fix!: matrix-cluster: +jitsy

2026-05-27 18:51:18 +00:00
parent 8625000952
commit a68f3a329a
6 changed files with 37 additions and 5 deletions
--- a/nixos/module/generic/matrix-cluster.nix
+++ b/nixos/module/generic/matrix-cluster.nix
@@ -231,6 +231,15 @@ in {
        description = "File containing PORKBUN_SECRET_API_KEY value.";
      };
    };
+
+    jitsi.preferredDomain = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        Optional self-hosted Jitsi Meet domain to advertise to Matrix/Element
+        clients alongside the cluster-managed homeserver.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
--- a/nixos/module/hectic/service/element.nix
+++ b/nixos/module/hectic/service/element.nix
@@ -16,6 +16,10 @@
    && (if clusterCfg.overrideEnableSynapse != null then clusterCfg.overrideEnableSynapse else clusterCfg.role == "primary");
  enabled = legacyCfg.enable || clusterSynapseEnabled;
  matrixDomain = if legacyCfg.enable then legacyCfg.matrixDomain else clusterCfg.matrixDomain;
+  jitsiPreferredDomain =
+    if legacyCfg.enable && config.hectic.services.jitsi.enable
+    then config.hectic.services.jitsi.hostName
+    else clusterCfg.jitsi.preferredDomain;
 in {
  config = lib.mkIf enabled {
    services.nginx.virtualHosts."element.${matrixDomain}" = {
@@ -36,6 +40,10 @@ in {
            matrixDomain
          ];

+          jitsi = lib.optionalAttrs (jitsiPreferredDomain != null) {
+            preferred_domain = jitsiPreferredDomain;
+          };
+
          default_theme = "dark";
          show_labs_settings = true;
        };
--- a/nixos/module/hectic/service/jitsi.nix
+++ b/nixos/module/hectic/service/jitsi.nix
@@ -82,8 +82,8 @@ in {
    security.acme = {
      acceptTerms = true;
      defaults = {
-        email          = "hectic.yukkop.it@gmail.com";
-        enableDebugLogs = true;
+        email           = lib.mkDefault "hectic.yukkop.it@gmail.com";
+        enableDebugLogs = lib.mkDefault true;
      };
    };

--- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
+++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
@@ -11,6 +11,7 @@
 }: let
  matrixBackend = "https://128.140.75.58";
  matrixHost = "accord.tube";
+  jitsiHost = "meet.bfs.band";
  elementEntryDomain = "element.bfs.band";
  polandEntryDomain = "bfs.band";
  backendProxyConfig = ''
@@ -53,6 +54,12 @@ in {
      porkbunApiKeyFile       = config.sops.secrets."matrix/porkbun-api-key".path;
      porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path;
    };
+    jitsi.preferredDomain = jitsiHost;
+  };
+
+  hectic.services.jitsi = {
+    enable = true;
+    hostName = jitsiHost;
  };

  security.acme = {
@@ -156,6 +163,10 @@ in {
            "m.identity_server".base_url = "https://vector.im";
          };

+          jitsi = {
+            preferred_domain = jitsiHost;
+          };
+
          room_directory.servers = [ matrixHost ];

          default_theme = "dark";
--- a/nixos/system/bfs.poland.xray/default.nix
+++ b/nixos/system/bfs.poland.xray/default.nix
@@ -13,6 +13,10 @@ in self.lib.nixpkgs-lib.nixosSystem {
  pkgs = import inputs.nixpkgs {
    inherit system;
    overlays = [ self.overlays.default ];
+    # jitsi-meet depends on libolm which is marked insecure (CVE-2024-4519x)
+    config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8792"
+    ];
  };
  modules = [
    { networking.hostName = hostName; }