Update modules

2025-04-18 17:34:15 -04:00 · 2025-04-18 17:34:15 -04:00 · 476016706d
commit 476016706d
parent 1d46cb69fc
4 changed files with 56 additions and 53 deletions
--- a/clients/quadraticserver/element-call.nix
+++ b/clients/quadraticserver/element-call.nix
@ -6,17 +6,15 @@
  services = let
    domain = "call.henryhiles.com";
  in {
-    lk-jwt-service = {
-      enable = true;
    livekit = {
-        url = "wss://${domain}/livekit/sfu";
-        environmentFile = config.age.secrets."livekitKeys.age".path;
-      };
+      enable = true;
+      keyFile = config.age.secrets."livekitKeys.age".path;
    };

-    livekit = {
+    lk-jwt-service = {
      enable = true;
-      environmentFile = config.age.secrets."livekitKeys.age".path;
+      livekitUrl = "wss://${domain}/livekit/sfu";
+      keyFile = config.services.livekit.keyFile;
    };

    caddy.virtualHosts."${domain}".extraConfig = ''
--- a/modules/common/services/livekit.nix
+++ b/modules/common/services/livekit.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  utils,
  ...
 }: let
  cfg = config.services.livekit;
@ -12,10 +13,10 @@ in {
    enable = lib.mkEnableOption "Enable the livekit server";
    package = lib.mkPackageOption pkgs "livekit" {};

-    environmentFile = lib.mkOption {
+    keyFile = lib.mkOption {
      type = lib.types.path;
      description = ''
-        LiveKit key file, with syntax `LIVEKIT_KEYS=\"key: secret\"`
+        LiveKit key file, with syntax `APIkey: secret`.
        The key and secret are used by other clients or services to connect to your Livekit instance.
      '';
    };
@ -23,16 +24,7 @@ in {
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
-      description = "Opens ports 50000 to 51000 on the firewall.";
-    };
-
-    useExternalIP = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        When set to true, attempts to discover the host's public IP via STUN.
-        This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
-      '';
+      description = "Opens port range for LiveKit on the firewall.";
    };

    settings = lib.mkOption {
@ -57,6 +49,15 @@ in {
              default = 51000;
              description = "End of UDP port range for WebRTC";
            };
+
+            use_external_ip = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = ''
+                When set to true, attempts to discover the host's public IP via STUN.
+                This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
+              '';
+            };
          };
        };
      };
@ -73,12 +74,12 @@ in {
  config = lib.mkIf cfg.enable {
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [
-        cfg.port
+        cfg.settings.port
      ];
      allowedUDPPortRanges = [
        {
-          from = cfg.rtc.port_range_start;
-          to = cfg.rtc.port_range_end;
+          from = cfg.settings.rtc.port_range_start;
+          to = cfg.settings.rtc.port_range_end;
        }
      ];
    };
@ -91,7 +92,6 @@ in {
      after = ["network-online.target"];

      serviceConfig = {
-        EnvironmentFile = cfg.environmentFile;
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
@ -118,7 +118,12 @@ in {
          "~@privileged"
          "~@resources"
        ];
-        ExecStart = "${lib.getExe cfg.package} --config ${format.generate "livekit.json" cfg.settings}";
+        LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
+        ExecStart = utils.escapeSystemdExecArgs [
+          (lib.getExe cfg.package)
+          "--config=${format.generate "livekit.json" cfg.settings}"
+          "--key-file=/run/credentials/livekit.service/livekit-secrets"
+        ];
        Restart = "on-failure";
        RestartSec = 5;
        UMask = "077";
--- a/modules/common/services/lk-jwt-service.nix
+++ b/modules/common/services/lk-jwt-service.nix
@ -11,23 +11,22 @@ in {
    enable = lib.mkEnableOption "Enable lk-jwt-service";
    package = lib.mkPackageOption pkgs "lk-jwt-service" {};

