feat(nixos): bfs: fix: element-rtc

2025-12-05 18:17:41 +00:00
parent 49bf4c6d91
commit 5177f9a1f6
4 changed files with 119 additions and 16 deletions
--- a/nixos/system/bfs/bfs.nix
+++ b/nixos/system/bfs/bfs.nix
@@ -21,8 +21,9 @@ in {
  imports = [
    self.nixosModules.hectic
    inputs.sops-nix.nixosModules.sops
-    #./voice-tune.nix
+    ./voice-tune.nix
    ./matrix.nix
+    ./element-rtc.nix
  ];

  currentServer = {
@@ -42,6 +43,7 @@ in {

  users.users.root.openssh.authorizedKeys.keys = [
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
+    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKPbIJATVyAw7F7vBZbHkCODXFo5gvDyqhuU0gnNUNH''
  ];

  boot.loader.grub.device =  "/dev/vda";
--- a/nixos/system/bfs/element-rtc.nix
+++ b/nixos/system/bfs/element-rtc.nix
@@ -0,0 +1,96 @@
+{ pkgs, lib, config, ... }: let
+  cfg = config.currentServer.matrix;
+in {
+  config  = let 
+    keyFile = "/run/livekit.key";
+  in {
+    services.livekit = {
+      enable = true;
+      openFirewall = true;
+      settings.room.auto_create = false;
+      inherit keyFile;
+    };
+
+    services.lk-jwt-service = {
+      enable = true;
+      livekitUrl = "wss://${cfg.matrixDomain}/livekit/sfu";
+      inherit keyFile;
+    };
+
+    systemd.services.livekit-key = {
+      before = [ "lk-jwt-service.service" "livekit.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ livekit coreutils gawk ];
+      script = ''
+        echo "Key missing, generating key"
+        echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+      '';
+      serviceConfig.Type = "oneshot";
+      unitConfig.ConditionPathExists = "!${keyFile}";
+    };
+
+    systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS =
+      cfg.matrixDomain;
+
+    services.nginx = {
+      enable = true;
+      virtualHosts.${cfg.matrixDomain} = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8008";
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin *;
+          '';
+          return = "200 '{\
+            \"m.homeserver\": {\
+              \"base_url\": \"https://${cfg.matrixDomain}\"\
+            },\
+            \"m.identity_server\": {\
+              \"base_url\": \"https://vector.im\"\
+            },\
+            \"org.matrix.msc3575.proxy\": {\
+              \"url\": \"https://${cfg.matrixDomain}\"\
+            },\
+            \"org.matrix.msc4143.rtc_foci\": [\
+              {\
+                \"type\": \"livekit\",\
+                \"livekit_service_url\": \"https://${cfg.matrixDomain}/livekit/jwt\"\
+              }\
+            ]\
+          }'";
+        };
+
+        locations."^~ /livekit/jwt/" = {
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+        };
+
+        locations."^~ /livekit/sfu/" = {
+          priority = 400;
+          proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_send_timeout 120;
+            proxy_read_timeout 120;
+            proxy_buffering off;
+            proxy_set_header Accept-Encoding gzip;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+        };
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        8448
+      ];
+    };
+  };
+}
--- a/nixos/system/bfs/matrix.nix
+++ b/nixos/system/bfs/matrix.nix
@@ -46,8 +46,9 @@ in {
              { 
                names = [ 
                  "client" 
-                  # Ability speak between different matrix servers, requires .well-known
-                  #"federation"
+                  # Ability speak between different matrix servers and get
+                  # global id, requires .well-known
+                  "federation"
                ];
                compress = false; 
              }
@@ -127,6 +128,13 @@ in {
        locations."/" = {
          proxyPass = "http://127.0.0.1:8008";
        };
+        locations."=/.well-known/matrix/server" = {
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin *;
+          '';
+          return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'";
+        };
      };
    };

--- a/nixos/system/bfs/voice-tune.nix
+++ b/nixos/system/bfs/voice-tune.nix
@@ -1,14 +1,6 @@
 { lib, config, ... }: let
-  cfg = config.currentServer.matrixDomain;
+  cfg = config.currentServer.matrix;
 in {
-  options = {
-    currentServer.matrixDomain = lib.mkOption {
-      type = lib.types.str;
-      description = ''
-        domain
-      '';
-    };
-  };
  config = {
    services.coturn = {
      enable = true;
@@ -19,13 +11,18 @@ in {
      no-cli = true;
    };

-    networking.firewall.allowedUDPPorts = [ 3478 5349 ];
-    networking.firewall.allowedTCPPorts = [ 3478 5349 ];
+    networking.firewall = {
+      allowedUDPPorts = [ 3478 5349 ];
+      allowedTCPPorts = [ 3478 5349 ];
+      allowedUDPPortRanges = [
+        { from = 49152; to = 65535; }
+      ];
+    };

    services.matrix-synapse.settings = {
      turn_uris = [
-        "turn:your.domain:3478?transport=udp"
-        "turns:your.domain:5349?transport=tcp"
+        "turn:${cfg.matrixDomain}:3478?transport=udp"
+        "turns:${cfg.matrixDomain}:5349?transport=tcp"
      ];
      turn_shared_secret = "secret";
    };