diff --git a/hosts/cyper-proxy/configuration.nix b/hosts/cyper-proxy/configuration.nix
index 3611dc8..d2c0f1c 100644
--- a/hosts/cyper-proxy/configuration.nix
+++ b/hosts/cyper-proxy/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../nixos/roles/nginx.nix
- ../../nixos/roles/jitsi.nix
+ ../../nixos/roles/livekit.nix
 ];
 
 networking = {
diff --git a/nixos/roles/livekit.nix b/nixos/roles/livekit.nix
new file mode 100644
index 0000000..4bd504b
--- /dev/null
+++ b/nixos/roles/livekit.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+
+let
+ keyFile = "/run/livekit/livekit.key";
+ domain = "cyperpunk.de";
+ synapseUrl = "http://100.109.179.25:8008"; # Tailscale IP of cyper-controller
+in
+{
+ services.livekit = {
+ enable = true;
+ openFirewall = true;
+ inherit keyFile;
+ settings.room.auto_create = false;
+ };
+
+ services.lk-jwt-service = {
+ enable = true;
+ livekitUrl = "wss://${domain}/livekit/sfu";
+ inherit keyFile;
+ };
+
+ systemd.services.livekit-key = {
+ before = [
+ "lk-jwt-service.service"
+ "livekit.service"
+ ];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ livekit
+ coreutils
+ gawk
+ ];
+ script = ''
+ mkdir -p /run/livekit
+ echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+ '';
+ serviceConfig.Type = "oneshot";
+ unitConfig.ConditionPathExists = "!${keyFile}";
+ };
+
+ systemd.services.lk-jwt-service.environment = {
+ LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
+ MATRIX_BASE_URL = synapseUrl; # tells lk-jwt-service where to validate tokens
+ };
+}
diff --git a/nixos/roles/matrix/clients.nix b/nixos/roles/matrix/clients.nix
index 9080901..e0ba613 100644
--- a/nixos/roles/matrix/clients.nix
+++ b/nixos/roles/matrix/clients.nix
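Review bot: The `livekit-key` script in livekit.nix writes the LiveKit API secret to `/run/livekit/livekit.key` with the unit's default umask, so the file that both livekit.service and lk-jwt-service.service trust is created world-readable unless something outside this hunk tightens it. The pipeline also runs without `pipefail`, so a failing `livekit-server generate-keys` still produces a `lk-jwt-service: ` line with an empty secret, and `ConditionPathExists = "!${keyFile}"` then blocks a retry until the next boot. Because /run is volatile the secret is regenerated on every boot anyway; this repository already delivers the Synapse macaroon secret through sops (synapse.nix in this diff), and the same mechanism would give a persistent, properly-owned key without a generator unit. If the script is kept, restrict the file and fail loudly on an empty secret as below, and confirm the two consuming units can still read it (chown it to the account they run as, or hand it over with LoadCredential).
```nix
    script = ''
      set -euo pipefail
      umask 077
      mkdir -p /run/livekit
      secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
      if [ -z "$secret" ]; then
        echo "livekit-key: generate-keys produced no secret" >&2
        exit 1
      fi
      echo "lk-jwt-service: $secret" > "${keyFile}"
      # TODO(review): chown the file to the account livekit.service / lk-jwt-service.service run as
    '';
    # … unchanged: serviceConfig / unitConfig …
```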
@@ -122,6 +122,13 @@ let
 server_name = "cyperpunk.de";
 };
 };
+ jitsi = {
+ preferred_domain = "jitsi.cyperpunk.de";
+ };
+ element_call = {
+ url = "https://cyperpunk.de/livekit/jwt";
+ use_exclusively = true;
+ };
 setting_defaults = {
 custom_themes = catppuccinThemes;
 feature_custom_themes = true;
diff --git a/nixos/roles/matrix/synapse.nix b/nixos/roles/matrix/synapse.nix
index af19e66..4ef23dd 100644
--- a/nixos/roles/matrix/synapse.nix
+++ b/nixos/roles/matrix/synapse.nix
@@ -32,6 +32,7 @@
 macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
 experimental_features = {
 "msc3266_enabled" = true;
+ "msc3779_enabled" = true;
 };
 listeners = [
 {
diff --git a/nixos/roles/nginx.nix b/nixos/roles/nginx.nix
index c4e3dd4..d61f342 100644
--- a/nixos/roles/nginx.nix
+++ b/nixos/roles/nginx.nix
@@ -34,7 +34,7 @@ let
 extraConfig = ''
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
- return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"}}';
+ return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt"}]}';
 '';
 };
 "/.well-known/matrix/server" = {
@@ -102,6 +102,15 @@ in
 proxyPass = "http://${upstream}:8008";
 proxyWebsockets = true;
 };
+ "^~ /livekit/jwt/" = {
+ priority = 400;
+ proxyPass = "http://127.0.0.1:8080";
+ };
+ "^~ /livekit/sfu" = {
+ priority = 400;
+ proxyPass = "http://127.0.0.1:7880";
+ proxyWebsockets = true;
+ };
 };
 };
 };
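Review bot: The new `jitsi.preferred_domain = "jitsi.cyperpunk.de";` in clients.nix points at a host whose role this same commit drops from cyper-proxy's imports (configuration.nix hunk), and with `element_call.use_exclusively = true;` right below it Element is told not to fall back to Jitsi for calls at all. If nothing else still serves jitsi.cyperpunk.de, the `jitsi` stanza is dead configuration and is best removed; otherwise a one-line comment such as `# Jitsi is hosted on <host>, kept for legacy widgets` would explain why it survives the LiveKit switch. The enclosing attribute set begins and ends outside the hunk.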
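Review bot: The `.well-known/matrix/client` body in nginx.nix is now a long hand-maintained JSON string inside a Nix string inside an nginx `return`, which is easy to break the next time a key is added (a stray quote or comma is only noticed when clients fail to discover the homeserver). Building it with `builtins.toJSON { "m.homeserver" = { base_url = "https://matrix.cyperpunk.de"; }; "org.matrix.msc4143.rtc_foci" = [ { type = "livekit"; livekit_service_url = "https://cyperpunk.de/livekit/jwt"; } ]; }` bound to a `let` name and interpolated as `return 200 '${wellKnownClient}';` keeps the document valid by construction; the generated output contains no single quotes, so the nginx quoting stays unchanged.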
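Review bot: Both new locations in nginx.nix proxy without a URI part (`proxyPass = "http://127.0.0.1:8080";` and `proxyPass = "http://127.0.0.1:7880";`), so the backends receive the full `/livekit/jwt/...` and `/livekit/sfu/...` paths; unless lk-jwt-service and livekit-server are configured to serve under those prefixes — nothing in livekit.nix in this diff does so — the `/sfu/get` lookup that the well-known `livekit_service_url` leads to, and the SFU websocket under `/livekit/sfu`, will be answered with 404 by the backend. A trailing slash makes nginx strip the matched prefix: `proxyPass = "http://127.0.0.1:8080/";` and `proxyPass = "http://127.0.0.1:7880/";`, and for the latter the key should then read `"^~ /livekit/sfu/"` so the matched and stripped prefixes agree. The two location keys are also inconsistent as written (one with a trailing slash, one without), which is worth aligning in the same change.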