haschel/modules/matrix.nix

{ config, pkgs, lib, ... }:
let
# Matrix server_name (the domain part of user IDs); also handed to
# lk-jwt-service as the homeserver with full LiveKit access.
serverName = "atri.dad";
# Public host used for Synapse's public_baseurl and for the LiveKit
# websocket URL given to clients.
matrixDomain = "chat.atri.dad";
# NOTE(review): not referenced anywhere in the visible part of this module;
# confirm it is still needed.
matrixRtcDomain = "matrixrtc.atri.dad";
# File holding the LiveKit API key/secret pair shared by livekit and
# lk-jwt-service. It is created by the livekit-key unit when missing.
# /run is normally a tmpfs, so presumably the key is regenerated on each boot.
livekitKeyFile = "/run/livekit.key";
in
{
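# Synapse homeserver. It listens on loopback only and speaks plain HTTP, so a
# reverse proxy on this host is expected to terminate TLS for ${matrixDomain}.
services.matrix-synapse = {
  enable = true;
  settings = {
    server_name = serverName;
    public_baseurl = "https://${matrixDomain}";
    listeners = [
      {
        port = 8008;
        # Loopback only: the listener is unreachable from other hosts.
        bind_addresses = [ "::1" "127.0.0.1" ];
        type = "http";
        tls = false;
        # Client IPs are taken from X-Forwarded-For. That header is only
        # trustworthy because nothing but local processes can reach this port;
        # keep the two settings together.
        x_forwarded = true;
        resources = [
          {
            names = [ "client" "federation" ];
            compress = true;
          }
        ];
      }
    ];
    database = {
      name = "psycopg2";
      args = {
        database = "matrix-synapse";
        user = "matrix-synapse";
        # Unix socket directory: no password is stored in this config.
        # Presumably PostgreSQL peer authentication maps the service user
        # to the role of the same name; verify against pg_hba.conf.
        host = "/run/postgresql";
      };
    };
    max_upload_size = "100M";
    # URL previews make the server fetch URLs supplied by users, which is a
    # server-side request forgery surface. The deny list below keeps those
    # fetches away from loopback, private, link-local and other non-public
    # ranges. It now carries every range from the ip_range_blacklist example
    # in Synapse's configuration documentation; the original list omitted the
    # documentation, 6to4-relay, multicast and site-local ranges.
    url_preview_enabled = true;
    url_preview_ip_range_blacklist = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
      "100.64.0.0/10"
      "192.0.0.0/24"
      "169.254.0.0/16"
      "192.88.99.0/24"
      "198.18.0.0/15"
      "192.0.2.0/24"
      "198.51.100.0/24"
      "203.0.113.0/24"
      "224.0.0.0/4"
      "::1/128"
      "fe80::/10"
      "fc00::/7"
      "2001:db8::/32"
      "ff00::/8"
      "fec0::/10"
    ];
    # Closed registration: accounts have to be created by an administrator.
    enable_registration = false;
  };
};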
# Local PostgreSQL for Synapse: one database and one role of the same name,
# with the role owning the database.
# NOTE(review): Synapse expects its database to use the C collation; check the
# locale that a database created via ensureDatabases ends up with.
services.postgresql =
  let
    synapseDb = "matrix-synapse";
  in
  {
    enable = true;
    ensureDatabases = [ synapseDb ];
    ensureUsers = [
      {
        name = synapseDb;
        ensureDBOwnership = true;
      }
    ];
  };
# LiveKit SFU that carries the media for Matrix calls.
services.livekit = {
  enable = true;
  # API key/secret pair; the same file is handed to lk-jwt-service.
  keyFile = livekitKeyFile;
  # NOTE(review): networking.firewall in this module also opens 7880/7881 and
  # the UDP media range by hand; check which of the two is actually needed so
  # the exposed surface is stated in one place.
  openFirewall = true;
  # Signalling port.
  settings.port = 7880;
  # Rooms are not created implicitly when a participant joins; presumably
  # only tokens that carry room-creation rights can open one.
  settings.room.auto_create = false;
  settings.rtc = {
    # UDP media port range; the firewall range in this module matches it.
    port_range_start = 50000;
    port_range_end = 60000;
    use_external_ip = true;
  };
};
# Token service that issues LiveKit JWTs to Matrix users. It signs with the
# same key file that the SFU verifies against.
services.lk-jwt-service = {
  enable = true;
  keyFile = livekitKeyFile;
  # URL handed to clients; signalling goes through the public Matrix host.
  livekitUrl = "wss://${matrixDomain}/livekit/sfu";
};
# Only this homeserver is listed for full access. Presumably users of other
# homeservers can join existing rooms but cannot create them; verify against
# the lk-jwt-service documentation.
systemd.services.lk-jwt-service.environment = {
  LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
};
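# One-shot unit that creates the LiveKit key file when it does not exist yet.
# It is ordered before both consumers so they never start without a key.
systemd.services.livekit-key = {
  before = [ "lk-jwt-service.service" "livekit.service" ];
  wantedBy = [ "multi-user.target" ];
  path = with pkgs; [ livekit coreutils gawk ];
  script = ''
    set -euo pipefail
    # The file holds the LiveKit API secret. Without a restrictive umask the
    # redirect below would create it with the default mode, readable by every
    # local user.
    # NOTE(review): this assumes livekit and lk-jwt-service read the key via
    # systemd credentials, loaded as root; confirm before deploying.
    umask 077
    echo "Key missing, generating key"
    secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
    # An empty secret must not be written: the ConditionPathExists guard would
    # then keep the broken file in place on every later start.
    if [ -z "$secret" ]; then
      echo "livekit-server generate-keys produced no secret" >&2
      exit 1
    fi
    # Write to a temporary file and rename it, so a partial key file is never
    # visible under the final name.
    tmp="$(mktemp "${livekitKeyFile}.XXXXXX")"
    printf 'lk-jwt-service: %s\n' "$secret" > "$tmp"
    mv -f "$tmp" "${livekitKeyFile}"
  '';
  serviceConfig.Type = "oneshot";
  # Skip the unit entirely when a key file is already present.
  unitConfig.ConditionPathExists = "!${livekitKeyFile}";
};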
# Ports opened to the outside for LiveKit.
# NOTE(review): 7880 is the signalling port (services.livekit.settings.port).
# Clients are given wss://${matrixDomain}/livekit/sfu, so signalling appears to
# go through a reverse proxy. If that proxy runs on this host, 7880 probably
# does not need to be reachable from outside; confirm before narrowing.
networking.firewall.allowedTCPPorts = [ 7880 7881 ];
# UDP media range; matches rtc.port_range_start/end in services.livekit.
networking.firewall.allowedUDPPortRanges = [
  {
    from = 50000;
    to = 60000;
  }
];
}