+2

nixos/modules/module-list.nix

reviewed

··· 752 752 ./services/matrix/dendrite.nix 753 753 ./services/matrix/hebbot.nix 754 754 ./services/matrix/hookshot.nix 755 755 + ./services/matrix/lk-jwt-service.nix 755 756 ./services/matrix/matrix-alertmanager.nix 756 757 ./services/matrix/maubot.nix 757 758 ./services/matrix/mautrix-meta.nix ··· 1181 1182 ./services/networking/lambdabot.nix 1182 1183 ./services/networking/legit.nix 1183 1184 ./services/networking/libreswan.nix 1185 1185 + ./services/networking/livekit.nix 1184 1186 ./services/networking/lldpd.nix 1185 1187 ./services/networking/logmein-hamachi.nix 1186 1188 ./services/networking/lokinet.nix

+93

nixos/modules/services/matrix/lk-jwt-service.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + cfg = config.services.lk-jwt-service; 9 9 + in 10 10 + { 11 11 + meta.maintainers = [ lib.maintainers.quadradical ]; 12 12 + options.services.lk-jwt-service = { 13 13 + enable = lib.mkEnableOption "Enable lk-jwt-service"; 14 14 + package = lib.mkPackageOption pkgs "lk-jwt-service" { }; 15 15 + 16 16 + livekitUrl = lib.mkOption { 17 17 + type = lib.types.strMatching "^wss?://.*"; 18 18 + example = "wss://example.com/livekit/sfu"; 19 19 + description = '' 20 20 + The public websocket URL for livekit. 21 21 + The proto needs to be either `wss://` (recommended) or `ws://` (insecure). 22 22 + ''; 23 23 + }; 24 24 + 25 25 + keyFile = lib.mkOption { 26 26 + type = lib.types.path; 27 27 + description = '' 28 28 + Path to a file containing the credential mapping (`<keyname>: <secret>`) to access LiveKit. 29 29 + 30 30 + Example: 31 31 + ``` 32 32 + lk-jwt-service: f6lQGaHtM5HfgZjIcec3cOCRfiDqIine4CpZZnqdT5cE 33 33 + ``` 34 34 + 35 35 + For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>. 36 36 + ''; 37 37 + }; 38 38 + 39 39 + port = lib.mkOption { 40 40 + type = lib.types.port; 41 41 + default = 8080; 42 42 + description = "Port that lk-jwt-service should listen on."; 43 43 + }; 44 44 + }; 45 45 + 46 46 + config = lib.mkIf cfg.enable { 47 47 + systemd.services.lk-jwt-service = { 48 48 + description = "Minimal service to issue LiveKit JWTs for MatrixRTC"; 49 49 + documentation = [ "https://github.com/element-hq/lk-jwt-service" ]; 50 50 + wantedBy = [ "multi-user.target" ]; 51 51 + wants = [ "network-online.target" ]; 52 52 + after = [ "network-online.target" ]; 53 53 + environment = { 54 54 + LIVEKIT_URL = cfg.livekitUrl; 55 55 + LIVEKIT_JWT_PORT = toString cfg.port; 56 56 + LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets"; 57 57 + }; 58 58 + 59 59 + serviceConfig = { 60 60 + LoadCredential = [ "livekit-secrets:${cfg.keyFile}" ]; 61 61 + ExecStart = lib.getExe cfg.package; 62 62 + DynamicUser = true; 63 63 + LockPersonality = true; 64 64 + MemoryDenyWriteExecute = true; 65 65 + ProtectClock = true; 66 66 + ProtectControlGroups = true; 67 67 + ProtectHostname = true; 68 68 + ProtectKernelLogs = true; 69 69 + ProtectKernelModules = true; 70 70 + ProtectKernelTunables = true; 71 71 + PrivateDevices = true; 72 72 + PrivateMounts = true; 73 73 + PrivateUsers = true; 74 74 + RestrictAddressFamilies = [ 75 75 + "AF_INET" 76 76 + "AF_INET6" 77 77 + ]; 78 78 + RestrictNamespaces = true; 79 79 + RestrictRealtime = true; 80 80 + ProtectHome = true; 81 81 + SystemCallArchitectures = "native"; 82 82 + SystemCallFilter = [ 83 83 + "@system-service" 84 84 + "~@privileged" 85 85 + "~@resources" 86 86 + ]; 87 87 + Restart = "on-failure"; 88 88 + RestartSec = 5; 89 89 + UMask = "077"; 90 90 + }; 91 91 + }; 92 92 + }; 93 93 + }

