Matrix Stack working!

2026-05-06 23:45:13 +02:00
parent 870ead1994
commit a32a2800f7
8 changed files with 210 additions and 62 deletions
+9 -54
@@ -1,64 +1,19 @@
{ config, lib, ... }:
{ config, ... }:
{
# Shared key file — same secret used by lk-jwt-service (see lk-jwt.nix)
sops.secrets.livekit_key = { };
sops.secrets.livekit_key_file = { };
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.secrets.livekit_key.path;
settings = {
rtc = {
tcp_port = 7881;
port_range_start = 50000;
port_range_end = 60000;
use_external_ip = true;
node_ip = "178.254.8.35";
};
room = {
# Must be false — rooms are created by the JWT service on demand
auto_create = false;
enabled_codecs = [
{ mime = "video/VP8"; }
{ mime = "video/VP9"; }
{ mime = "video/H264"; }
{ mime = "audio/opus"; }
];
enable_remote_unmute = true;
};
};
settings.room.auto_create = false;
keyFile = config.sops.secrets.livekit_key_file.path;
};
networking.firewall = {
allowedTCPPorts = [ 7881 ];
# WebRTC media relay — must be open or calls connect then immediately drop
allowedUDPPortRanges = [
{
from = 50000;
to = 60000;
}
];
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
keyFile = config.sops.secrets.livekit_key_file.path;
};
systemd.services.livekit.serviceConfig = {
PrivateUsers = lib.mkForce false;
DynamicUser = lib.mkForce false;
User = "livekit";
Group = "livekit";
RestrictAddressFamilies = lib.mkForce [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
SystemCallFilter = lib.mkForce [ "@system-service" ];
};
users = {
users.livekit = {
isSystemUser = true;
group = "livekit";
};
groups.livekit = { };
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de";
}
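Review bot: The new side keeps `settings.room.auto_create = false;` but drops the comment that explained it, and that setting is a security control: together with `LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de"` it appears to be what limits room creation to users of this homeserver via lk-jwt-service. I would restore it above that line as `# Must stay false: rooms are created by lk-jwt-service on demand, only for LIVEKIT_FULL_ACCESS_HOMESERVERS`. Likewise, both `keyFile` lines now point at `livekit_key_file`, so a comment such as `# One API key/secret shared by livekit and lk-jwt-service; keep the file readable by those services only` would record why its permissions matter. With the explicit `networking.firewall` and `rtc` blocks removed, network exposure now depends entirely on what `openFirewall = true` opens in the module, which is not visible in this diff and is worth confirming against the intended port set.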