idk

2026-02-09 11:26:58 -06:00
parent 525cc60739
commit 9ad06425c8
23 changed files with 1612 additions and 1466 deletions
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -59,6 +59,7 @@ let
        dataDir = "${cfg.configDir}/matrix-synapse";
        configureRedisLocally = true;
        enableRegistrationScript = true;
+        withJemalloc = true;
        extras = [
          "oidc"
          "redis"
@@ -118,6 +119,9 @@ let
              server_name = "matrix.org";
            }
          ];
+          turn_uris = ["turn:${config.services.coturn.realm}:3478?transport=udp" "turn:${config.services.coturn.realm}:3478?transport=tcp"];
+          turn_shared_secret = config.services.coturn.static-auth-secret;
+          turn_user_lifetime = "1h";
        };
      };

--- a/modules/nixos/services/matrix/livekit.nix
+++ b/modules/nixos/services/matrix/livekit.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.${namespace}.services.${name};
+
+  keyFile = "/run/livekit.key";
+
+  file = pkgs.writeText "file.txt" ''
+  {
+    "m.homeserver": {
+      "base_url": "https://matrix.mjallen.dev"
+    },
+    "m.identity_server": {
+      "base_url": "https://vector.im"
+    },
+    "org.matrix.msc3575.proxy": {
+      "url": "https://matrix.mjallen.dev"
+    },
+    "org.matrix.msc4143.rtc_foci": [
+      {
+        "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
+      }
+    ]
+  }
+  '';
+in
+{
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    settings.room.auto_create = false;
+    inherit keyFile;
+  };
+  services.lk-jwt-service = {
+    enable = true;
+    # can be on the same virtualHost as synapse
+    livekitUrl = "wss://mjallen.dev/livekit/sfu";
+    inherit keyFile;
+  };
+  config = lib.mkIf cfg.enable {
+    # generate the key when needed
+    systemd.services.livekit-key = {
+      before = [
+        "lk-jwt-service.service"
+        "livekit.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [
+        livekit
+        coreutils
+        gawk
+      ];
+      script = ''
+        echo "Key missing, generating key"
+        echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+      '';
+      serviceConfig.Type = "oneshot";
+      unitConfig.ConditionPathExists = "!${keyFile}";
+    };
+    # restrict access to livekit room creation to a homeserver
+    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
+    services.nginx.virtualHosts = {
+      "matrix.mjallen.dev".locations = {
+        "^~ /.well-known/matrix/client" = {
+          alias = file;
+          extraConfig = "default_type text/plain;";
+        };
+      "mjallen.dev".locations = {
+        "^~ /livekit/jwt/" = {
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+        };
+        
+        "^~ /livekit/sfu/" = {
+          extraConfig = ''
+            proxy_send_timeout 120;
+            proxy_read_timeout 120;
+            proxy_buffering off;
+
+            proxy_set_header Accept-Encoding gzip;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+          proxyWebsockets = true;
+        };
+      };
+    }
+  };
+}