sab

2026-02-09 16:35:51 -06:00
parent 9ad06425c8
commit 1731647367
8 changed files with 151 additions and 80 deletions
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -68,7 +68,7 @@ let
        settings = {
          server_name = "mjallen.dev";
          public_baseurl = "https://matrix.mjallen.dev";
-          serve_server_wellknown = true;
+          serve_server_wellknown = false;

          listeners = [
            {
@@ -106,7 +106,7 @@ let

          # Registration settings
          enable_registration = false; # Set to true initially to create admin user
-          enable_registration_without_verification = false;
+          enable_registration_without_verification = lib.mkForce false;

          # Media settings
          max_upload_size = "50M";
@@ -119,7 +119,10 @@ let
              server_name = "matrix.org";
            }
          ];
-          turn_uris = ["turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp"];
+          turn_uris = [
+            "turn:${config.services.coturn.realm}:3478?transport=udp"
+            "turn:${config.services.coturn.realm}:3478?transport=tcp"
+          ];
          turn_shared_secret = config.services.coturn.static-auth-secret;
          turn_user_lifetime = "1h";
        };
@@ -144,5 +147,8 @@ let
  };
 in
 {
-  imports = [ matrixConfig ];
+  imports = [
+    matrixConfig
+    ./livekit.nix
+  ];
 }
--- a/modules/nixos/services/matrix/livekit.nix
+++ b/modules/nixos/services/matrix/livekit.nix
@@ -1,42 +1,49 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
 let
-  cfg = config.${namespace}.services.${name};
+  cfg = config.${namespace}.services.matrix;

  keyFile = "/run/livekit.key";

-  file = pkgs.writeText "file.txt" ''
-  {
-    "m.homeserver": {
-      "base_url": "https://matrix.mjallen.dev"
-    },
-    "m.identity_server": {
-      "base_url": "https://vector.im"
-    },
-    "org.matrix.msc3575.proxy": {
-      "url": "https://matrix.mjallen.dev"
-    },
-    "org.matrix.msc4143.rtc_foci": [
-      {
-        "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
-      }
-    ]
-  }
+  file = pkgs.writeText ".well-known.json" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://matrix.mjallen.dev"
+      },
+      "m.identity_server": {
+        "base_url": "https://vector.im"
+      },
+      "org.matrix.msc3575.proxy": {
+        "url": "https://matrix.mjallen.dev"
+      },
+      "org.matrix.msc4143.rtc_foci": [
+        {
+          "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
+        }
+      ]
+    }
  '';
 in
 {
-  services.livekit = {
-    enable = true;
-    openFirewall = true;
-    settings.room.auto_create = false;
-    inherit keyFile;
-  };
-  services.lk-jwt-service = {
-    enable = true;
-    # can be on the same virtualHost as synapse
-    livekitUrl = "wss://mjallen.dev/livekit/sfu";
-    inherit keyFile;
-  };
  config = lib.mkIf cfg.enable {
+    services.livekit = {
+      enable = true;
+      openFirewall = true;
+      settings.room.auto_create = false;
+      inherit keyFile;
+    };
+    services.lk-jwt-service = {
+      enable = true;
+      port = 8585;
+      # can be on the same virtualHost as synapse
+      livekitUrl = "wss://mjallen.dev/livekit/sfu";
+      inherit keyFile;
+    };
    # generate the key when needed
    systemd.services.livekit-key = {
      before = [
@@ -58,33 +65,49 @@ in
    };
    # restrict access to livekit room creation to a homeserver
    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
-    services.nginx.virtualHosts = {
-      "matrix.mjallen.dev".locations = {
-        "^~ /.well-known/matrix/client" = {
-          alias = file;
-          extraConfig = "default_type text/plain;";
+    services.nginx = {
+      enable = true;
+      defaultHTTPListenPort = 8188;
+      virtualHosts = {
+        "matrix.mjallen.dev".locations = {
+          "= /.well-known/matrix/client" = {
+            alias = file;
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin "*";
+            '';
+          };
        };
-      "mjallen.dev".locations = {
-        "^~ /livekit/jwt/" = {
-          priority = 400;
-          proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
-        };
-        
-        "^~ /livekit/sfu/" = {
-          extraConfig = ''
-            proxy_send_timeout 120;
-            proxy_read_timeout 120;
-            proxy_buffering off;
+        "mjallen.dev".locations = {
+          "= /.well-known/matrix/client" = {
+            alias = file;
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin "*";
+            '';
+          };

-            proxy_set_header Accept-Encoding gzip;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-          '';
-          priority = 400;
-          proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
-          proxyWebsockets = true;
+          "^~ /livekit/jwt/" = {
+            priority = 400;
+            proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+          };
+
+          "^~ /livekit/sfu/" = {
+            extraConfig = ''
+              proxy_send_timeout 120;
+              proxy_read_timeout 120;
+              proxy_buffering off;
+
+              proxy_set_header Accept-Encoding gzip;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
+            priority = 400;
+            proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+            proxyWebsockets = true;
+          };
        };
      };
-    }
+    };
  };
 }