+141

nixos/modules/services/networking/livekit.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + utils, 6 6 + ... 7 7 + }: 8 8 + let 9 9 + cfg = config.services.livekit; 10 10 + format = pkgs.formats.json { }; 11 11 + in 12 12 + { 13 13 + meta.maintainers = with lib.maintainers; [ quadradical ]; 14 14 + options.services.livekit = { 15 15 + enable = lib.mkEnableOption "Enable the livekit server"; 16 16 + package = lib.mkPackageOption pkgs "livekit" { }; 17 17 + 18 18 + keyFile = lib.mkOption { 19 19 + type = lib.types.path; 20 20 + description = '' 21 21 + LiveKit key file holding one or multiple application secrets. Use `livekit-server generate-keys` to generate a random key name and secret. 22 22 + 23 23 + The file should have the format `<keyname>: <secret>`. Example: 24 24 + ``` 25 25 + lk-jwt-service: f6lQGaHtM5HfgZjIcec3cOCRfiDqIine4CpZZnqdT5cE 26 26 + ``` 27 27 + 28 28 + Individual key/secret pairs need to be passed to clients to connect to this instance. 29 29 + ''; 30 30 + }; 31 31 + 32 32 + openFirewall = lib.mkOption { 33 33 + type = lib.types.bool; 34 34 + default = false; 35 35 + description = "Opens port range for LiveKit on the firewall."; 36 36 + }; 37 37 + 38 38 + settings = lib.mkOption { 39 39 + type = lib.types.submodule { 40 40 + freeformType = format.type; 41 41 + options = { 42 42 + port = lib.mkOption { 43 43 + type = lib.types.port; 44 44 + default = 7880; 45 45 + description = "Main TCP port for RoomService and RTC endpoint."; 46 46 + }; 47 47 + 48 48 + rtc = { 49 49 + port_range_start = lib.mkOption { 50 50 + type = lib.types.int; 51 51 + default = 50000; 52 52 + description = "Start of UDP port range for WebRTC"; 53 53 + }; 54 54 + 55 55 + port_range_end = lib.mkOption { 56 56 + type = lib.types.int; 57 57 + default = 51000; 58 58 + description = "End of UDP port range for WebRTC"; 59 59 + }; 60 60 + 61 61 + use_external_ip = lib.mkOption { 62 62 + type = lib.types.bool; 63 63 + default = false; 64 64 + description = '' 65 65 + When set to true, attempts to discover the host's public IP via STUN. 66 66 + This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one. 67 67 + ''; 68 68 + }; 69 69 + }; 70 70 + }; 71 71 + }; 72 72 + default = { }; 73 73 + description = '' 74 74 + LiveKit configuration file expressed in nix. 75 75 + 76 76 + For an example configuration, see <https://docs.livekit.io/home/self-hosting/deployment/#configuration>. 77 77 + For all possible values, see <https://github.com/livekit/livekit/blob/master/config-sample.yaml>. 78 78 + ''; 79 79 + }; 80 80 + }; 81 81 + 82 82 + config = lib.mkIf cfg.enable { 83 83 + networking.firewall = lib.mkIf cfg.openFirewall { 84 84 + allowedTCPPorts = [ 85 85 + cfg.settings.port 86 86 + ]; 87 87 + allowedUDPPortRanges = [ 88 88 + { 89 89 + from = cfg.settings.rtc.port_range_start; 90 90 + to = cfg.settings.rtc.port_range_end; 91 91 + } 92 92 + ]; 93 93 + }; 94 94 + 95 95 + systemd.services.livekit = { 96 96 + description = "LiveKit SFU server"; 97 97 + documentation = [ "https://docs.livekit.io" ]; 98 98 + wantedBy = [ "multi-user.target" ]; 99 99 + wants = [ "network-online.target" ]; 100 100 + after = [ "network-online.target" ]; 101 101 + 102 102 + serviceConfig = { 103 103 + LoadCredential = [ "livekit-secrets:${cfg.keyFile}" ]; 104 104 + ExecStart = utils.escapeSystemdExecArgs [ 105 105 + (lib.getExe cfg.package) 106 106 + "--config=${format.generate "livekit.json" cfg.settings}" 107 107 + "--key-file=/run/credentials/livekit.service/livekit-secrets" 108 108 + ]; 109 109 + DynamicUser = true; 110 110 + LockPersonality = true; 111 111 + MemoryDenyWriteExecute = true; 112 112 + ProtectClock = true; 113 113 + ProtectControlGroups = true; 114 114 + ProtectHostname = true; 115 115 + ProtectKernelLogs = true; 116 116 + ProtectKernelModules = true; 117 117 + ProtectKernelTunables = true; 118 118 + PrivateDevices = true; 119 119 + PrivateMounts = true; 120 120 + PrivateUsers = true; 121 121 + RestrictAddressFamilies = [ 122 122 + "AF_INET" 123 123 + "AF_INET6" 124 124 + "AF_NETLINK" 125 125 + ]; 126 126 + RestrictNamespaces = true; 127 127 + RestrictRealtime = true; 128 128 + ProtectHome = true; 129 129 + SystemCallArchitectures = "native"; 130 130 + SystemCallFilter = [ 131 131 + "@system-service" 132 132 + "~@privileged" 133 133 + "~@resources" 134 134 + ]; 135 135 + Restart = "on-failure"; 136 136 + RestartSec = 5; 137 137 + UMask = "077"; 138 138 + }; 139 139 + }; 140 140 + }; 141 141 + }

