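{ config, pkgs, lib, ... }:
let
  # Shared LiveKit API key/secret consumed by both livekit and lk-jwt-service.
  # It is generated once per boot by the livekit-key unit below; /run is tmpfs,
  # so the secret never persists to disk and is regenerated after a reboot.
  livekitKeyFile = "/run/livekit.key";
  serverName = "atri.dad";
  matrixDomain = "matrix.atri.dad";
  matrixRtcDomain = "matrixrtc.atri.dad";
in
{
  # Matrix homeserver (tuwunel). It listens on loopback only, so TLS and the
  # public :443 advertised in well_known are expected to come from a reverse
  # proxy configured elsewhere.
  services.matrix-tuwunel = {
    enable = true;
    settings = {
      global = {
        server_name = serverName;
        address = [ "127.0.0.1" "::1" ];
        port = [ 6167 ];
        max_request_size = 104857600; # 100 MiB request/upload ceiling
        # NOTE(review): open registration on a federating homeserver is a spam
        # and abuse magnet. Gate sign-ups with a registration token (the
        # tuwunel/conduwuit `registration_token_file` option) or set this to
        # false and create accounts via the admin room. Confirm the exact option
        # name against the tuwunel config reference for the deployed version.
        allow_registration = true;
        allow_encryption = true;
        allow_federation = true;
        trusted_servers = [ "matrix.org" ];
        # Ranges the homeserver must never connect to on behalf of clients
        # (URL previews, federation lookups). This is the server's SSRF guard,
        # so it has to cover every way of spelling "local".
        ip_range_denylist = [
          "0.0.0.0/8"        # "this" network; 0.0.0.0 reaches localhost on Linux
          "127.0.0.0/8"
          "10.0.0.0/8"
          "172.16.0.0/12"
          "192.168.0.0/16"
          "100.64.0.0/10"    # CGNAT
          "192.0.0.0/24"
          "169.254.0.0/16"   # link-local, incl. cloud metadata endpoints
          "198.18.0.0/15"
          "224.0.0.0/4"      # multicast
          "240.0.0.0/4"      # reserved and limited broadcast
          "::1/128"
          "::/128"
          "::ffff:0:0/96"    # IPv4-mapped IPv6; without it every IPv4 entry above can be bypassed
          "fe80::/10"
          "fc00::/7"
        ];
        well_known = {
          server = "${matrixDomain}:443";
          client = "https://${matrixDomain}";
          rtc_transports = [
            {
              type = "livekit";
              livekit_service_url = "https://${matrixRtcDomain}";
            }
          ];
        };
      };
    };
  };

  # LiveKit SFU carrying MatrixRTC media.
  services.livekit = {
    enable = true;
    openFirewall = true;
    settings = {
      port = 7880;
      rtc = {
        port_range_start = 50000;
        port_range_end = 60000;
        # Discover the public address via STUN so advertised ICE candidates are
        # reachable from outside (the host sits behind NAT or has no public IP
        # on an interface).
        use_external_ip = true;
      };
      # Rooms come only from tokens minted by lk-jwt-service, never on demand
      # by any client that can reach the SFU.
      room.auto_create = false;
    };
    keyFile = livekitKeyFile;
  };

  # Mints LiveKit JWTs for Matrix clients; the wss:// URL implies TLS is
  # terminated by a reverse proxy in front of port 7880.
  services.lk-jwt-service = {
    enable = true;
    livekitUrl = "wss://${matrixRtcDomain}";
    keyFile = livekitKeyFile;
  };
  # Only accounts on this homeserver receive full-access (room-creating) tokens;
  # users from federated servers are limited to joining existing rooms.
  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;

  # Generates the shared LiveKit secret at boot, before either consumer starts.
  # ConditionPathExists makes the unit a no-op if the file is already present.
  # NOTE(review): the file is written root-owned with mode 0600. The NixOS
  # livekit and lk-jwt-service modules are expected to hand keyFile to the
  # daemons via systemd LoadCredential (read as root); if a module instead opens
  # the path as its own service user, give that user read access through
  # ownership rather than loosening the mode -- verify against the modules.
  systemd.services.livekit-key = {
    before = [ "lk-jwt-service.service" "livekit.service" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ livekit coreutils gawk ];
    script = ''
      # pipefail: without it a failing `livekit-server generate-keys` leaves an
      # empty secret in the pipeline and the key file is written anyway, after
      # which ConditionPathExists prevents it from ever being regenerated.
      set -euo pipefail
      # The key file is a shared secret; the default umask (0022) would make
      # it readable by every local user.
      umask 077
      echo "Key missing, generating key"
      # generate-keys prints "API Key: ..." then "API Secret: ..."; the third
      # field of the last line is the secret.
      secret="$(livekit-server generate-keys | tail -n 1 | awk '{print $3}')"
      if [ -z "$secret" ]; then
        echo "livekit-server generate-keys returned no secret; refusing to write an empty key file" >&2
        exit 1
      fi
      # Write to a temp file in the same directory and rename, so a consumer
      # never observes a partially written key file.
      tmp="$(mktemp "${livekitKeyFile}.XXXXXX")"
      printf 'lk-jwt-service: %s\n' "$secret" > "$tmp"
      mv -f "$tmp" "${livekitKeyFile}"
    '';
    serviceConfig.Type = "oneshot";
    unitConfig.ConditionPathExists = "!${livekitKeyFile}";
  };

  # Overlaps with services.livekit.openFirewall above; kept explicit so that
  # 7881 (ICE over TCP) is covered regardless of what the module opens.
  # NOTE(review): lk-jwt-service talks to wss://, i.e. TLS is terminated by a
  # reverse proxy. If that proxy fronts 7880, the plaintext 7880 does not need
  # to be exposed to the internet -- confirm and drop it from this list.
  networking.firewall = {
    allowedTCPPorts = [ 7880 7881 ];
    allowedUDPPortRanges = [
      { from = 50000; to = 60000; }
    ];
  };
}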