diff --git a/configuration.nix b/configuration.nix
index 0292a3b..9927373 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -10,7 +10,6 @@
 ./modules/hardware.nix
 ./modules/services.nix
 ./modules/proxy.nix
- ./modules/matrix.nix
 ./modules/fail2ban.nix
 ];
diff --git a/modules/matrix.nix b/modules/matrix.nix
deleted file mode 100644
index 6999997..0000000
--- a/modules/matrix.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ pkgs, ... }:
-
-let
- livekitKeyFile = "/var/lib/livekit/livekit.key";
- serverName = "atri.dad";
- matrixRtcDomain = "matrixrtc.atri.dad";
-in
-{
- services.livekit = {
- enable = true;
- openFirewall = true;
- settings = {
- port = 7880;
- rtc = {
- port_range_start = 50000;
- port_range_end = 60000;
- tcp_port = 7881;
- use_external_ip = true;
- allow_tcp_fallback = true;
- };
- room.auto_create = true;
- turn = {
- enabled = true;
- domain = matrixRtcDomain;
- tls_port = 5349;
- udp_port = 3478;
- relay_range_start = 50000;
- relay_range_end = 60000;
- cert_file = "/run/credentials/livekit.service/turn-cert";
- key_file = "/run/credentials/livekit.service/turn-key";
- };
- };
- keyFile = livekitKeyFile;
- };
-
- services.lk-jwt-service = {
- enable = true;
- livekitUrl = "wss://${matrixRtcDomain}";
- keyFile = livekitKeyFile;
- };
-
- systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
-
- systemd.services.livekit.serviceConfig.LoadCredential = [
- "turn-cert:/var/lib/acme/${matrixRtcDomain}/fullchain.pem"
- "turn-key:/var/lib/acme/${matrixRtcDomain}/key.pem"
- ];
- systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
- systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
-
- systemd.services.livekit-key = {
- before = [
- "lk-jwt-service.service"
- "livekit.service"
- ];
- wantedBy = [ "multi-user.target" ];
- path = with pkgs; [
- livekit
- coreutils
- gawk
- ];
- script = ''
- echo "Key missing, generating key"
- install -d -m 0700 "$(dirname "${livekitKeyFile}")"
- install -m 0600 /dev/null "${livekitKeyFile}"
- echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
- '';
- serviceConfig = {
- Type = "oneshot";
- UMask = "0177";
- };
- unitConfig.ConditionPathExists = "!${livekitKeyFile}";
- };
-
- networking.firewall = {
- allowedTCPPorts = [
- 7880
- 7881
- 5349
- ];
- allowedUDPPorts = [ 3478 ];
- allowedUDPPortRanges = [
- {
- from = 50000;
- to = 60000;
- }
- ];
- };
-}
diff --git a/modules/proxy.nix b/modules/proxy.nix
index 1432ad7..6792409 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -1,5 +1,4 @@
 {
- config,
 lib,
 pkgs,
 ...
@@ -10,7 +9,6 @@ let
 atashDotDev = "atash.dev";
 matrixDomain = "matrix.${atriDotDad}";
- matrixRtcDomain = "matrixrtc.${atriDotDad}";
 upstream = "lloyd.tadpole-pain.ts.net";
 streamPorts = [
@@ -162,33 +160,10 @@ in
 max_size 1GB
 }
- handle_path /livekit/jwt/* {
- @allowed path /sfu/get /get_token /healthz
- handle @allowed {
- reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port}
- }
- handle {
- respond 404
- }
- }
-
-
 handle {
 reverse_proxy http://${upstream}:30394
 }
 }
-
- ${matrixRtcDomain} {
- handle /.well-known/acme-challenge/* {
- root * /var/lib/acme/acme-challenge
- file_server
- }
-
- handle {
- reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
- flush_interval -1
- }
- }
- }
 '';
 };
@@ -205,13 +180,4 @@ in
 ++ streamPorts;
 allowedUDPPorts = streamPorts;
 };
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "me@${atriDotDad}";
-
- certs."${matrixRtcDomain}" = {
- webroot = "/var/lib/acme/acme-challenge";
- };
- };
 }