From 969b77a3a8268e66b15516ac2a0cea7d3031e521 Mon Sep 17 00:00:00 2001
From: Steffen Illium
Date: Mon, 21 Apr 2025 15:18:14 +0200
Subject: [PATCH] hw accell and device mapper container for dev/dri usage in swarm
---
configuration.nix | 12 +++++++++---
docker-device-mapper.nix | 32 ++++++++++++++++++++++++++++++++
docker.nix | 3 +++
hwaccel.nix | 27 +++++++++++++++++++++++++++
users.nix | 2 +-
5 files changed, 72 insertions(+), 4 deletions(-)
create mode 100644 docker-device-mapper.nix
create mode 100644 hwaccel.nix
diff --git a/configuration.nix b/configuration.nix
index 5c5c7ae..e56dbdf 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -8,19 +8,25 @@ imports = [ # Include the results of the hardware scan... ./hardware-configuration.nix + # ...and additional configurations... ./var_reg.nix ./vars.nix + + # System ./users.nix ./program-homemanager.nix ./ssh.nix - ./docker.nix - ./keepalived.nix + # Hardware ./nfs-mount.nix + ./hwaccel.nix + # Services + ./keepalived.nix ./wireguard.nix - + ./docker.nix + ./docker-device-mapper.nix ]; # Use the systemd-boot EFI boot loader and enable that sweet zfs stuff.
diff --git a/docker-device-mapper.nix b/docker-device-mapper.nix
new file mode 100644
index 0000000..bff93fd
--- /dev/null
+++ b/docker-device-mapper.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers = {
+ # Specify Docker as the backend engine
+ backend = "docker";
+
+ # Define your containers
+ containers = {
+ device-manager = {
+ image = "ndouba/device-mapping-manager";
+
+ # Equivalent to --restart always
+ autoStart = true;
+
+ privileged = true;
+ volumes = [
+ "/sys:/host/sys"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+
+ # Use extraOptions for flags not directly mapped to NixOS options
+ extraOptions = [
+ "--pid=host" # --pid=host
+ "--cgroupns=host" # --cgroupns=host
+ "--userns=host" # --userns=host
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
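Review bot: `image = "ndouba/device-mapping-manager";` pulls a third-party image by floating tag while the same container gets `privileged = true`, `--pid=host`, `--cgroupns=host`, `--userns=host`, `/sys` and the Docker socket, so whatever that tag resolves to when the image is (re)pulled has unrestricted control of the host and of every swarm workload on it. Pin the reference to a digest, `image = "ndouba/device-mapping-manager@sha256:<IMAGE_DIGEST>";` (digest taken from the image you verified), and put a comment above the container stating that it is host-root-equivalent so the privilege set is re-reviewed on every bump. The trailing `# --pid=host` style comments only repeat the flag; one comment saying what the manager needs the host namespaces and the socket for would be more useful. `virtualisation.docker.enable = true;` duplicates the setting in docker.nix and can be dropped here to keep the daemon configuration in one file.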
diff --git a/docker.nix b/docker.nix
index 3dc63d0..3002dc5 100644
--- a/docker.nix
+++ b/docker.nix
@@ -5,6 +5,9 @@
 enable = true;
 dates = "daily";
 };
+ daemon.settings = {
+ data-root = "/data/docker";
+ };
 liveRestore = false;
 package = pkgs.docker_27;
 };
diff --git a/hwaccel.nix b/hwaccel.nix
new file mode 100644
index 0000000..a972af2
--- /dev/null
+++ b/hwaccel.nix
@@ -0,0 +1,27 @@
+{ pkgs, lib,config, ... }:
+{
+ # 1. enable vaapi on OS-level
+ nixpkgs.config.packageOverrides = pkgs: {
+ # Only set this if using intel-vaapi-driver
+ intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+ };
+ systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; # Or "i965" if using older driver
+ environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # Same here
+ hardware.graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
+ # intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
+ libva-vdpau-driver # Previously vaapiVdpau
+ intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in
+ intel-gpu-tools # Provides 'intel_gpu_top'
+ vpl-gpu-rt # QSV on 11th gen or newer
+ # intel-media-sdk # QSV up to 11th gen
+ intel-ocl # OpenCL support
+
+ # OpenCL support for intel CPUs before 12th gen
+ # see: https://github.com/NixOS/nixpkgs/issues/356535
+ # intel-compute-runtime-legacy1
+ ];
+ };
+}
\ No newline at end of file
diff --git a/users.nix b/users.nix
index 461cb6a..a0cf542 100644
--- a/users.nix
+++ b/users.nix
@@ -12,7 +12,7 @@
 };
 users.users.${config.vars.username} = {
 isNormalUser = true;
- extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ and allow 'Docker' for the user.
 openssh.authorizedKeys.keyFiles = [
 (builtins.toPath "/etc/nixos/ssh/auth_keys_${config.vars.username}")
 ];
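Review bot: `data-root = "/data/docker";` relocates the daemon's state directory without saying what `/data` is; if it is a separate mount or ZFS dataset (configuration.nix mentions zfs), the daemon can start before it is mounted and quietly populate an empty directory on the root filesystem, so the unit should be ordered after it, e.g. `systemd.services.docker.unitConfig.RequiresMountsFor = "/data/docker";`. Nothing under /var/lib/docker is migrated by this change, which a comment should state: `# Docker state lives on /data; existing /var/lib/docker content is not migrated`. The enclosing `virtualisation.docker` attribute set starts outside the hunk.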
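Review bot: The `nixpkgs.config.packageOverrides` override of `intel-vaapi-driver` has no effect on this configuration: its own comment says it only matters when using intel-vaapi-driver, but that package is commented out of `extraPackages` and both `LIBVA_DRIVER_NAME` settings select `iHD`, the intel-media-driver backend, so either drop the override block or uncomment the driver it targets. `systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME` configures a jellyfin unit that nothing in this file enables; if Jellyfin runs as a swarm container on this host the line is dead config and the variable has to reach the container some other way, which the comment should say. In the argument pattern `lib` and `config` are unused and `lib,config` is missing a space after the comma; `{ pkgs, ... }:` is enough. The `intel-compute-runtime` comment has an unclosed parenthesis.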
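Review bot: Membership in the `docker` group gives the user control of the Docker socket, which on this host is root-equivalent (docker-device-mapper.nix runs a privileged container with host namespaces through that same socket), so the comment should say so instead of "allow 'Docker'": `extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’; docker group membership is root-equivalent on this host.` Since the user already has `wheel`, no new privilege is granted, but daemon operations now bypass the sudo log, which is worth stating next to the line. The enclosing `users.users` attribute set starts outside the hunk.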