nix-config/modules/nixos/services/matrix/livekit.nix

{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
let
  cfg = config.${namespace}.services.matrix;

  keyFile = "/run/livekit.key";

  file = pkgs.writeText ".well-known.json" ''
    {
      "m.homeserver": {
        "base_url": "https://matrix.mjallen.dev"
      },
      "m.identity_server": {
        "base_url": "https://vector.im"
      },
      "org.matrix.msc3575.proxy": {
        "url": "https://matrix.mjallen.dev"
      },
      "org.matrix.msc4143.rtc_foci": [
        {
          "type": "livekit",    "livekit_service_url": "https://mjallen.dev/livekit/jwt"
        }
      ]
    }
  '';
in
{
  config = lib.mkIf cfg.enable {
    services = {
      livekit = {
        enable = true;
        openFirewall = true;
        settings.room.auto_create = false;
        inherit keyFile;
      };
      lk-jwt-service = {
        enable = true;
        port = 8585;
        # can be on the same virtualHost as synapse
        livekitUrl = "wss://mjallen.dev/livekit/sfu";
        inherit keyFile;
      };
      nginx = {
        enable = true;
        defaultHTTPListenPort = 8188;
        virtualHosts = {
          "matrix.mjallen.dev".locations = {
            "= /.well-known/matrix/client" = {
              alias = file;
              extraConfig = ''
                default_type application/json;
                add_header Access-Control-Allow-Origin "*";
              '';
            };
          };
          "mjallen.dev".locations = {
            "= /.well-known/matrix/client" = {
              alias = file;
              extraConfig = ''
                default_type application/json;
                add_header Access-Control-Allow-Origin "*";
              '';
            };

            "^~ /livekit/jwt/" = {
              priority = 400;
              proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
            };

            "^~ /livekit/sfu/" = {
              extraConfig = ''
                proxy_send_timeout 120;
                proxy_read_timeout 120;
                proxy_buffering off;

                proxy_set_header Accept-Encoding gzip;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
              '';
              priority = 400;
              proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
    # generate the key when needed
    systemd = {
      services = {
        livekit-key = {
          before = [
            "lk-jwt-service.service"
            "livekit.service"
          ];
          wantedBy = [ "multi-user.target" ];
          path = with pkgs; [
            livekit
            coreutils
            gawk
          ];
          script = ''
            echo "Key missing, generating key"
            echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
          '';
          serviceConfig.Type = "oneshot";
          unitConfig.ConditionPathExists = "!${keyFile}";
        };
        # restrict access to livekit room creation to a homeserver
        lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "mjallen.dev";
      };
    };
  };
}