From 5177f9a1f6e0cafe39f6205f3464b5b29c1c2b16 Mon Sep 17 00:00:00 2001 From: yukkop Date: Fri, 5 Dec 2025 18:17:41 +0000 Subject: [PATCH] feat(nixos): `bfs`: fix: element-rtc --- nixos/system/bfs/bfs.nix | 4 +- nixos/system/bfs/element-rtc.nix | 96 ++++++++++++++++++++++++++++++++ nixos/system/bfs/matrix.nix | 12 +++- nixos/system/bfs/voice-tune.nix | 23 ++++---- 4 files changed, 119 insertions(+), 16 deletions(-) create mode 100644 nixos/system/bfs/element-rtc.nix diff --git a/nixos/system/bfs/bfs.nix b/nixos/system/bfs/bfs.nix index 39a47b0..c7f660b 100644 --- a/nixos/system/bfs/bfs.nix +++ b/nixos/system/bfs/bfs.nix @@ -21,8 +21,9 @@ in { imports = [ self.nixosModules.hectic inputs.sops-nix.nixosModules.sops - #./voice-tune.nix + ./voice-tune.nix ./matrix.nix + ./element-rtc.nix ]; currentServer = { @@ -42,6 +43,7 @@ in { users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl'' + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKPbIJATVyAw7F7vBZbHkCODXFo5gvDyqhuU0gnNUNH'' ]; boot.loader.grub.device = "/dev/vda"; diff --git a/nixos/system/bfs/element-rtc.nix b/nixos/system/bfs/element-rtc.nix new file mode 100644 index 0000000..4f0618d --- /dev/null +++ b/nixos/system/bfs/element-rtc.nix 
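Review bot: The second `ssh-ed25519` key added to `users.users.root.openssh.authorizedKeys.keys` carries no indication of who holds it or why, so there is no way to tell later which key to revoke when a person or machine leaves; put a comment on the line above it, e.g. `# <holder/host> — added 2025-12 for element-rtc work`, with the real holder filled in. A key with direct root login is a high-value credential, so noting the expected rotation there as well is cheap. The same hunk un-comments `./voice-tune.nix`, which activates that module's TURN configuration, including a shared secret that deserves a look before this is deployed.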
@@ -0,0 +1,96 @@ +{ pkgs, lib, config, ... }: let + cfg = config.currentServer.matrix; +in { + config = let + keyFile = "/run/livekit.key"; + in { + services.livekit = { + enable = true; + openFirewall = true; + settings.room.auto_create = false; + inherit keyFile; + }; + + services.lk-jwt-service = { + enable = true; + livekitUrl = "wss://${cfg.matrixDomain}/livekit/sfu"; + inherit keyFile; + }; + + systemd.services.livekit-key = { + before = [ "lk-jwt-service.service" "livekit.service" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ livekit coreutils gawk ]; + script = '' + echo "Key missing, generating key" + echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}" + ''; + serviceConfig.Type = "oneshot"; + unitConfig.ConditionPathExists = "!${keyFile}"; + }; + + systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = + cfg.matrixDomain; + + services.nginx = { + enable = true; + virtualHosts.${cfg.matrixDomain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8008"; + }; + + locations."=/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + return = "200 '{\ + \"m.homeserver\": {\ + \"base_url\": \"https://${cfg.matrixDomain}\"\ + },\ + \"m.identity_server\": {\ + \"base_url\": \"https://vector.im\"\ + },\ + \"org.matrix.msc3575.proxy\": {\ + \"url\": \"https://${cfg.matrixDomain}\"\ + },\ + \"org.matrix.msc4143.rtc_foci\": [\ + {\ + \"type\": \"livekit\",\ + \"livekit_service_url\": \"https://${cfg.matrixDomain}/livekit/jwt\"\ + }\ + ]\ + }'"; + }; + + locations."^~ /livekit/jwt/" = { + priority = 400; + proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; + }; + + locations."^~ /livekit/sfu/" = { + priority = 400; + proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/"; + proxyWebsockets = true; + extraConfig = 
'' + proxy_send_timeout 120; + proxy_read_timeout 120; + proxy_buffering off; + proxy_set_header Accept-Encoding gzip; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; + }; + }; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ + 8448 + ]; + }; + }; +} diff --git a/nixos/system/bfs/matrix.nix b/nixos/system/bfs/matrix.nix index 31b9513..dc1056e 100644 --- a/nixos/system/bfs/matrix.nix +++ b/nixos/system/bfs/matrix.nix @@ -46,8 +46,9 @@ in { { names = [ "client" - # Ability speak between different matrix servers, requires .well-known - #"federation" + # Ability speak between different matrix servers and get + # global id, requires .well-known + "federation" ]; compress = false; } @@ -127,6 +128,13 @@ in { locations."/" = { proxyPass = "http://127.0.0.1:8008"; }; + locations."=/.well-known/matrix/server" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'"; + }; }; }; diff --git a/nixos/system/bfs/voice-tune.nix b/nixos/system/bfs/voice-tune.nix index 34eb739..766f530 100644 --- a/nixos/system/bfs/voice-tune.nix +++ b/nixos/system/bfs/voice-tune.nix @@ -1,14 +1,6 @@ { lib, config, ... }: let - cfg = config.currentServer.matrixDomain; + cfg = config.currentServer.matrix; in { - options = { - currentServer.matrixDomain = lib.mkOption { - type = lib.types.str; - description = '' - domain - ''; - }; - }; config = { services.coturn = { enable = true; 
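Review bot: In `systemd.services.livekit-key` the API secret is written with a plain shell redirection into `/run/livekit.key` and nothing in the unit narrows the umask, so under systemd's default umask the file presumably ends up 0644 and any local user can read the LiveKit key. Add `serviceConfig.UMask = "0077";` next to `Type = "oneshot"` and, if `livekit` or `lk-jwt-service` read the path directly rather than through a systemd credential, give the file a group both services share instead of relying on world-read. The consumers only get `before` ordering from this unit: without `systemd.services.livekit.requires = [ "livekit-key.service" ];` (and the same for `lk-jwt-service`), a failed key generation still lets both daemons start with no key file. `networking.firewall.allowedTCPPorts = [ 8448 ]` opens the federation port although nothing in this file listens on it — nginx serves 80/443 and `.well-known/matrix/server` delegates to `:443` — so it can be dropped. Note that `/run` is a tmpfs, so the `ConditionPathExists` guard regenerates the secret on every boot; that is fine for short-lived JWTs, but a persistent sops-managed key would be the stable option since sops-nix is already imported.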
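Review bot: The listener that now carries `federation` sits behind the nginx `/` proxy, and whether it sets `x_forwarded = true` lies outside the hunk — without it, Synapse's per-IP rate limiting and logging for inbound federation and client traffic see only `127.0.0.1`, so check the rest of that listener block. The new `=/.well-known/matrix/server` location copies `add_header Access-Control-Allow-Origin *;` from the client well-known; the server well-known is fetched server-to-server, so the CORS header is unnecessary there and the `extraConfig` can be just `default_type application/json;`. `m.server` delegates to `${cfg.matrixDomain}:443`, so the separate port 8448 does not need to be reachable for this delegation to work.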
@@ -19,13 +11,18 @@ in { no-cli = true; }; - networking.firewall.allowedUDPPorts = [ 3478 5349 ]; - networking.firewall.allowedTCPPorts = [ 3478 5349 ]; + networking.firewall = { + allowedUDPPorts = [ 3478 5349 ]; + allowedTCPPorts = [ 3478 5349 ]; + allowedUDPPortRanges = [ + { from = 49152; to = 65535; } + ]; + }; services.matrix-synapse.settings = { turn_uris = [ - "turn:your.domain:3478?transport=udp" - "turns:your.domain:5349?transport=tcp" + "turn:${cfg.matrixDomain}:3478?transport=udp" + "turns:${cfg.matrixDomain}:5349?transport=tcp" ]; turn_shared_secret = "secret"; };
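Review bot: `turn_shared_secret = "secret";` is an unchanged line, but this commit activates the module (bfs.nix now imports `./voice-tune.nix`), so Synapse will hand out TURN credentials derived from a committed, guessable literal; anyone who reads the repository — or simply guesses — can mint valid TURN credentials and use the relay at the server's expense. Move it to a secret file: sops-nix is already imported, so e.g. `turn_shared_secret_path = config.sops.secrets.turn-secret.path;` on the Synapse side and `static-auth-secret-file` on the coturn side (option names depend on the Synapse and coturn versions in use — verify). The opened UDP range 49152–65535 should match coturn's `min-port`/`max-port`, which are outside the hunk. Since the relay now reaches the host's network, also confirm coturn has `no-multicast-peers` and `denied-peer-ip` entries for loopback and RFC 1918 ranges so clients cannot use it to reach internal addresses.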