From 476016706daa6cd0f5c0571e38c94a202c1fa6d0 Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Fri, 18 Apr 2025 17:34:15 -0400
Subject: [PATCH] Update modules

---
clients/quadraticserver/element-call.nix | 16 ++++-----
modules/common/services/livekit.nix | 39 ++++++++++++----------
modules/common/services/lk-jwt-service.nix | 37 ++++++++++----------
secrets/livekitKeys.age | 17 ++++------
4 files changed, 56 insertions(+), 53 deletions(-)

diff --git a/clients/quadraticserver/element-call.nix b/clients/quadraticserver/element-call.nix
index bcf8376..1596a96 100644
--- a/clients/quadraticserver/element-call.nix
+++ b/clients/quadraticserver/element-call.nix
@@ -6,17 +6,15 @@
 services = let
 domain = "call.henryhiles.com";
 in {
- lk-jwt-service = {
- enable = true;
- livekit = {
- url = "wss://${domain}/livekit/sfu";
- environmentFile = config.age.secrets."livekitKeys.age".path;
- };
- };
-
 livekit = {
 enable = true;
- environmentFile = config.age.secrets."livekitKeys.age".path;
+ keyFile = config.age.secrets."livekitKeys.age".path;
+ };
+
+ lk-jwt-service = {
+ enable = true;
+ livekitUrl = "wss://${domain}/livekit/sfu";
+ keyFile = config.services.livekit.keyFile;
 };
 caddy.virtualHosts."${domain}".extraConfig = ''
diff --git a/modules/common/services/livekit.nix b/modules/common/services/livekit.nix
index 7f2c05b..91acdc2 100644
--- a/modules/common/services/livekit.nix
+++ b/modules/common/services/livekit.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ utils,
 ...
 }: let
 cfg = config.services.livekit;
@@ -12,10 +13,10 @@ in {
 enable = lib.mkEnableOption "Enable the livekit server";
 package = lib.mkPackageOption pkgs "livekit" {};
- environmentFile = lib.mkOption {
+ keyFile = lib.mkOption {
 type = lib.types.path;
 description = ''
- LiveKit key file, with syntax `LIVEKIT_KEYS=\"key: secret\"`
+ LiveKit key file, with syntax `APIkey: secret`.
 The key and secret are used by other clients or services to connect to your Livekit instance.
 '';
 };
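Review bot: The new `keyFile` description (livekit.nix, `@@ -12,10 +13,10`) says what the file contains but not how it is consumed, and that decides what permissions users should give it: the later ExecStart hunk hands the path to systemd via `LoadCredential`, so systemd reads it as root at start-up and copies it into `/run/credentials/livekit.service/`, meaning the source file should stay root-owned and 0600 and must not be made readable by the service's DynamicUser. I would add to the description: `Read by systemd through LoadCredential at service start; keep the file root-owned with mode 0600, it does not need to be readable by the service user.` A second sentence noting that the previous `LIVEKIT_KEYS="key: secret"` env-style file no longer parses would spare anyone migrating from `environmentFile` a confusing start-up failure. One thing to verify at runtime rather than assume: the credential copy systemd creates is mode 0400, and some livekit-server releases insisted on exactly 0600 for `--key-file`, so check that the unit actually starts with this arrangement. The option sits inside `options.services.livekit`, whose declaration starts before this hunk.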
@@ -23,16 +24,7 @@ in {
 openFirewall = lib.mkOption {
 type = lib.types.bool;
 default = false;
- description = "Opens ports 50000 to 51000 on the firewall.";
- };
-
- useExternalIP = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = ''
- When set to true, attempts to discover the host's public IP via STUN.
- This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
- '';
+ description = "Opens port range for LiveKit on the firewall.";
 };
 settings = lib.mkOption {
@@ -57,6 +49,15 @@ in {
 default = 51000;
 description = "End of UDP port range for WebRTC";
 };
+
+ use_external_ip = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ When set to true, attempts to discover the host's public IP via STUN.
+ This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
+ '';
+ };
 };
 };
 };
@@ -73,12 +74,12 @@ in {
 config = lib.mkIf cfg.enable {
 networking.firewall = lib.mkIf cfg.openFirewall {
 allowedTCPPorts = [
- cfg.port
+ cfg.settings.port
 ];
 allowedUDPPortRanges = [
 {
- from = cfg.rtc.port_range_start;
- to = cfg.rtc.port_range_end;
+ from = cfg.settings.rtc.port_range_start;
+ to = cfg.settings.rtc.port_range_end;
 }
 ];
 };
@@ -91,7 +92,6 @@ in {
 after = ["network-online.target"];
 serviceConfig = {
- EnvironmentFile = cfg.environmentFile;
 DynamicUser = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -118,7 +118,12 @@ in {
 "~@privileged"
 "~@resources"
 ];
- ExecStart = "${lib.getExe cfg.package} --config ${format.generate "livekit.json" cfg.settings}";
+ LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
+ ExecStart = utils.escapeSystemdExecArgs [
+ (lib.getExe cfg.package)
+ "--config=${format.generate "livekit.json" cfg.settings}"
+ "--key-file=/run/credentials/livekit.service/livekit-secrets"
+ ];
 Restart = "on-failure";
 RestartSec = 5;
 UMask = "077";
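Review bot: Removing `useExternalIP` here (and `environmentFile` in the earlier hunk) with no compatibility shim means any host config that still sets `services.livekit.useExternalIP = true` fails evaluation with an "option does not exist" error instead of being mapped onto the new `settings.rtc.use_external_ip`; a rename module keeps it working, e.g. `imports = [ (lib.mkRenamedOptionModule [ "services" "livekit" "useExternalIP" ] [ "services" "livekit" "settings" "rtc" "use_external_ip" ]) (lib.mkRemovedOptionModule [ "services" "livekit" "environmentFile" ] "Use services.livekit.keyFile (format `key: secret`) instead.") ];`. Failing loudly is acceptable for a private module, but the failure mode to avoid is a user fixing the error by deleting the line, after which the server quietly falls back to the internal address the option text describes and WebRTC stops working from outside; naming the replacement in the removal message prevents that. The `options.services.livekit` attrset that holds these declarations starts before this hunk.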
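Review bot: In the ExecStart hunk (`@@ -118,7 +118,12`) `format.generate "livekit.json" cfg.settings` renders the entire `settings` attrset into the Nix store, which is world-readable, so the `keyFile`/`LoadCredential` path this hunk introduces is the only safe home for the API secret, yet nothing stops a user from putting `settings.keys`, a Redis password or TURN credentials into `settings` and publishing them under `/nix/store`. I would state that on the `settings` option (declared outside this hunk): `Rendered to a world-readable file in the Nix store; never put secrets here, use keyFile for API keys.` and make it enforceable with `assertions = [ { assertion = !(cfg.settings ? keys); message = "services.livekit.settings.keys would land in the Nix store; use services.livekit.keyFile."; } ];`. The credential path is hard-coded as `/run/credentials/livekit.service/livekit-secrets`, which is correct as long as the unit keeps its name; as far as I recall `escapeSystemdExecArgs` doubles `%`, so systemd's `%d` specifier cannot be used here, and a one-line comment saying the literal path is deliberate would help the next reader. The `serviceConfig` attrset continues outside the hunk.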
diff --git a/modules/common/services/lk-jwt-service.nix b/modules/common/services/lk-jwt-service.nix
index c4bfdd4..6038b0c 100644
--- a/modules/common/services/lk-jwt-service.nix
+++ b/modules/common/services/lk-jwt-service.nix
@@ -11,22 +11,21 @@ in {
 enable = lib.mkEnableOption "Enable lk-jwt-service";
 package = lib.mkPackageOption pkgs "lk-jwt-service" {};
- livekit = {
- url = lib.mkOption {
- type = lib.types.str;
- description = ''
- The URL that livekit runs on, prefixed with `ws://` or `wss://` (recommended).
- For example, `wss://example.com/livekit/sfu`
- '';
- };
+ livekitUrl = lib.mkOption {
+ type = lib.types.strMatching "^wss?://.*";
+ example = "wss://example.com/livekit/sfu";
+ description = ''
+ The public websocket URL for livekit.
+ The proto needs to be either `wss://` (recommended) or `ws://` (insecure).
+ '';
+ };
- environmentFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- Path to a file of environment variables, where you must declare some of: `LIVEKIT_KEY`, `LIVEKIT_SECRET`, `LIVEKIT_KEY_FROM_FILE`, `LIVEKIT_SECRET_FROM_FILE`, and/or `LIVEKIT_KEY_FILE`.
- For more information, see .
- '';
- };
+ keyFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to your LiveKit key file, with syntax `APIkey: secret`.
+ For more information, see .
+ '';
+ };
 };
 port = lib.mkOption {
@@ -43,10 +42,13 @@ in {
 wantedBy = ["multi-user.target"];
 wants = ["network-online.target"];
 after = ["network-online.target"];
- environment.LIVEKIT_URL = cfg.livekit.url;
+ environment = {
+ LIVEKIT_URL = cfg.livekitUrl;
+ LIVEKIT_JWT_PORT = toString cfg.port;
+ LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets";
+ };
 serviceConfig = {
- EnvironmentFile = cfg.livekit.environmentFile;
 DynamicUser = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
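Review bot: The new `keyFile` description in the options hunk (`@@ -11,22 +11,21`) ends with `For more information, see .`, an empty reference (the old text had the same gap), so either an angle-bracketed URL was stripped in rendering or it was never filled in; either way, point it at the lk-jwt-service README so users can find the exact `key: secret` file format and the remaining `LIVEKIT_*` settings. The `livekitUrl` description would also benefit from saying why `ws://` is marked insecure: as I understand the service, this URL is returned to callers together with the signed token, so a plaintext endpoint exposes both the token and the media signalling on the network path; e.g. `ws:// sends the LiveKit token and signalling in cleartext; only use it behind a TLS-terminating proxy on the same host.` Both option declarations are complete within the hunk; the `options.services.lk-jwt-service` attrset holding them starts earlier.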
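Review bot: The `environment` block in the second hunk (`@@ -43,10 +42,13`) sets the port, SFU URL and key file but nothing about who may obtain tokens, so by default any Matrix user on any federating homeserver can ask this service for a LiveKit token, since lk-jwt-service validates the caller's OpenID token against whichever homeserver the request names. Upstream lk-jwt-service documents a `LIVEKIT_FULL_ACCESS_HOMESERVERS` setting for restricting that; if the packaged version supports it, a module option that feeds it, e.g. `LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.concatStringsSep "," cfg.fullAccessHomeservers;`, is worth adding, and the option description should say what the default allows. Separately, `LIVEKIT_KEY_FILE` spells out the credential name `livekit-secrets` that the later `LoadCredential` line also hard-codes; binding it once in the module's `let` (`credName = "livekit-secrets";`) keeps the two from drifting apart. The systemd unit definition continues past this hunk.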
@@ -72,6 +74,7 @@ in {
 "~@privileged"
 "~@resources"
 ];
+ LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
 ExecStart = lib.getExe cfg.package;
 Restart = "on-failure";
 RestartSec = 5;
diff --git a/secrets/livekitKeys.age b/secrets/livekitKeys.age
index 26874dc..c52510e 100644
--- a/secrets/livekitKeys.age
+++ b/secrets/livekitKeys.age
@@ -1,12 +1,9 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEb3hG
-alZjckJtLzFxTGtzZkRwSlMwUWxjbEUrY0RhTUVKTzhNMGJ6LzEwCjZGY01MV3Vz
-SXVkTGJadHlHRnBjL0xBWTU4SElrQjBibnBvQ0pqeE50VkUKLT4gc2JVLWdyZWFz
-ZSBqd3wgOi0gYCxkIFpkbURYClZkRGw3NHhYanBJbEZGUzloMDdkQ1BsWnlNNC82
-blVPUkZxV0pFZ0tleERtekVSUEt6YXRvUjhqQ2VLMGVUODMKVXdSdDNGSTNRb1NL
-clEzV1JpZnFXMGtrVVhPQllTWQotLS0gMDFDV0xGY0tSTWgxWklaZit1bFlkRmkr
-SWd1TmRzbGlzK0Fsc3JPa21Sdwq1tIFHOqPsd1rNPpJRWvxOXE1EJ09PBqXiZ5a5
-k8S4NuHaRj/7LI82GRT3ELRdWcU06KFKaKie63vX73WGcXgT0kJocRG1khy/cyuP
-Sfk/1H0eo9GVixwPwQhlOCVGUPJqcPMtM4/cQ1oA3A0VX3g3AkznFhoD2zR7OBH0
-RWhsh4iDFT4a4bIMlPe5JBRMdTwRTCjRHVOm
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEbVA2
+ZzR2ZmEvUGN0WkZCd2t3OE01YTFoZ2VUa0N6MGlod3U4eExNM0VvClFwaDRRWDdQ
+QXV5eStQd3p5RGl4OXJwZVNCbzVVZTRNQm4rM2JsUi9VeWMKLT4gVSs/X0gtZ3Jl
+YXNlCnp2czR4ZDJUOW43TGRKNk5Ec2RNRGZjY0tjZHZyYmUzNWRhbkJDMUlwaXRt
+WWZ6YgotLS0gVkNvMktaeUs0cTYrRS8yalBYcmRmdldHQzFFQW5ITGxMNFVZcDMy
+NnpRbwocpvA4YiRuPofpFlYM9WBSv9yDsBQLYoYX+4HsYwGtW4sEALfd+5be4/ri
+5OrLU00KdQTWjuUSFFO+/DWF2+XD3on6Qr8=
 -----END AGE ENCRYPTED FILE-----