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+      -f rtp_mpegts "rtp://239.0.0.2:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  '';
+  # Ensures SPS/PPS is sent in every keyframe (prevents decoder from losing parameter sets).
+  # Forces constant frame rate (force-cfr=1), improving stream stability.
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #     -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #     -f lavfi -i "sine=frequency=1000" \
+  #     -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+  #     -c:a aac -b:a 128k -ac 2 \
+  #     -x264opts "keyint=50:min-keyint=50:no-scenecut" \
+  #     -bsf:v h264_mp4toannexb \
+  #     -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #     -f rtp_mpegts "rtp://239.0.0.1:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  # '';
+  #-x264opts "keyint=50:min-keyint=50:no-scenecut" ensures regular keyframes.
+  #-bsf:v h264_mp4toannexb converts H.264 to Annex B format, which is better for streaming.
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #     -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #     -f lavfi -i "sine=frequency=1000" \
+  #     -c:v libx264 -b:v 10000k -preset ultrafast -r 25 \
+  #     -c:a aac -b:a 128k -ac 2 \
+  #     -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #     -f rtp_mpegts \
+  #     "rtp://239.0.0.1:6000?pkt_size=1326&ttl=4&localaddr=172.16.40.142"
+  # '';
+
+  # ''
+  #   ${pkgs.ffmpeg-full}/bin/ffmpeg \
+  #   -f lavfi -re -i testsrc2=rate=30:size=1920x1080 \
+  #   -re -i /home/das/test_audio/test_audio.aac \
+  #   -c:v libx264 -b:v 10240k -maxrate:v 10000k -bufsize:v 10240k -preset ultrafast -r 25 -g 50 -pix_fmt yuv420p -flags2 local_header \
+  #   -c:a aac -b:a 128k -ac 2 \
+  #   -max_delay 500000 -bufsize 2000000 -fflags +genpts \
+  #   -f rtp_mpegts \
+  #   "rtp://239.0.0.1:6000?ttl=4&pkt_size=1326&localaddr=172.16.40.142"
+  # '';
+  # ''
+  #   ${pkgs.ffmpeg}/bin/ffmpeg \
+  #   -f lavfi \
+  #   -re \
+  #   -i testsrc2=rate=30:size=1920x1080 \
+  #   -codec:v libx264 \
+  #   -b:v 10240k \
+  #   -maxrate:v 10000k \
+  #   -bufsize:v 10240k \
+  #   -preset ultrafast \
+  #   -r 25 \
+  #   -g 50 \
+  #   -pix_fmt yuv420p \
+  #   -flags2 local_header \
+  #   -f mpegts \
+  #   -transtype live \
+  #   "rtp://239.0.0.1:6000?ttl=4&pkt_size=1326&localddr=172.16.40.142"
+  # '';
+in
+{
+  # sudo systemctl status ffmpeg-stream.service
+  # sudo journalctl -u ffmpeg-stream.service
+  # cat /etc/systemd/system/ffmpeg-stream.service
+  systemd.services.ffmpeg-stream = {
+
+    description = "FFmpeg Multicast Service";
+    after = [ "network.target" ];
+
+    serviceConfig = {
+      ExecStart = "${ffmpegCmd}";
+      Restart = "always";
+      RestartSec = 10;
+      StandardOutput = "journal";
+      StandardError = "journal";
+
+      # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Scheduling
+      Nice = "-20";
+      #CPUSchedulingPriority = "99";
+
+      ### 🔐 Security Hardening Options ###
+      NoNewPrivileges = true;             # Prevents privilege escalation
+      PrivateTmp = true;                  # Isolates service temporary files
+      ProtectSystem = "full";           # Restricts access to system files
+      #ProtectSystem = "strict";           # Restricts access to system files
+      #ProtectHome = "read-only";          # Readonly access to home directory
+      ProtectHome = "yes";               # Blocks access to home directory
+      ProtectKernelModules = true;        # Blocks module loading
+      ProtectKernelLogs = true;           # Prevents access to kernel logs
+      ProtectControlGroups = true;        # Restricts cgroup modifications
+      MemoryDenyWriteExecute = true;      # Prevents memory exploits
+      RestrictRealtime = true;            # Blocks real-time priority settings
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; # Restricts network access
+      SystemCallFilter = [ "~@mount" "~@privileged" "~@resources" ]; # Blocks dangerous system calls
+      LockPersonality = true;             # Prevents personality changes (defense against exploits)
+      ReadOnlyPaths = "/usr";        # Makes important paths read-only
+      #ReadOnlyPaths = "/etc /usr /home/das/test_audio/";        # Makes important paths read-only
+      #wReadWritePaths = "/var/www/html";   # Only allow writing in this directory
+      ProtectClock = true;                # Blocks modification of system clock
+    };
+
+  # # systemctl list-units --type target
+  #   Install = {
+  #     after = [ "network.target" ];
+  #     #WantedBy = [ "default.target" ];
+  #   };
+  };
+}

hp/hp1/ffmpeg_systemd_service.nix

@@ -1,8 +1,10 @@
 {
   description = "HP1 Flake";
 
+  # https://nix.dev/manual/nix/2.24/command-ref/new-cli/nix3-flake.html#flake-inputs
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
     # https://nixos-and-flakes.thiscute.world/nixos-with-flakes/start-using-home-manager
     home-manager = {
       url = "github:nix-community/home-manager/release-24.11";