WIP: Livekit

2026-05-03 23:19:38 +02:00
parent 61e8a1e037
commit c91ed778d4
2 changed files with 63 additions and 3 deletions
@@ -9,7 +9,7 @@
    settings = {
      rtc = {
        tcp_port = 7881;
-        udp_port = 7882;
+        #udp_port = 7882;
        port_range_start = 50000;
        port_range_end = 60000;
        use_external_ip = true;
@@ -31,11 +31,24 @@

  systemd.services.livekit.serviceConfig = {
    PrivateUsers = lib.mkForce false;
+    DynamicUser = lib.mkForce false;
+    User = "livekit";
+    Group = "livekit";
    RestrictAddressFamilies = lib.mkForce [
      "AF_INET"
      "AF_INET6"
      "AF_NETLINK"
      "AF_UNIX"
    ];
+    SystemCallFilter = lib.mkForce [ "@system-service" ];
  };
+
+  users = {
+    users.livekit = {
+      isSystemUser = true;
+      group = "livekit";
+    };
+    groups.livekit = { };
+  };
+
 }
@@ -100,8 +100,46 @@ in

      "calvin.cyperpunk.de" = mkWsProxy 15006;
      "cinny.cyperpunk.de" = mkWsProxy 8009;
-      "element.cyperpunk.de" = mkWsProxy 8010;
-      "element-call.cyperpunk.de" = mkWsProxy 8013;
+
+      "element-call.cyperpunk.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://${upstream}:8013";
+          proxyWebsockets = true;
+          extraConfig = ''
+            add_header Cross-Origin-Opener-Policy "same-origin";
+            add_header Cross-Origin-Embedder-Policy "require-corp";
+            add_header Cross-Origin-Resource-Policy "cross-origin";
+          '';
+        };
+      };
+
+      "element.cyperpunk.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            proxyPass = "http://${upstream}:8010";
+            proxyWebsockets = true;
+          };
+          "/widgets/element-call/config.json" = {
+            extraConfig = ''
+              	default_type application/json;
+              	add_header Access-Control-Allow-Origin *;
+              	return 200 '{
+              	"livekit_service_url": "https://cyperpunk.de/livekit/jwt/",
+              	"default_server_config": {
+              			"m.homeserver": {
+              					"base_url": "https://matrix.cyperpunk.de",
+              					"server_name":"cyperpunk.de"
+              					}
+              			}
+              	}';
+            '';
+          };
+        };
+      };

      "cyperpunk.de" = {
        forceSSL = true;
@@ -132,6 +170,15 @@ in

            '';
          };
+          "/_matrix/client/unstable/org.matrix.msc4143/rtc/transports" = {
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin *;
+              add_header Access-Control-Allow-Headers "Authorization, Content-Type";
+              add_header Access-Control-Allow-Methods "GET, OPTIONS";
+              return 200 '{"rtc_transports":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt/"}]}';
+            '';
+          };
        };
      };
    };