haschel/modules/matrix.nix

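# Matrix homeserver (tuwunel) plus LiveKit-backed calls (MatrixRTC) for atri.dad.
# The LiveKit API secret is generated once on first boot by the `livekit-key`
# oneshot below and shared, via `keyFile`, with both livekit and lk-jwt-service.
{ pkgs, ... }:
let
  # Single shared key file; consumed by services.livekit and services.lk-jwt-service.
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  serverName = "atri.dad";
  matrixDomain = "matrix.atri.dad";
  matrixRtcDomain = "matrixrtc.atri.dad";
in
{
  services.matrix-tuwunel = {
    enable = true;
    settings = {
      global = {
        server_name = serverName;
        # Loopback only — presumably fronted by a reverse proxy defined elsewhere
        # (nothing in this module terminates TLS for the homeserver).
        address = [
          "127.0.0.1"
          "::1"
        ];
        port = [ 6167 ];
        max_request_size = 104857600; # 100 MiB
        allow_registration = false;
        allow_encryption = true;
        allow_federation = true;
        trusted_servers = [
          "matrix.org"
          "chat.blahaj.zone"
        ];
        # Destinations the homeserver must never dial out to (SSRF guard for
        # server-initiated requests). NOTE(review): an explicit value replaces
        # the server's built-in default list instead of extending it — confirm
        # against the tuwunel release in use that nothing from the default
        # (e.g. IPv4-mapped IPv6 or multicast ranges) is dropped here.
        ip_range_denylist = [
          "127.0.0.0/8"
          "10.0.0.0/8"
          "172.16.0.0/12"
          "192.168.0.0/16"
          "100.64.0.0/10"
          "192.0.0.0/24"
          "169.254.0.0/16"
          "198.18.0.0/15"
          "::1/128"
          "fe80::/10"
          "fc00::/7"
        ];
        zstd_compression = true;
        gzip_compression = true;
        brotli_compression = true;
        allow_local_presence = true;
        allow_incoming_presence = true;
        allow_outgoing_presence = true;
        # Served as /.well-known/matrix/{server,client}: delegates the bare
        # server_name to matrixDomain and advertises the LiveKit JWT endpoint.
        well_known = {
          server = "${matrixDomain}:443";
          client = "https://${matrixDomain}";
          rtc_transports = [
            {
              type = "livekit";
              # Must be routed to lk-jwt-service by the reverse proxy — TODO confirm.
              livekit_service_url = "https://${matrixDomain}/livekit/jwt";
            }
          ];
        };
      };
    };
  };

  services.livekit = {
    enable = true;
    # Opens the ports derived from `settings`; networking.firewall below lists
    # them again explicitly (harmless duplication).
    openFirewall = true;
    settings = {
      port = 7880;
      rtc = {
        port_range_start = 50000;
        port_range_end = 60000;
        tcp_port = 7881;
        use_external_ip = true;
        allow_tcp_fallback = true;
      };
      room.auto_create = true;
      turn = {
        enabled = true;
        domain = matrixRtcDomain;
        tls_port = 5349;
        udp_port = 3478;
        relay_range_start = 50000;
        relay_range_end = 60000;
        # TLS material is not read from /var/lib/acme directly; systemd hands it
        # to the unit through LoadCredential (see systemd.services.livekit below).
        cert_file = "/run/credentials/livekit.service/turn-cert";
        key_file = "/run/credentials/livekit.service/turn-key";
      };
    };
    keyFile = livekitKeyFile;
  };

  services.lk-jwt-service = {
    enable = true;
    livekitUrl = "wss://${matrixRtcDomain}";
    keyFile = livekitKeyFile;
  };
  # Limit full-access token issuance to our own homeserver.
  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;

  systemd.services.livekit.serviceConfig.LoadCredential = [
    "turn-cert:/var/lib/acme/${matrixRtcDomain}/fullchain.pem"
    "turn-key:/var/lib/acme/${matrixRtcDomain}/key.pem"
  ];
  # The credentials above only exist once ACME has issued the certificate.
  systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
  systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];

  # One-time generation of the LiveKit API secret. Runs only while the key file
  # is absent (ConditionPathExists below), so a bad first run would otherwise be
  # permanent: the secret is therefore validated before any file is created.
  systemd.services.livekit-key = {
    before = [
      "lk-jwt-service.service"
      "livekit.service"
    ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [
      livekit
      coreutils
      gawk
    ];
    script = ''
      # NixOS presumably runs `script` under `set -e`; pipefail is needed as
      # well so a failing `livekit-server generate-keys` is not masked by the
      # succeeding tail/awk stages.
      set -o pipefail
      echo "Key missing, generating key"
      # Capture the secret first instead of embedding the substitution in the
      # redirected echo: there a failed/empty generation still wrote a key file
      # with an empty secret, which then blocked regeneration on later boots.
      secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
      if [ -z "$secret" ]; then
        echo "livekit-server generate-keys produced no secret; not writing ${livekitKeyFile}" >&2
        exit 1
      fi
      # Create directory and file with restrictive modes before the secret lands.
      install -d -m 0700 "$(dirname "${livekitKeyFile}")"
      install -m 0600 /dev/null "${livekitKeyFile}"
      echo "lk-jwt-service: $secret" > "${livekitKeyFile}"
    '';
    serviceConfig = {
      Type = "oneshot";
      UMask = "0177";
    };
    unitConfig.ConditionPathExists = "!${livekitKeyFile}";
  };

  # Mirrors the LiveKit settings above: 7880 API, 7881 RTC/TCP, 5349 TURN/TLS,
  # 3478 TURN/UDP, 50000-60000 RTC and TURN relay range.
  networking.firewall = {
    allowedTCPPorts = [
      7880
      7881
      5349
    ];
    allowedUDPPorts = [ 3478 ];
    allowedUDPPortRanges = [
      {
        from = 50000;
        to = 60000;
      }
    ];
  };
}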