From 0a9d28abdb196fa467341642eb0adbbced26d819 Mon Sep 17 00:00:00 2001 From: Henry-Hiles Date: Mon, 14 Apr 2025 14:32:54 -0400 Subject: [PATCH] Fix tmpfiles --- clients/quadraticserver/forgejo.nix | 4 +- modules/common/livekit.nix | 97 +--------------- modules/common/services/livekit.nix | 122 +++++++++++++++++++++ modules/common/services/lk-jwt-service.nix | 1 + modules/desktop/firefox/default.nix | 2 +- modules/desktop/qmk.nix | 8 +- modules/desktop/vscodium.nix | 8 +- secrets/livekitKeys.age | 11 ++ 8 files changed, 146 insertions(+), 107 deletions(-) create mode 100644 modules/common/services/livekit.nix create mode 100644 modules/common/services/lk-jwt-service.nix create mode 100644 secrets/livekitKeys.age diff --git a/clients/quadraticserver/forgejo.nix b/clients/quadraticserver/forgejo.nix index 6b79469..9bf1d34 100644 --- a/clients/quadraticserver/forgejo.nix +++ b/clients/quadraticserver/forgejo.nix @@ -39,9 +39,7 @@ name = "monolith"; url = "https://git.henryhiles.com"; tokenFile = config.age.secrets."runnerToken.age".path; - labels = [ - "native:host" - ]; + labels = ["native:host"]; }; }; diff --git a/modules/common/livekit.nix b/modules/common/livekit.nix index d7a4e38..e3aa49e 100644 --- a/modules/common/livekit.nix +++ b/modules/common/livekit.nix 
@@ -1,95 +1,6 @@ -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.services.livekit; -in { - services.livekit.enable = true; - meta.maintainers = with lib.maintainers; [quadradical]; - options.services.livekit = { - package = lib.mkPackageOption pkgs "livekit" {}; - - keyFile = lib.mkOption { - type = lib.types.path; - description = "LiveKit key file"; - }; - - useExternalIP = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - When set to true, attempts to discover the host's public IP via STUN. - This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one - ''; - }; - - port = lib.mkOption { - type = lib.types.port; - default = 7880; - description = "Main TCP port for RoomService and RTC endpoint."; - }; - - rtc = { - portRangeStart = lib.mkOption { - type = lib.types.int; - default = 50000; - description = "Start of UDP port range for WebRTC"; - }; - - portRangeEnd = lib.mkOption { - type = lib.types.int; - default = 51000; - description = "End of UDP port range for WebRTC"; - }; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.livekit = { - description = "LiveKit SFU server"; - documentation = ["https://docs.livekit.io"]; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target"]; - after = ["network-online.target"]; - - serviceConfig = { - DynamicUser = true; - User = "livekit"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateUsers = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - ExecStart = "${cfg.package}/bin/livekit-server 
--config=${lib.generators.toJSON { - port = cfg.port; - rtc = { - port_range_start = cfg.rtc.portRangeStart; - port_range_end = cfg.rtc.portRangeEnd; - use_external_ip = cfg.useExternalIP; - }; - }} --key-file=${cfg.keyFile}"; - Restart = "on-failure"; - RestartSec = 5; - }; - }; +{config, ...}: { + services.livekit = { + enable = true; + keyFile = config.age.secrets."livekitKeys.age".path; }; } diff --git a/modules/common/services/livekit.nix b/modules/common/services/livekit.nix new file mode 100644 index 0000000..7a1a9f3 --- /dev/null +++ b/modules/common/services/livekit.nix 
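Review bot: The new module sets `keyFile = config.age.secrets."livekitKeys.age".path`, but nothing in this patch declares `age.secrets."livekitKeys.age"` or imports the new `modules/common/services/livekit.nix` that defines `services.livekit.keyFile`; unless the secrets and services directories are wired up automatically elsewhere in the flake, this evaluates to an undefined option and a missing attribute. Since the service module consumes the file through `EnvironmentFile`, which systemd reads before switching to the dynamic user, the agenix default of a root-owned mode 0400 file is sufficient and no `owner`/`mode` override is needed; that is worth recording here, e.g. `# consumed via EnvironmentFile, so the default root:root 0400 secret works with DynamicUser`.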
@@ -0,0 +1,122 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.services.livekit; +in { + meta.maintainers = with lib.maintainers; [quadradical]; + options.services.livekit = { + enable = lib.mkEnableOption "Livekit SFU"; + package = lib.mkPackageOption pkgs "livekit" {}; + + keyFile = lib.mkOption { + type = lib.types.path; + description = "LiveKit key file, with syntax `LIVEKIT_KEYS=\"key: secret\"`;"; + }; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Opens ports 50000 to 51000 on the firewall."; + }; + + useExternalIP = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + When set to true, attempts to discover the host's public IP via STUN. + This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one + ''; + }; + + port = lib.mkOption { + type = lib.types.port; + default = 7880; + description = "Main TCP port for RoomService and RTC endpoint."; + }; + + rtc = { + portRangeStart = lib.mkOption { + type = lib.types.int; + default = 50000; + description = "Start of UDP port range for WebRTC"; + }; + + portRangeEnd = lib.mkOption { + type = lib.types.int; + default = 51000; + description = "End of UDP port range for WebRTC"; + }; + }; + }; + + config = lib.mkIf cfg.enable { + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [ + cfg.port + ]; + allowedUDPPortRanges = [ + { + from = cfg.rtc.port_range_start; + to = cfg.rtc.port_range_end; + } + ]; + }; + + systemd.services.livekit = { + description = "LiveKit SFU server"; + documentation = ["https://docs.livekit.io"]; + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = ["network-online.target"]; + + serviceConfig = { + EnvironmentFile = cfg.keyFile; + DynamicUser = true; + User = "livekit"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = 
true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + ProtectHome = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + ExecStart = "${cfg.package}/bin/livekit-server --config-body=${builtins.toJSON (builtins.toJSON { + port = cfg.port; + rtc = { + port_range_start = cfg.rtc.portRangeStart; + port_range_end = cfg.rtc.portRangeEnd; + use_external_ip = cfg.useExternalIP; + }; + })}"; + Restart = "on-failure"; + RestartSec = 5; + UMask = "077"; + }; + }; + }; +} diff --git a/modules/common/services/lk-jwt-service.nix b/modules/common/services/lk-jwt-service.nix new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/modules/common/services/lk-jwt-service.nix @@ -0,0 +1 @@ +{} diff --git a/modules/desktop/firefox/default.nix b/modules/desktop/firefox/default.nix index 8790190..080a9ae 100644 --- a/modules/desktop/firefox/default.nix +++ b/modules/desktop/firefox/default.nix @@ -31,7 +31,7 @@ systemd.tmpfiles.settings.firefox = { # "/home/quadradical/.mozilla/firefox/quadradical"."d".user = "quadradical"; - "/home/quadradical/.mozilla/firefox/profiles.ini"."f+".argument = builtins.toJSON (lib.generators.toINI {} { + "/home/quadradical/.mozilla/firefox/profiles.ini"."L+".argument = toString ((pkgs.formats.ini {}).generate "profiles.ini" { General = { StartWithLastProfile = 1; }; diff --git a/modules/desktop/qmk.nix b/modules/desktop/qmk.nix index f2e393d..037a9be 100644 --- a/modules/desktop/qmk.nix +++ b/modules/desktop/qmk.nix 
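Review bot: `networking.firewall.allowedUDPPortRanges` reads `cfg.rtc.port_range_start` and `cfg.rtc.port_range_end`, but the options declared above are `rtc.portRangeStart` and `rtc.portRangeEnd`, so setting `openFirewall = true` fails evaluation with a missing-attribute error; use `from = cfg.rtc.portRangeStart; to = cfg.rtc.portRangeEnd;`. The `openFirewall` description ("Opens ports 50000 to 51000 on the firewall.") should say that it opens TCP `port` and the configured UDP `rtc` range, since both follow the option values rather than fixed numbers. `CapabilityBoundingSet` only restricts capabilities and grants none, and with `DynamicUser` on the default port 7880 neither `CAP_NET_BIND_SERVICE` nor `CAP_NET_RAW` is exercised, so it can be tightened to `CapabilityBoundingSet = "";` unless a privileged port is intended, in which case `AmbientCapabilities` is what would actually grant it. The trailing `;` inside the `keyFile` description string looks like a typo.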
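Review bot: Changing `profiles.ini` from `f+` to `L+` turns the path into a symlink to a read-only Nix store file, so if Firefox rewrites profiles.ini itself (presumably when a profile is created or renamed) the write fails or the link is replaced; this is worth confirming against the application's behaviour before relying on it. The same `f+` to `L+` switch is made for `qmk.ini` in modules/desktop/qmk.nix and for `settings.json` and `keybindings.json` in modules/desktop/vscodium.nix, where the settings UI is likely to write settings.json. A comment on the changed line would make the intent explicit: `# L+: symlink into the store; the file is owned by the Nix config and not writable by the application`. The enclosing `systemd.tmpfiles.settings.firefox` attribute set continues outside the hunk.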
@@ -1,8 +1,4 @@ -{ - pkgs, - lib, - ... -}: { +{pkgs, ...}: { hardware.keyboard.qmk.enable = true; environment.systemPackages = [ (pkgs.qmk.overrideAttrs (oldAttrs: { @@ -12,7 +8,7 @@ systemd.tmpfiles.settings.qmk = { "/home/quadradical/.config/qmk"."d".user = "quadradical"; - "/home/quadradical/.config/qmk/qmk.ini"."f+".argument = lib.replaceStrings ["\n"] ["\\n"] (lib.generators.toINI {} { + "/home/quadradical/.config/qmk/qmk.ini"."L+".argument = toString ((pkgs.formats.ini {}).generate "qmk.ini" { user = { qmk_home = "/home/quadradical/Documents/Code/qmk_firmware"; overlay_dir = "/home/quadradical/Documents/Code/qmk_userspace"; diff --git a/modules/desktop/vscodium.nix b/modules/desktop/vscodium.nix index 0d2e7ac..449d806 100644 --- a/modules/desktop/vscodium.nix +++ b/modules/desktop/vscodium.nix @@ -38,7 +38,7 @@ systemd.tmpfiles.settings.vscodium = { # "/home/quadradical/.config/VSCodium/User"."d".user = "quadradical"; - "/home/quadradical/.config/VSCodium/User/settings.json"."f+".argument = builtins.toJSON { + "/home/quadradical/.config/VSCodium/User/settings.json"."L+".argument = toString ((pkgs.formats.json {}).generate "settings.json" { "arb-editor.suppressedWarnings" = ["missing_metadata_for_key"]; "dart.debugExternalPackageLibraries" = true; "dart.debugSdkLibraries" = true; @@ -105,9 +105,9 @@ }; "indentRainbow.ignoreErrorLanguages" = ["*"]; "dart.runPubGetOnPubspecChanges" = "never"; - }; + }); - "/home/quadradical/.config/VSCodium/User/keybindings.json"."f+".argument = builtins.toJSON [ + "/home/quadradical/.config/VSCodium/User/keybindings.json"."L+".argument = toString ((pkgs.formats.json {}).generate "settings.json" [ { key = "ctrl+s"; command = "workbench.action.files.saveAll"; @@ -116,6 +116,6 @@ key = "ctrl+s"; command = "-workbench.action.files.save"; } - ]; + ]); }; } diff --git a/secrets/livekitKeys.age b/secrets/livekitKeys.age new file mode 100644 index 0000000..11290bf --- /dev/null +++ b/secrets/livekitKeys.age 
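Review bot: In the `@@ -105,9 +105,9 @@` hunk of modules/desktop/vscodium.nix the keybindings.json entry calls `(pkgs.formats.json {}).generate "settings.json"`, copied from the settings line above; the name only determines the store path's suffix, but it makes the two generated files indistinguishable when inspecting the closure, so use `generate "keybindings.json"`. The enclosing `systemd.tmpfiles.settings.vscodium` attribute set starts before the first hunk.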
@@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSA0YlVy +aGI1NS9ZS0NtK0sySkhPcGIxRzR3dUp0UHltUlo4Zkp0NXNXVnd3CjJLaEh4bDdv +MGhoOHF6cjk5bUVNS0xvNnRyQVl4S3hzbjMxeUcwSGVlOFEKLT4gXWk5b2ItZ3Jl +YXNlIEkvNSBPLnY5Kwo3elZyWlhOa1gvZWxJUEdiRmNBRGYvUmVNeEFudnJBMXZV +Z3lJaHpKMkdQeWdadk9hc1RvVFhUUmI3UkFPMHcxCmI1T2Vjc3N0WDN2aWFQVmlU +QkJFbUdEOExnRlp2MjJaeXhkZzNGVEhxc21JQVk0R1U4MGtZU1EKLS0tIHBlTlVo +WFFUTjhkSnpRZXRwbWhHTm9HN21ZR0luNVNlRWZmNmE5MXpxUWsKXkQToeaUm3in +AKmPG75dH3GTggyAX78nFqt8JXcDzmGdUXt3bJ4G83Fs2XaY/irEAh1E8YQVznD8 +4eCoK2abkca64ADUKzvYYjc0AfWMUqCGVIeXY1ZvQZ1g +-----END AGE ENCRYPTED FILE-----