haschel/modules/matrix.nix
Atridad Lahiji 1191e9c39c
Added some extra config back in for tuwunel
2026-02-14 12:36:14 -07:00


{ config, pkgs, lib, ... }:
let
  # Shared LiveKit API key/secret file read by both livekit and lk-jwt-service.
  # It lives under /run (normally tmpfs), so it is recreated at boot by the
  # livekit-key oneshot unit below whenever it is missing.
  livekitKeyFile = "/run/livekit.key";
  # Matrix server_name (the domain in user IDs); federation and client traffic
  # are delegated to matrixDomain via the well_known block.
  serverName = "atri.dad";
  matrixDomain = "matrix.atri.dad";
  # Public hostname for LiveKit/TURN; its ACME certificate is also what the
  # built-in TURN server presents.
  matrixRtcDomain = "matrixrtc.atri.dad";
in
{
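services.matrix-tuwunel = {
  enable = true;
  settings = {
    global = {
      server_name = serverName;
      # Loopback only: TLS termination and public exposure are expected to be
      # handled by a reverse proxy configured elsewhere.
      address = [ "127.0.0.1" "::1" ];
      port = [ 6167 ];
      # 100 MiB request/upload limit.
      max_request_size = 104857600;
      # Closed registration; accounts are created out of band.
      allow_registration = false;
      allow_encryption = true;
      allow_federation = true;
      # Notary servers consulted when fetching/verifying other homeservers'
      # signing keys. chat.blahaj.zone is a third-party operator that is being
      # trusted for that purpose alongside matrix.org.
      trusted_servers = [ "matrix.org" "chat.blahaj.zone" ];
      # Destinations the server refuses to connect to for outbound fetches such
      # as URL previews. Because url_preview_domain_contains_allowlist below is
      # "*", this list is the SSRF boundary for the whole host and network.
      # Setting it here replaces the upstream default list, so it has to be
      # complete on its own; the entries below add the reserved ranges the
      # previous list left reachable.
      ip_range_denylist = [
        "0.0.0.0/8"      # "this network"; 0.0.0.0 reaches localhost on Linux
        "127.0.0.0/8"
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
        "100.64.0.0/10"
        "192.0.0.0/24"
        "169.254.0.0/16"
        "198.18.0.0/15"
        "224.0.0.0/4"    # IPv4 multicast
        "240.0.0.0/4"    # reserved, includes the broadcast address
        "::/128"         # IPv6 unspecified
        "::1/128"
        "::ffff:0:0/96"  # IPv4-mapped IPv6; would otherwise bypass the v4 entries
        "fe80::/10"
        "fc00::/7"
        "ff00::/8"       # IPv6 multicast
      ];
      zstd_compression = true;
      gzip_compression = true;
      brotli_compression = true;
      # Any user can have the server fetch a preview of any public URL; the
      # denylist above is what keeps those fetches away from internal addresses.
      url_preview_domain_contains_allowlist = [ "*" ];
      allow_local_presence = true;
      allow_incoming_presence = true;
      allow_outgoing_presence = true;
      # Served as /.well-known/matrix/{server,client}: delegates serverName to
      # matrixDomain for federation and clients, and advertises the LiveKit JWT
      # endpoint used for MatrixRTC calls.
      well_known = {
        server = "${matrixDomain}:443";
        client = "https://${matrixDomain}";
        rtc_transports = [
          {
            type = "livekit";
            livekit_service_url = "https://${matrixDomain}/livekit/jwt";
          }
        ];
      };
    };
  };
};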
services.livekit = {
  enable = true;
  # Opens the LiveKit ports declared in settings; networking.firewall below also
  # lists these explicitly, so the two need to be kept in step.
  openFirewall = true;
  settings = {
    # Signalling/API port (WebSocket).
    port = 7880;
    rtc = {
      # Media UDP range; also reused as the TURN relay range below and opened in
      # networking.firewall.
      port_range_start = 50000;
      port_range_end = 60000;
      # TCP transport for clients that cannot use UDP.
      tcp_port = 7881;
      # Let LiveKit discover the host's public address itself (this host is
      # presumably behind NAT or has a non-public interface address).
      use_external_ip = true;
      allow_tcp_fallback = true;
    };
    # Rooms are created on first join rather than requiring an API call.
    room.auto_create = true;
    # Built-in TURN server advertised under matrixRtcDomain. The TLS material
    # is handed in as systemd credentials (see the LoadCredential entries
    # below), so the livekit service never needs read access to /var/lib/acme.
    turn = {
      enabled = true;
      domain = matrixRtcDomain;
      tls_port = 5349;
      udp_port = 3478;
      relay_range_start = 50000;
      relay_range_end = 60000;
      cert_file = "/run/credentials/livekit.service/turn-cert";
      key_file = "/run/credentials/livekit.service/turn-key";
    };
  };
  # API key/secret shared with lk-jwt-service; generated at boot by livekit-key.
  keyFile = livekitKeyFile;
};
services.lk-jwt-service = {
  enable = true;
  # Public LiveKit signalling URL handed to clients in the issued JWTs.
  livekitUrl = "wss://${matrixRtcDomain}";
  # Same key file as services.livekit, so tokens signed here are accepted by
  # the SFU.
  keyFile = livekitKeyFile;
};
# NOTE(review): presumably limits full-access (room-creating) tokens to users
# of this homeserver, with other homeservers' users restricted — confirm
# against the lk-jwt-service documentation for the deployed version.
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
# Expose the ACME certificate and key for matrixRtcDomain to livekit as systemd
# credentials; they appear under /run/credentials/livekit.service/ and are what
# turn.cert_file / turn.key_file above point at. LoadCredential copies the files
# at service start, so a renewed certificate is only picked up when livekit is
# restarted.
systemd.services.livekit.serviceConfig.LoadCredential = [
  "turn-cert:/var/lib/acme/${matrixRtcDomain}/fullchain.pem"
  "turn-key:/var/lib/acme/${matrixRtcDomain}/key.pem"
];
# Do not start (and fail on the missing credential) before the certificate has
# been issued.
systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
# Generates the shared LiveKit API key/secret whenever livekitKeyFile is absent
# (in practice on every boot, since it lives under /run). ConditionPathExists
# skips the unit once the file exists.
systemd.services.livekit-key = {
  # Ordering only: neither consumer declares after=/requires= on this unit, so
  # the ordering relies on all three being pulled in by multi-user.target in
  # the same transaction.
  before = [ "lk-jwt-service.service" "livekit.service" ];
  wantedBy = [ "multi-user.target" ];
  path = with pkgs; [ livekit coreutils gawk ];
  # The script assumes the last line of `livekit-server generate-keys` output
  # carries the secret in its third whitespace-separated field and stores it
  # as "<api-key-name>: <secret>", with lk-jwt-service as the key name.
  # NOTE(review): the redirect creates the file with the service's default
  # umask, so it is likely world-readable under /run. Confirm how livekit and
  # lk-jwt-service read it (e.g. via LoadCredential as root); if they do not
  # open it themselves, prefix the script with `umask 077`.
  script = ''
    echo "Key missing, generating key"
    echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
  '';
  serviceConfig.Type = "oneshot";
  unitConfig.ConditionPathExists = "!${livekitKeyFile}";
};
# Public ports: LiveKit signalling (7880) and RTC-over-TCP (7881), TURN over
# TLS (5349) and UDP (3478), plus the shared media/relay UDP range. These
# mirror the values in services.livekit.settings and partly overlap with
# services.livekit.openFirewall; change them together.
networking.firewall = {
  allowedTCPPorts = [ 7880 7881 5349 ];
  allowedUDPPorts = [ 3478 ];
  allowedUDPPortRanges = [
    { from = 50000; to = 60000; }
  ];
};
}