+2

nixos/tests/all-tests.nix

reviewed

··· 729 729 lidarr = handleTest ./lidarr.nix { }; 730 730 lightdm = handleTest ./lightdm.nix { }; 731 731 lighttpd = runTest ./lighttpd.nix; 732 732 + livekit = runTest ./networking/livekit.nix; 732 733 limesurvey = handleTest ./limesurvey.nix { }; 733 734 limine = import ./limine { inherit runTest; }; 734 735 listmonk = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./listmonk.nix { }; 735 736 litellm = runTest ./litellm.nix; 736 737 litestream = handleTest ./litestream.nix { }; 738 738 + lk-jwt-service = runTest ./matrix/lk-jwt-service.nix; 737 739 lldap = handleTest ./lldap.nix { }; 738 740 localsend = handleTest ./localsend.nix { }; 739 741 locate = handleTest ./locate.nix { };

+26

nixos/tests/matrix/lk-jwt-service.nix

reviewed

··· 1 1 + { 2 2 + pkgs, 3 3 + lib, 4 4 + ... 5 5 + }: 6 6 + { 7 7 + name = "lk-jwt-service"; 8 8 + meta.maintainers = [ lib.maintainers.quadradical ]; 9 9 + 10 10 + nodes.machine = { 11 11 + services.lk-jwt-service = { 12 12 + enable = true; 13 13 + keyFile = pkgs.writers.writeYAML "keys.yaml" { 14 14 + key = "f6lQGaHtM5HfgZjIcec3cOCRfiDqIine4CpZZnqdT5cE"; 15 15 + }; 16 16 + livekitUrl = "wss://127.0.0.1:8100"; 17 17 + port = 8000; 18 18 + }; 19 19 + }; 20 20 + 21 21 + testScript = '' 22 22 + machine.wait_for_unit("lk-jwt-service.service") 23 23 + machine.wait_for_open_port(8000) 24 24 + machine.succeed('curl 127.0.0.1:8000/sfu/get -sLX POST -w "%{http_code}" | grep -q "^400"') 25 25 + ''; 26 26 + }

+25

nixos/tests/networking/livekit.nix

reviewed

··· 1 1 + { 2 2 + pkgs, 3 3 + lib, 4 4 + ... 5 5 + }: 6 6 + { 7 7 + name = "livekit"; 8 8 + meta.maintainers = [ lib.maintainers.quadradical ]; 9 9 + 10 10 + nodes.machine = { 11 11 + services.livekit = { 12 12 + enable = true; 13 13 + keyFile = pkgs.writers.writeYAML "keys.yaml" { 14 14 + key = "f6lQGaHtM5HfgZjIcec3cOCRfiDqIine4CpZZnqdT5cE"; 15 15 + }; 16 16 + settings.port = 8000; 17 17 + }; 18 18 + }; 19 19 + 20 20 + testScript = '' 21 21 + machine.wait_for_unit("livekit.service") 22 22 + machine.wait_for_open_port(8000) 23 23 + machine.succeed("curl 127.0.0.1:8000 -L --fail") 24 24 + ''; 25 25 + }

+3

pkgs/by-name/li/livekit/package.nix

reviewed

··· 2 2 lib, 3 3 buildGoModule, 4 4 fetchFromGitHub, 5 5 + nixosTests, 5 6 }: 6 7 7 8 buildGoModule rec { ··· 22 23 postInstall = '' 23 24 mv $out/bin/server $out/bin/livekit-server 24 25 ''; 26 26 + 27 27 + passthru.tests = nixosTests.livekit; 25 28 26 29 meta = with lib; { 27 30 description = "End-to-end stack for WebRTC. SFU media server and SDKs";

+3

pkgs/by-name/lk/lk-jwt-service/package.nix

reviewed

··· 2 2 lib, 3 3 buildGoModule, 4 4 fetchFromGitHub, 5 5 + nixosTests, 5 6 }: 6 7 7 8 buildGoModule (finalAttrs: { ··· 16 17 }; 17 18 18 19 vendorHash = "sha256-47eJO1Ai78RuhlEPn/J1cd+YSqvmfUD8cuPZIqsdxvI="; 20 20 + 21 21 + passthru.tests = nixosTests.lk-jwt-service; 19 22 20 23 meta = with lib; { 21 24 changelog = "https://github.com/element-hq/lk-jwt-service/releases/tag/${finalAttrs.src.tag}";