gpu-screen-recorder: Add program module for creating setcap wrappers

Co-authored-by: oddlama <oddlama@oddlama.org>
Co-authored-by: ash <ash@sorrel.sh>

nixos/modules/module-list.nix

@@ -204,6 +204,7 @@
   ./programs/goldwarden.nix
   ./programs/gpaste.nix
   ./programs/gphoto2.nix
+  ./programs/gpu-screen-recorder.nix
   ./programs/haguichi.nix
   ./programs/hamster.nix
   ./programs/htop.nix

nixos/modules/programs/gpu-screen-recorder.nix

@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.programs.gpu-screen-recorder;
+  package = cfg.package.override {
+    inherit (config.security) wrapperDir;
+  };
+in {
+  options = {
+    programs.gpu-screen-recorder = {
+      package = lib.mkPackageOption pkgs "gpu-screen-recorder" {};
+
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = ''
+          Whether to install gpu-screen-recorder and generate setcap
+          wrappers for promptless recording.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.wrappers."gsr-kms-server" = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_sys_admin+ep";
+      source = "${package}/bin/gsr-kms-server";
+    };
+    security.wrappers."gpu-screen-recorder" = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_sys_nice+ep";
+      source = "${package}/bin/gpu-screen-recorder";
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ timschumi ];
+}

pkgs/applications/video/gpu-screen-recorder/default.nix

@@ -16,6 +16,7 @@
 , libXi
 , libXrandr
 , libXfixes
+, wrapperDir ? "/run/wrappers/bin"
 }:
 
 stdenv.mkDerivation {
@@ -57,7 +58,7 @@ stdenv.mkDerivation {
   mesonFlags = [
     "-Dsystemd=true"
 
-    # FIXME: Capabilities can not be set if not running the build with root permissions.
+    # Capabilities are handled by security.wrappers if possible.
     "-Dcapabilities=false"
   ];
 
@@ -66,6 +67,7 @@ stdenv.mkDerivation {
     mv $out/bin/gpu-screen-recorder $out/bin/.wrapped/
     makeWrapper "$out/bin/.wrapped/gpu-screen-recorder" "$out/bin/gpu-screen-recorder" \
     --prefix LD_LIBRARY_PATH : ${libglvnd}/lib \
+    --prefix PATH : ${wrapperDir} \
     --suffix PATH : $out/bin
   '';
 

pkgs/applications/video/gpu-screen-recorder/gpu-screen-recorder-gtk.nix

@@ -9,6 +9,7 @@
 , gpu-screen-recorder
 , libglvnd
 , wrapGAppsHook3
+, wrapperDir ? "/run/wrappers/bin"
 }:
 
 stdenv.mkDerivation {
@@ -37,11 +38,16 @@ stdenv.mkDerivation {
     ./build.sh
   '';
 
-  installPhase = ''
+  installPhase = let
+    gpu-screen-recorder-wrapped = gpu-screen-recorder.override {
+      inherit wrapperDir;
+    };
+  in ''
     install -Dt $out/bin/ gpu-screen-recorder-gtk
     install -Dt $out/share/applications/ gpu-screen-recorder-gtk.desktop
 
-    gappsWrapperArgs+=(--prefix PATH : ${lib.makeBinPath [ gpu-screen-recorder ]})
+    gappsWrapperArgs+=(--prefix PATH : ${wrapperDir})
+    gappsWrapperArgs+=(--suffix PATH : ${lib.makeBinPath [ gpu-screen-recorder-wrapped ]})
     # we also append /run/opengl-driver/lib as it otherwise fails to find libcuda.
     gappsWrapperArgs+=(--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libglvnd ]}:/run/opengl-driver/lib)
   '';