From f4c89c2adfb19e220504694a10ab3891065e9e4c Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 17 Sep 2024 10:13:07 +0200
Subject: [PATCH 1/2] feat(gui): add support for Intel media driver and Wayland tweaks
Enabled Intel media driver support and set environment variables for better compatibility with Wayland. Also updated MPV configuration for hardware decoding and GPU settings.
---
 modules/nixos/services/gui/default.nix | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/modules/nixos/services/gui/default.nix b/modules/nixos/services/gui/default.nix
index db1b734..44b3039 100644
--- a/modules/nixos/services/gui/default.nix
+++ b/modules/nixos/services/gui/default.nix
@@ -59,12 +59,26 @@ in
 sound.enable = true;
 hardware.pulseaudio.enable = false;
 hardware.opengl = {
- enable = true;
- extraPackages = with pkgs; [
- onevpl-intel-gpu
- intel-compute-runtime
- ];
+ enable = true;
+ extraPackages = with pkgs; [
+ onevpl-intel-gpu
+ intel-compute-runtime
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ #intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ libvdpau-va-gl
+ ];
 };
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "iHD";
+ NIXOS_OZONE_WL = "1";
+ }; # Force intel-media-driver
+
+ metacfg.home.configFile."mpv/mpv.conf".text = ''
+ hwdec=auto-safe
+ vo=gpu
+ profile=gpu-hq
+ gpu-context=wayland
+ '';
 security.rtkit.enable = true;
@@ -123,8 +137,6 @@ in
 zellij
 ];
- environment.sessionVariables.NIXOS_OZONE_WL = "1";
-
 #----=[ Fonts ]=----#
 fonts = {
 enableDefaultPackages = false;
From c894294ce3e79d7f5b0730da42d62d8a3b3123aa Mon Sep 17 00:00:00 2001
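Review bot: `LIBVA_DRIVER_NAME = "iHD"` and `gpu-context=wayland` are set unconditionally in what looks like a shared GUI module, so a host that imports it without a matching Intel GPU or without a Wayland session gets a VA-API driver name and an mpv context that do not fit; the hunk's own comment already notes that the i965 driver works better for some browsers. If `lib` is in scope in this module, `LIBVA_DRIVER_NAME = lib.mkDefault "iHD";` would let individual hosts override the value. The trailing `# Force intel-media-driver` comment sits after the closing `};` and would read better on the `LIBVA_DRIVER_NAME` line it explains. The enclosing module body starts and ends outside the hunk.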
From: Harald Hoyer
Date: Tue, 17 Sep 2024 10:14:33 +0200
Subject: [PATCH 2/2] feat(coturn): introduce coturn configuration
Add coturn service definition for x86_64-linux systems with static-auth-secret and additional settings for Nextcloud integration. Includes secrets management via `sops` and secure TLS configurations.
---
 .secrets/hetzner/coturn.yaml | 30 ++++++++++++++++++++++++++++++
 systems/x86_64-linux/mx/coturn.nix | 29 +++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 .secrets/hetzner/coturn.yaml
 create mode 100644 systems/x86_64-linux/mx/coturn.nix
diff --git a/.secrets/hetzner/coturn.yaml b/.secrets/hetzner/coturn.yaml
new file mode 100644
index 0000000..fe1f40e
--- /dev/null
+++ b/.secrets/hetzner/coturn.yaml
@@ -0,0 +1,30 @@
+static-auth-secret: ENC[AES256_GCM,data:8OM/rPPXZ/2y5JXZ9wIFkT8x1Wy8BG247mvieQXnsxACM6/FX+XLj7XWwvrekD6hwhJDO5fbb8n7dHDz9tefOw==,iv:sBq9m0F3ekeR8iWVF5ejV0oref2uzpWL/k3fG7b5cDM=,tag:81tZ0BXFbLLioTv7xNXpfw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaDFlMEYxM1B0QTBCblkv
+ dnlxR1pXZDZOamZhbXp4cW9QelFUNDY0alZ3CmJtZmU2YVpzMFh6eXhQWngwQXlz
+ VW5IK3B1MnBZWjR2cmZGRjByNmVOSnMKLS0tIFBpMUZIcDFJbU5DYzZKdzlyVmgy
+ c285MmZINC9TOFdEcWpjaEFnWnhuMnMKniLkzEuEBOcrGVVk3z93VtAzYKkud5nB
+ lhNhqW7KbvXC05u20yPtYpD8z6pH4iulPG+yyvhahWBmc7gdgTZKdQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNHYrVlJqeXVqQ0kzajlk
+ RmZ4SzRWOTlaUlpSV1dnM1VSQ25XTk1ydW5zCkgwcVhvVGhsdW5UNHdBVkkxQkdv
+ bXJVZjRSTzY5MjhoeXMzYlZqb1IrUGcKLS0tIHV6Y1AyV1hKZGdRZENEMlNlTlYw
+ WHRNMTY0WGVVWG1icFdqYVp1b2ZkR00KM5C2+YE99mWkIwaCLuGrdyymT7ujaxv4
+ MBU2TP2gYsN6bzt+LvyRC2OiOQcJ/2HgGimwK4FB5Y7L+uWiQIMpKA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-17T08:12:27Z"
+ mac: ENC[AES256_GCM,data:0IJtpdrvaRXGrrZdu3FZGdq3hBBTFm/bAhyhtB8x1003LMDMpI5upX8vpHb5mRDyPKgfKJsQFpf8UpXZt8ctBlpWk2j69FGnVE2ut81Dcfm41YfsMgQIwTQPxpGGERdDg+QG1/CHTmKGx6tiCwA+xTo/BeEBbNK6wJYbyewXPYE=,iv:q7EXYloQVJpfdeExgKzhhFldbw6QrIppR/l1woBaB2E=,tag:rFvwDtw9/yhsT1QMEnAsMg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/x86_64-linux/mx/coturn.nix b/systems/x86_64-linux/mx/coturn.nix
new file mode 100644
index 0000000..9136f71
--- /dev/null
+++ b/systems/x86_64-linux/mx/coturn.nix
@@ -0,0 +1,29 @@
+{ pkgs, lib, config, ... }:
+{
+ sops.secrets."coturn/static-auth-secret" = {
+ sopsFile = ../../../.secrets/hetzner/coturn.yaml; # bring your own password file
+ };
+
+ coturn = {
+ enable = true;
+ realm = config.services.nextcloud.hostname;
+ static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
+ use-auth-secret = true;
+ lt-cred-mech = true;
+ cert = "/var/lib/acme/hoyer.xyz/fullchain.pem";
+ pkey = "/var/lib/acme/hoyer.xyz/key.pem";
+ extraConfig = ''
+ fingerprint
+ total-quota=100
+ bps-capacity=0
+ stale-nonce=600
+ cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
+ no-loopback-peers
+ no-multicast-peers
+ no-tlsv1
+ no-tlsv1_1
+ no-stdout-log
+ syslog
+ '';
+ };
+}
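Review bot: The `extraConfig` block excludes loopback and multicast peers but sets no `denied-peer-ip` ranges, so a client holding valid TURN credentials could still have the relay reach private or link-local addresses behind this host. Adding `denied-peer-ip=10.0.0.0-10.255.255.255`, `denied-peer-ip=172.16.0.0-172.31.255.255` and `denied-peer-ip=192.168.0.0-192.168.255.255`, plus the link-local and IPv6 unique-local ranges, would close that path. The secret is declared as `"coturn/static-auth-secret"` while the YAML file added in this patch stores it under the top-level key `static-auth-secret`. sops-nix resolves a slash-separated name as a nested path by default, so the declaration probably needs `key = "static-auth-secret";`, and an `owner` matching the coturn service user if the file is read without root. The block is written as top-level `coturn = {` and reads `config.services.nextcloud.hostname`, whereas the upstream NixOS options are `services.coturn` and `services.nextcloud.hostName`, so unless this repository wraps them the module would likely fail to evaluate.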