Update modules

This commit is contained in:
Henry Hiles 2025-04-18 17:34:15 -04:00
parent 1d46cb69fc
commit 476016706d
Signed by: Henry-Hiles
SSH key fingerprint: SHA256:VKQUdS31Q90KvX7EkKMHMBpUspcmItAh86a+v7PGiIs
4 changed files with 56 additions and 53 deletions


@ -6,17 +6,15 @@
services = let services = let
domain = "call.henryhiles.com"; domain = "call.henryhiles.com";
in { in {
lk-jwt-service = {
enable = true;
livekit = {
url = "wss://${domain}/livekit/sfu";
environmentFile = config.age.secrets."livekitKeys.age".path;
};
};
livekit = { livekit = {
enable = true; enable = true;
environmentFile = config.age.secrets."livekitKeys.age".path; keyFile = config.age.secrets."livekitKeys.age".path;
};
lk-jwt-service = {
enable = true;
livekitUrl = "wss://${domain}/livekit/sfu";
keyFile = config.services.livekit.keyFile;
}; };
caddy.virtualHosts."${domain}".extraConfig = '' caddy.virtualHosts."${domain}".extraConfig = ''


@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
utils,
... ...
}: let }: let
cfg = config.services.livekit; cfg = config.services.livekit;
@ -12,10 +13,10 @@ in {
enable = lib.mkEnableOption "Enable the livekit server"; enable = lib.mkEnableOption "Enable the livekit server";
package = lib.mkPackageOption pkgs "livekit" {}; package = lib.mkPackageOption pkgs "livekit" {};
environmentFile = lib.mkOption { keyFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = '' description = ''
LiveKit key file, with syntax `LIVEKIT_KEYS=\"key: secret\"` LiveKit key file, with syntax `APIkey: secret`.
The key and secret are used by other clients or services to connect to your Livekit instance. The key and secret are used by other clients or services to connect to your Livekit instance.
''; '';
}; };
@ -23,16 +24,7 @@ in {
openFirewall = lib.mkOption { openFirewall = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
description = "Opens ports 50000 to 51000 on the firewall."; description = "Opens port range for LiveKit on the firewall.";
};
useExternalIP = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
When set to true, attempts to discover the host's public IP via STUN.
This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
'';
}; };
settings = lib.mkOption { settings = lib.mkOption {
@ -57,6 +49,15 @@ in {
default = 51000; default = 51000;
description = "End of UDP port range for WebRTC"; description = "End of UDP port range for WebRTC";
}; };
use_external_ip = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
When set to true, attempts to discover the host's public IP via STUN.
This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
'';
};
}; };
}; };
}; };
@ -73,12 +74,12 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall = lib.mkIf cfg.openFirewall { networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ allowedTCPPorts = [
cfg.port cfg.settings.port
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ {
from = cfg.rtc.port_range_start; from = cfg.settings.rtc.port_range_start;
to = cfg.rtc.port_range_end; to = cfg.settings.rtc.port_range_end;
} }
]; ];
}; };
@ -91,7 +92,6 @@ in {
after = ["network-online.target"]; after = ["network-online.target"];
serviceConfig = { serviceConfig = {
EnvironmentFile = cfg.environmentFile;
DynamicUser = true; DynamicUser = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -118,7 +118,12 @@ in {
"~@privileged" "~@privileged"
"~@resources" "~@resources"
]; ];
ExecStart = "${lib.getExe cfg.package} --config ${format.generate "livekit.json" cfg.settings}"; LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe cfg.package)
"--config=${format.generate "livekit.json" cfg.settings}"
"--key-file=/run/credentials/livekit.service/livekit-secrets"
];
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
UMask = "077"; UMask = "077";
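Review bot: The `keyFile` option at the `@ -12,10 +13,10 @@` hunk is typed `lib.types.path` with no caveat, so a Nix path literal such as `./livekit.keys` type-checks and is copied into the world-readable Nix store, and the new `LoadCredential` at the last hunk would then merely re-expose that store copy to the service. The description should state this, e.g. `Must point to a file outside the Nix store (for example one provisioned by agenix); a path literal would copy the secret into the world-readable store.` — the same applies to the `keyFile` option of lk-jwt-service in the next file. Separately, `--key-file=/run/credentials/livekit.service/livekit-secrets` is tied both to the unit name and to the `livekit-secrets` id in `LoadCredential`, and the `%d` credentials specifier is not an option here because `utils.escapeSystemdExecArgs` escapes `%` (as far as I recall), so a comment such as `# path is /run/credentials/<unit>/<id>; must match the id in LoadCredential above` would save the next maintainer a silent startup failure after a rename.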


@ -11,22 +11,21 @@ in {
enable = lib.mkEnableOption "Enable lk-jwt-service"; enable = lib.mkEnableOption "Enable lk-jwt-service";
package = lib.mkPackageOption pkgs "lk-jwt-service" {}; package = lib.mkPackageOption pkgs "lk-jwt-service" {};
livekit = { livekitUrl = lib.mkOption {
url = lib.mkOption { type = lib.types.strMatching "^wss?://.*";
type = lib.types.str; example = "wss://example.com/livekit/sfu";
description = '' description = ''
The URL that livekit runs on, prefixed with `ws://` or `wss://` (recommended). The public websocket URL for livekit.
For example, `wss://example.com/livekit/sfu` The proto needs to be either `wss://` (recommended) or `ws://` (insecure).
''; '';
}; };
environmentFile = lib.mkOption { keyFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = '' description = ''
Path to a file of environment variables, where you must declare some of: `LIVEKIT_KEY`, `LIVEKIT_SECRET`, `LIVEKIT_KEY_FROM_FILE`, `LIVEKIT_SECRET_FROM_FILE`, and/or `LIVEKIT_KEY_FILE`. Path to your LiveKit key file, with syntax `APIkey: secret`.
For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>. For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>.
''; '';
};
}; };
port = lib.mkOption { port = lib.mkOption {
@ -43,10 +42,13 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
wants = ["network-online.target"]; wants = ["network-online.target"];
after = ["network-online.target"]; after = ["network-online.target"];
environment.LIVEKIT_URL = cfg.livekit.url; environment = {
LIVEKIT_URL = cfg.livekitUrl;
LIVEKIT_JWT_PORT = toString cfg.port;
LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets";
};
serviceConfig = { serviceConfig = {
EnvironmentFile = cfg.livekit.environmentFile;
DynamicUser = true; DynamicUser = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -72,6 +74,7 @@ in {
"~@privileged" "~@privileged"
"~@resources" "~@resources"
]; ];
LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
ExecStart = lib.getExe cfg.package; ExecStart = lib.getExe cfg.package;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
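Review bot: `LIVEKIT_KEY_FILE` in the new `environment` block hardcodes `/run/credentials/lk-jwt-service.service/livekit-secrets`, which silently depends on both the unit name and the `livekit-secrets` id in the `LoadCredential` line added in the last hunk; nothing ties the two together, so renaming either breaks startup with no evaluation-time error. Deriving both from one binding, `let credName = "livekit-secrets"; in ...`, or at least a comment on the environment line, `# must match the credential id in serviceConfig.LoadCredential and the unit name`, would keep them in sync. The `livekitUrl` type `strMatching "^wss?://.*"` is a full-string match, so it also accepts a bare `wss://` with no host; if a host is required, `strMatching "^wss?://[^/]+.*"` would reject that.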


@ -1,12 +1,9 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEb3hG YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEbVA2
alZjckJtLzFxTGtzZkRwSlMwUWxjbEUrY0RhTUVKTzhNMGJ6LzEwCjZGY01MV3Vz ZzR2ZmEvUGN0WkZCd2t3OE01YTFoZ2VUa0N6MGlod3U4eExNM0VvClFwaDRRWDdQ
SXVkTGJadHlHRnBjL0xBWTU4SElrQjBibnBvQ0pqeE50VkUKLT4gc2JVLWdyZWFz QXV5eStQd3p5RGl4OXJwZVNCbzVVZTRNQm4rM2JsUi9VeWMKLT4gVSs/X0gtZ3Jl
ZSBqd3wgOi0gYCxkIFpkbURYClZkRGw3NHhYanBJbEZGUzloMDdkQ1BsWnlNNC82 YXNlCnp2czR4ZDJUOW43TGRKNk5Ec2RNRGZjY0tjZHZyYmUzNWRhbkJDMUlwaXRt
blVPUkZxV0pFZ0tleERtekVSUEt6YXRvUjhqQ2VLMGVUODMKVXdSdDNGSTNRb1NL WWZ6YgotLS0gVkNvMktaeUs0cTYrRS8yalBYcmRmdldHQzFFQW5ITGxMNFVZcDMy
clEzV1JpZnFXMGtrVVhPQllTWQotLS0gMDFDV0xGY0tSTWgxWklaZit1bFlkRmkr NnpRbwocpvA4YiRuPofpFlYM9WBSv9yDsBQLYoYX+4HsYwGtW4sEALfd+5be4/ri
SWd1TmRzbGlzK0Fsc3JPa21Sdwq1tIFHOqPsd1rNPpJRWvxOXE1EJ09PBqXiZ5a5 5OrLU00KdQTWjuUSFFO+/DWF2+XD3on6Qr8=
k8S4NuHaRj/7LI82GRT3ELRdWcU06KFKaKie63vX73WGcXgT0kJocRG1khy/cyuP
Sfk/1H0eo9GVixwPwQhlOCVGUPJqcPMtM4/cQ1oA3A0VX3g3AkznFhoD2zR7OBH0
RWhsh4iDFT4a4bIMlPe5JBRMdTwRTCjRHVOm
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----