-    livekit = {
-      url = lib.mkOption {
-        type = lib.types.str;
+    livekitUrl = lib.mkOption {
+      type = lib.types.strMatching "^wss?://.*";
+      example = "wss://example.com/livekit/sfu";
      description = ''
-          The URL that livekit runs on, prefixed with `ws://` or `wss://` (recommended).
-          For example, `wss://example.com/livekit/sfu`
+        The public websocket URL for livekit.
+        The proto needs to be either  `wss://` (recommended) or `ws://` (insecure).
      '';
    };

-      environmentFile = lib.mkOption {
+    keyFile = lib.mkOption {
      type = lib.types.path;
      description = ''
-          Path to a file of environment variables, where you must declare some of: `LIVEKIT_KEY`, `LIVEKIT_SECRET`, `LIVEKIT_KEY_FROM_FILE`, `LIVEKIT_SECRET_FROM_FILE`, and/or `LIVEKIT_KEY_FILE`.
+        Path to your LiveKit key file, with syntax `APIkey: secret`.
        For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>.
      '';
    };
-    };

    port = lib.mkOption {
      type = lib.types.port;
@ -43,10 +42,13 @@ in {
      wantedBy = ["multi-user.target"];
      wants = ["network-online.target"];
      after = ["network-online.target"];
-      environment.LIVEKIT_URL = cfg.livekit.url;
+      environment = {
+        LIVEKIT_URL = cfg.livekitUrl;
+        LIVEKIT_JWT_PORT = toString cfg.port;
+        LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets";
+      };

      serviceConfig = {
-        EnvironmentFile = cfg.livekit.environmentFile;
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
@ -72,6 +74,7 @@ in {
          "~@privileged"
          "~@resources"
        ];
+        LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
        ExecStart = lib.getExe cfg.package;
        Restart = "on-failure";
        RestartSec = 5;
--- a/secrets/livekitKeys.age
+++ b/secrets/livekitKeys.age
@ -1,12 +1,9 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEb3hG
-alZjckJtLzFxTGtzZkRwSlMwUWxjbEUrY0RhTUVKTzhNMGJ6LzEwCjZGY01MV3Vz
-SXVkTGJadHlHRnBjL0xBWTU4SElrQjBibnBvQ0pqeE50VkUKLT4gc2JVLWdyZWFz
-ZSBqd3wgOi0gYCxkIFpkbURYClZkRGw3NHhYanBJbEZGUzloMDdkQ1BsWnlNNC82
-blVPUkZxV0pFZ0tleERtekVSUEt6YXRvUjhqQ2VLMGVUODMKVXdSdDNGSTNRb1NL
-clEzV1JpZnFXMGtrVVhPQllTWQotLS0gMDFDV0xGY0tSTWgxWklaZit1bFlkRmkr
-SWd1TmRzbGlzK0Fsc3JPa21Sdwq1tIFHOqPsd1rNPpJRWvxOXE1EJ09PBqXiZ5a5
-k8S4NuHaRj/7LI82GRT3ELRdWcU06KFKaKie63vX73WGcXgT0kJocRG1khy/cyuP
-Sfk/1H0eo9GVixwPwQhlOCVGUPJqcPMtM4/cQ1oA3A0VX3g3AkznFhoD2zR7OBH0
-RWhsh4iDFT4a4bIMlPe5JBRMdTwRTCjRHVOm
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBEbVA2
+ZzR2ZmEvUGN0WkZCd2t3OE01YTFoZ2VUa0N6MGlod3U4eExNM0VvClFwaDRRWDdQ
+QXV5eStQd3p5RGl4OXJwZVNCbzVVZTRNQm4rM2JsUi9VeWMKLT4gVSs/X0gtZ3Jl
+YXNlCnp2czR4ZDJUOW43TGRKNk5Ec2RNRGZjY0tjZHZyYmUzNWRhbkJDMUlwaXRt
+WWZ6YgotLS0gVkNvMktaeUs0cTYrRS8yalBYcmRmdldHQzFFQW5ITGxMNFVZcDMy
+NnpRbwocpvA4YiRuPofpFlYM9WBSv9yDsBQLYoYX+4HsYwGtW4sEALfd+5be4/ri
+5OrLU00KdQTWjuUSFFO+/DWF2+XD3on6Qr8=
 -----END AGE ENCRYPTED FILE-----