diff --git a/clients/quadraticserver/element-call.nix b/clients/quadraticserver/element-call.nix
index 5ad7bea..ff64ba9 100644
--- a/clients/quadraticserver/element-call.nix
+++ b/clients/quadraticserver/element-call.nix
@@ -1,6 +1,40 @@
-{pkgs, ...}: {
- services.caddy.virtualHosts."call.henryhiles.com". extraConfig = ''
- root * ${pkgs.element-call}
- file_server
- '';
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services = {
+ lk-jwt-service = {
+ enable = true;
+ livekit = {
+ keyFile = config.age.secrets."livekitKeys.age".path;
+ };
+ };
+
+ livekit = {
+ enable = true;
+ keyFile = config.age.secrets."livekitKeys.age".path;
+ };
+
+ caddy.virtualHosts."call.henryhiles.com".extraConfig = ''
+ root * ${pkgs.element-call}
+ route {
+ respond /config.json `${builtins.toJSON {
+ default_server_config = {
+ "m.homeserver" = {
+ "base_url" = "https://matrix.henryhiles.com";
+ "server_name" = "henryhiles.com";
+ };
+ };
+ livekit.livekit_service_url = "https://call.henryhiles.com";
+ }}` 200
+
+ reverse_proxy /livekit/sfu 127.0.0.1:7880
+ reverse_proxy /livekit/jwt 127.0.0.1:8080
+
+ try_files {path} {path}/ /index.html
+ file_server
+ }
+ '';
+ };
 }
diff --git a/modules/common/livekit.nix b/modules/common/livekit.nix
deleted file mode 100644
index e3aa49e..0000000
--- a/modules/common/livekit.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{config, ...}: {
- services.livekit = {
- enable = true;
- keyFile = config.age.secrets."livekitKeys.age".path;
- };
-}
diff --git a/modules/common/services/livekit.nix b/modules/common/services/livekit.nix
index 7a1a9f3..57a88be 100644
--- a/modules/common/services/livekit.nix
+++ b/modules/common/services/livekit.nix
@@ -6,7 +6,7 @@
 }: let
 cfg = config.services.livekit;
 in {
- meta.maintainers = with lib.maintainers; [quadradical];
+ meta.maintainers = [lib.maintainers.quadradical];
 options.services.livekit = {
 enable = lib.mkEnableOption "Livekit SFU";
 package = lib.mkPackageOption pkgs "livekit" {};
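Review bot: The two `reverse_proxy` path matchers in the new `route` block are exact matches — a Caddyfile path matcher only becomes a prefix match with a trailing `*` — so `/livekit/sfu` and `/livekit/jwt` catch only those literal paths, and any sub-path the client actually requests (for example `/livekit/jwt/sfu/get`) falls through to `try_files` and is answered with `index.html`; they should read `reverse_proxy /livekit/sfu* 127.0.0.1:7880` and `reverse_proxy /livekit/jwt* 127.0.0.1:8080` (or `handle_path` blocks if the backends expect the prefix stripped). Relatedly, `livekit_service_url` is set to the bare origin `https://call.henryhiles.com` rather than the `/livekit/jwt` prefix that is proxied to port 8080, so the client is handed a URL under which the JWT service is not reachable — worth confirming against the path the client appends. `services.lk-jwt-service.livekit.url` is also left at the module's default `127.0.0.1`; if the service returns that value to browsers as the SFU endpoint (as upstream documents for `LIVEKIT_URL`), it should be set here to the public `wss://call.henryhiles.com/livekit/sfu`. Both services read the same `livekitKeys.age` file — as an `EnvironmentFile` for lk-jwt-service and as `keyFile` for livekit — so the secret must satisfy both consumers' formats at once; a one-line comment stating the file's layout next to these two `keyFile` lines would prevent a silent mismatch on the next rotation.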
diff --git a/modules/common/services/lk-jwt-service.nix b/modules/common/services/lk-jwt-service.nix
index 0967ef4..800a4f4 100644
--- a/modules/common/services/lk-jwt-service.nix
+++ b/modules/common/services/lk-jwt-service.nix
@@ -1 +1,85 @@
-{}
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.lk-jwt-service;
+in {
+ meta.maintainers = [lib.maintainers.quadradical];
+ options.services.lk-jwt-service = {
+ enable = lib.mkEnableOption "Enable lk-jwt-service";
+ package = lib.mkPackageOption pkgs "lk-jwt-service" {};
+
+ livekit = {
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = "The URL that livekit runs on, prefixed with `ws://`.";
+ };
+
+ keyFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ Path to a file showing LiveKit keys, where you must declare some of: `LIVEKIT_KEY`, `LIVEKIT_SECRET`, `LIVEKIT_KEY_FROM_FILE`, `LIVEKIT_SECRET_FROM_FILE`, and/or `LIVEKIT_KEY_FILE`.
+ For more information see .
+ '';
+ };
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 8080;
+ description = "Port that lk-jwt-service should run on";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.lk-jwt-service = {
+ description = "Minimal service to issue LiveKit JWTs for MatrixRTC";
+ documentation = ["https://github.com/element-hq/lk-jwt-service"];
+ wantedBy = ["multi-user.target"];
+ wants = ["network-online.target"];
+ after = ["network-online.target"];
+ environment.LIVEKIT_URL = cfg.livekit.url;
+
+ serviceConfig = {
+ EnvironmentFile = cfg.livekit.keyFile;
+ DynamicUser = true;
+ User = "lk-jwt-service";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ ProtectHome = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_NET_RAW"
+ ];
+ ExecStart = "${cfg.package}/bin/lk-jwt-service";
+ Restart = "on-failure";
+ RestartSec = 5;
+ UMask = "077";
+ };
+ };
+ };
+}
diff --git a/secrets/livekitKeys.age b/secrets/livekitKeys.age
index 11290bf..7fb830f 100644
--- a/secrets/livekitKeys.age
+++ b/secrets/livekitKeys.age
@@ -1,11 +1,11 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSA0YlVy
-aGI1NS9ZS0NtK0sySkhPcGIxRzR3dUp0UHltUlo4Zkp0NXNXVnd3CjJLaEh4bDdv
-MGhoOHF6cjk5bUVNS0xvNnRyQVl4S3hzbjMxeUcwSGVlOFEKLT4gXWk5b2ItZ3Jl
-YXNlIEkvNSBPLnY5Kwo3elZyWlhOa1gvZWxJUEdiRmNBRGYvUmVNeEFudnJBMXZV
-Z3lJaHpKMkdQeWdadk9hc1RvVFhUUmI3UkFPMHcxCmI1T2Vjc3N0WDN2aWFQVmlU
-QkJFbUdEOExnRlp2MjJaeXhkZzNGVEhxc21JQVk0R1U4MGtZU1EKLS0tIHBlTlVo
-WFFUTjhkSnpRZXRwbWhHTm9HN21ZR0luNVNlRWZmNmE5MXpxUWsKXkQToeaUm3in
-AKmPG75dH3GTggyAX78nFqt8JXcDzmGdUXt3bJ4G83Fs2XaY/irEAh1E8YQVznD8
-4eCoK2abkca64ADUKzvYYjc0AfWMUqCGVIeXY1ZvQZ1g
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSB0QU8r
+VGtZaWU4cjBOaG8ya2ZoalFrb053MjQxS2ttajgwRDdVay8vVDM0CnpaenVhNVJh
+dEU0V3RuQmxLTEV0RzBWWGFlOXJJaEROblRoV2RpMHlTZDgKLT4gUVBTLWdyZWFz
+ZSBMN2piZn4rIGZ1ZWZaIGwKa1VQYVZWTjRHeWZwWHBQamEwdlFhb2NBOGswdDAr
+WjRHRWszcHZ6TEpNdFJVRnRMa3dBCi0tLSB3SW53ZnZadHcySDZ6Szh5aGJ4eTlp
+SklsTEN0dytUTTVDTTczbHFjRUtVCngKorWJWsl4T5Ko0IEh52VOUMPvvFXCFea1
+MsE2dWUwfYug3r6s/C+xVRbqTfyYj5+sZNRJGGaCxkL7E0f6tahCOOuBymJHAgiK
+lyxnNSFBTman1WZQSYwiBwxPBVLBD28iVzmoPqwPhX50gMXMFfQtSJOsjnQ5xp52
+eperXjPRidTlQlApidQ5jCKMuXQJ/O0nuUHO7Gxob8QMSWMFbIyXSL0=
 -----END AGE ENCRYPTED FILE-----
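Review bot: The new `port` option is declared but never reaches the daemon — `environment` only sets `LIVEKIT_URL`, so `services.lk-jwt-service.port = …` silently has no effect and the service keeps listening on its own built-in default; add `environment.LIVEKIT_JWT_PORT = toString cfg.port;` beside `environment.LIVEKIT_URL` (that is the variable upstream documents; confirm against the packaged version). `livekit.url` defaults to `127.0.0.1`, which contradicts its own description ("prefixed with `ws://`") and carries no port; either make it `default = "ws://127.0.0.1:7880";` (the port the caller in element-call.nix proxies to) or drop the default so a missing value fails at evaluation rather than at runtime. The `CapabilityBoundingSet` grants nothing the service uses: with `DynamicUser = true` and no `AmbientCapabilities` the process runs unprivileged anyway, port 8080 needs no `CAP_NET_BIND_SERVICE`, and `CAP_NET_RAW` has no use for an HTTP token issuer, so `CapabilityBoundingSet = "";` states the least-privilege intent honestly. The `keyFile` description ends in a dangling `For more information see .` (the link was lost) and "a file showing LiveKit keys" does not say how the file is consumed; suggest `Path to an environment file (read via EnvironmentFile) that must define some of LIVEKIT_KEY, LIVEKIT_SECRET, LIVEKIT_KEY_FROM_FILE, LIVEKIT_SECRET_FROM_FILE and/or LIVEKIT_KEY_FILE; see https://github.com/element-hq/lk-jwt-service.` using the URL already given in `documentation`. Upstream also appears to document a homeserver allow-list variable (`LIVEKIT_FULL_ACCESS_HOMESERVERS`); if this issuer is not meant to mint SFU tokens for arbitrary federated homeservers, exposing it as a module option would let callers restrict it — verify the variable name against the packaged version before adding it.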