fix!: matrix-cluster: +jitsy

2026-05-27 18:51:18 +00:00
parent 8625000952
commit a68f3a329a
6 changed files with 37 additions and 5 deletions
--- a/nixos/module/generic/matrix-cluster.nix
+++ b/nixos/module/generic/matrix-cluster.nix
@@ -231,6 +231,15 @@ in {
        description = "File containing PORKBUN_SECRET_API_KEY value.";
      };
    };
+
+    jitsi.preferredDomain = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        Optional self-hosted Jitsi Meet domain to advertise to Matrix/Element
+        clients alongside the cluster-managed homeserver.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
--- a/nixos/module/hectic/service/element.nix
+++ b/nixos/module/hectic/service/element.nix
@@ -16,6 +16,10 @@
    && (if clusterCfg.overrideEnableSynapse != null then clusterCfg.overrideEnableSynapse else clusterCfg.role == "primary");
  enabled = legacyCfg.enable || clusterSynapseEnabled;
  matrixDomain = if legacyCfg.enable then legacyCfg.matrixDomain else clusterCfg.matrixDomain;
+  jitsiPreferredDomain =
+    if legacyCfg.enable && config.hectic.services.jitsi.enable
+    then config.hectic.services.jitsi.hostName
+    else clusterCfg.jitsi.preferredDomain;
 in {
  config = lib.mkIf enabled {
    services.nginx.virtualHosts."element.${matrixDomain}" = {
@@ -36,6 +40,10 @@ in {
            matrixDomain
          ];

+          jitsi = lib.optionalAttrs (jitsiPreferredDomain != null) {
+            preferred_domain = jitsiPreferredDomain;
+          };
+
          default_theme = "dark";
          show_labs_settings = true;
        };
--- a/nixos/module/hectic/service/jitsi.nix
+++ b/nixos/module/hectic/service/jitsi.nix
@@ -82,8 +82,8 @@ in {
    security.acme = {
      acceptTerms = true;
      defaults = {
-        email          = "hectic.yukkop.it@gmail.com";
-        enableDebugLogs = true;
+        email           = lib.mkDefault "hectic.yukkop.it@gmail.com";
+        enableDebugLogs = lib.mkDefault true;
      };
    };

--- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
+++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
@@ -11,6 +11,7 @@
 }: let
  matrixBackend = "https://128.140.75.58";
  matrixHost = "accord.tube";
+  jitsiHost = "meet.bfs.band";
  elementEntryDomain = "element.bfs.band";
  polandEntryDomain = "bfs.band";
  backendProxyConfig = ''
@@ -53,6 +54,12 @@ in {
      porkbunApiKeyFile       = config.sops.secrets."matrix/porkbun-api-key".path;
      porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path;
    };
+    jitsi.preferredDomain = jitsiHost;
+  };
+
+  hectic.services.jitsi = {
+    enable = true;
+    hostName = jitsiHost;
  };

  security.acme = {
@@ -156,6 +163,10 @@ in {
            "m.identity_server".base_url = "https://vector.im";
          };

+          jitsi = {
+            preferred_domain = jitsiHost;
+          };
+
          room_directory.servers = [ matrixHost ];

          default_theme = "dark";
--- a/nixos/system/bfs.poland.xray/default.nix
+++ b/nixos/system/bfs.poland.xray/default.nix
@@ -13,6 +13,10 @@ in self.lib.nixpkgs-lib.nixosSystem {
  pkgs = import inputs.nixpkgs {
    inherit system;
    overlays = [ self.overlays.default ];
+    # jitsi-meet depends on libolm which is marked insecure (CVE-2024-4519x)
+    config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8792"
+    ];
  };
  modules = [
    { networking.hostName = hostName; }
--- a/sus/matrix-cluster.yaml
+++ b/sus/matrix-cluster.yaml
@@ -17,7 +17,7 @@ matrix:
        vismajor:
            password: ENC[AES256_GCM,data:AOAxZgY6mmw=,iv:RCEqeI/jL1n9oGREFR3zUTcQRQuupqMsoTVxBWaMvf0=,tag:tYv4X1iXkol3I2Qr0oaY5g==,type:str]
        snuff:
-            password: ENC[AES256_GCM,data:gM2BV4xD2lZ860c7VSYRlcgFIwyD,iv:pMb0dzCfYcsrx4ReeI4/4jsCoUj+BKucP9eOFag+vWI=,tag:dPVvXIWOqPi0yAxjmaPE8g==,type:str]
+            password: ENC[AES256_GCM,data:vP7fc0DlhM559c38KIHQswd4WV2RGCtQk/I=,iv:FAsdJz85AklfAKL8K6SrBsZ1wMIFebj0mS7noB7HkfA=,tag:9z5edXIeCDz7mGTZG9Vx5A==,type:str]
        MrAlex0O:
            password: ENC[AES256_GCM,data:aq6wYy1OxXPmHVdE926Q79pARzwaKX1ieE0=,iv:vNV0Gm2DlgLuZpEDm1q4+iltNJOtRechdaXUNfDrfpc=,tag:bECr7NWnOEv7DgZ7OIQMcg==,type:str]
        Антоша:
@@ -87,7 +87,7 @@ sops:
            cGtrUDRlUUliSVVjU1o4VUVMOE0ySFEKnjBAqifgYnaJ6LPWzDcopqQxUJ0d9vhe
            F2fIVq8LmO0Nuu7JMhJAvTJgkEyVUAQVTTAtrnhUf2RmILOb72BTKQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-27T12:45:32Z"
-    mac: ENC[AES256_GCM,data:a0Tr6uAP8tPma7ErK57L4pJUMp29e4+Q+HzsZjGVhIonpmlhAkBDUZz4Mny7kAb9HHW8TKUzsTkvp/PV/hi3EG7OAYQk00D976bDvbMo6bwm/IXFjS9G0ecrN8x+tR8huaApiQyZCseU2I8JtzyFVBIrOsDUFzwUIPbNtmE50h8=,iv:fSB0ATCYdR/Ldsh353OquCFE3IGW64g9qNW5EOXd/1w=,tag:W+6gVxon6xL/LtgYKF/Cxw==,type:str]
+    lastmodified: "2026-05-27T18:49:35Z"
+    mac: ENC[AES256_GCM,data:HHjUJxE+iSwoM7YjwV4djlvFwtt9/xw/2kQ8otoCsoGieuUh+NFL5FUJsz3vYOhxsWcN3sC5y6PxEjH6/DuJvt15CLR3bjZ5ZBj8db3gBHApTBm87D31zPbpZFtyT5EBUcA+MwiFhMfE5TLRvx8g2eO2mOG2o7Ve63tVNoPvVYQ=,iv:VblCJjE4oDrekbDis8YITqnVD7DpjcowlvusxwXvf9E=,tag:dfXoMODelKDQN7uiPv1a9g==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2