From 8f0c07c9503092fa890e2e70b3e15a92c57af150 Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Thu, 17 Apr 2025 18:24:40 -0400
Subject: [PATCH] Fix insecure issue
---
 clients/quadraticserver/element-call.nix | 46 +++++++++++-----------
 modules/common/services/lk-jwt-service.nix | 2 +-
 2 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/clients/quadraticserver/element-call.nix b/clients/quadraticserver/element-call.nix
index dfd604d..966d0a7 100644
--- a/clients/quadraticserver/element-call.nix
+++ b/clients/quadraticserver/element-call.nix
@@ -7,7 +7,7 @@
 lk-jwt-service = {
 enable = true;
 livekit = {
- url = "ws://livekit.henryhiles.com/sfu";
+ url = "wss://call.henryhiles.com/livekit/sfu";
 keyFile = config.age.secrets."livekitKeys.age".path;
 };
 };
@@ -17,29 +17,31 @@
 keyFile = config.age.secrets."livekitKeys.age".path;
 };
- caddy.virtualHosts = {
- "call.henryhiles.com".extraConfig = ''
- root * ${pkgs.element-call}
- respond /config.json `${builtins.toJSON {
- default_server_config = {
- "m.homeserver" = {
- "base_url" = "https://matrix.henryhiles.com";
- "server_name" = "henryhiles.com";
- };
+ caddy.virtualHosts."call.henryhiles.com".extraConfig = ''
+ root * ${pkgs.element-call}
+ route {
+ respond /config.json `${builtins.toJSON {
+ default_server_config = {
+ "m.homeserver" = {
+ "base_url" = "https://matrix.henryhiles.com";
+ "server_name" = "henryhiles.com";
 };
- livekit.livekit_service_url = "https://livekit.henryhiles.com";
- }}` 200
+ };
+ livekit.livekit_service_url = "https://call.henryhiles.com/livekit";
+ }}` 200
- try_files {path} {path}/ /index.html
- file_server
- '';
- "livekit.henryhiles.com".extraConfig = ''
- handle_path /sfu/get {
- reverse_proxy 127.0.0.1:8080
- }
+ handle /livekit/sfu/get {
+ uri strip_prefix /livekit
+ reverse_proxy 127.0.0.1:8080
+ }
- reverse_proxy 127.0.0.1:7880
- '';
- };
+ handle_path /livekit/sfu* {
+ reverse_proxy 127.0.0.1:7880
+ }
+
+ try_files {path} {path}/ /index.html
+ file_server
+ }
+ '';
 };
 }
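Review bot: Nothing enforces the TLS scheme that the new `livekit.url` value relies on: the option it sets is declared as `type = lib.types.str;` in modules/common/services/lk-jwt-service.nix, and this commit only changes that option's description. A later edit back to `ws://` would therefore evaluate cleanly and hand clients a plaintext signalling URL again. Consider at least constraining the shape with `type = lib.types.strMatching "wss?://.+";`, and emitting a module warning when the value satisfies `lib.hasPrefix "ws://"` so the insecure form stays available for local testing but is never silent.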
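Review bot: The two proxy matchers in the new `route` block overlap: `/livekit/sfu/get` also matches `handle_path /livekit/sfu*`, so the token endpoint reaches the JWT service on 127.0.0.1:8080 only because its `handle` block is written first. That ordering dependency deserves a Caddyfile comment above the first block, for example `# keep above the /livekit/sfu* block: the first matching handle wins`. The glob without a slash also forwards any path that merely begins with `/livekit/sfu` (such as `/livekit/sfuX`) to LiveKit; `handle_path /livekit/sfu/* {` would be tighter, assuming no client requests the bare `/livekit/sfu`. Separately, it is worth confirming outside this hunk that ports 7880 and 8080 listen on loopback only, since otherwise the plaintext endpoints would remain reachable alongside the TLS ones.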
diff --git a/modules/common/services/lk-jwt-service.nix b/modules/common/services/lk-jwt-service.nix
index 0f71129..90e17a5 100644
--- a/modules/common/services/lk-jwt-service.nix
+++ b/modules/common/services/lk-jwt-service.nix
@@ -14,7 +14,7 @@ in {
 livekit = {
 url = lib.mkOption {
 type = lib.types.str;
- description = "The URL that livekit runs on, prefixed with `ws://`.";
+ description = "The URL that livekit runs on, prefixed with `ws://` or `wss://` (recommended).";
 };
 keyFile = lib.mkOption {