Daholli/nixos-config
1
0
Fork 0
Code Issues 2 Pull requests Releases Packages Activity Actions

loptland: init element-call

Browse source
This commit is contained in:
Christoph Hollizeck 2026-03-26 17:43:07 +01:00
parent f908c909e5
commit 8576262aca
4 changed files with 106 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/hosts/loptland/default.nix
View file

@ -33,6 +33,7 @@ topLevel: {
# services
matrix-synapse
mautrix-discord
element-call
# game server
minecraft-server

58
modules/hosts/loptland/nginx.nix
View file

@ -8,6 +8,9 @@
}:
let
domainName = "christophhollizeck.dev";
matrixDomain = "alwayssleepy.online";
livekitPort = 7880;
lkJwtPort = 8089;
in
{
services.nginx = {
@ -50,9 +53,9 @@
};
};
"matrix.alwayssleepy.online" = lib.mkIf config.services.matrix-synapse.enable {
"matrix.${matrixDomain}" = lib.mkIf config.services.matrix-synapse.enable {
forceSSL = true;
useACMEHost = "alwayssleepy.online";
useACMEHost = matrixDomain;
locations."/" = {
proxyPass = "http://localhost:${toString 8008}";
@ -62,15 +65,60 @@
};
};
"call.${matrixDomain}" = lib.mkIf config.services.lk-jwt-service.enable {
forceSSL = true;
useACMEHost = matrixDomain;
locations."= /config.json" = {
extraConfig = ''
default_type application/json;
return 200 '${builtins.toJSON {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${matrixDomain}";
server_name = matrixDomain;
};
};
livekit = {
livekit_service_url = "https://call.${matrixDomain}/livekit/jwt";
};
}}';
'';
};
locations."/" = {
root = "${pkgs.element-call}";
tryFiles = "$uri /index.html";
extraConfig = ''
add_header Cache-Control "no-cache" always;
'';
};
# Proxy lk-jwt-service for token generation
locations."/livekit/jwt" = {
proxyPass = "http://localhost:${toString lkJwtPort}";
};
# Proxy LiveKit SFU websocket
locations."/livekit/sfu" = {
proxyPass = "http://localhost:${toString livekitPort}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
# .well-known Matrix delegation so Matrix IDs are @user:alwayssleepy.online
"alwayssleepy.online" = {
forceSSL = true;
useACMEHost = "alwayssleepy.online";
useACMEHost = matrixDomain;
locations."/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '{"m.server":"matrix.alwayssleepy.online:443"}';
return 200 '{"m.server":"matrix.${matrixDomain}:443"}';
'';
};
@ -78,7 +126,7 @@
extraConfig = ''
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*';
return 200 '{"m.homeserver":{"base_url":"https://matrix.alwayssleepy.online"}}';
return 200 '{"m.homeserver":{"base_url":"https://matrix.${matrixDomain}"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://call.${matrixDomain}/livekit/jwt"}]}';
'';
};
};

48
modules/server/element-call.nix Normal file
View file

@ -0,0 +1,48 @@
topLevel: {
flake.modules.nixos.element-call =
{ config, lib, pkgs, ... }:
let
matrixDomain = "alwayssleepy.online";
livekitPort = 7880;
livekitRtcPortStart = 50000;
livekitRtcPortEnd = 50200;
lkJwtPort = 8089;
sopsFile = ../../secrets/secrets-loptland.yaml;
in
{
sops.secrets."matrix/livekit/keyFile" = {
inherit sopsFile;
# livekit and lk-jwt-service both read this file
mode = "0440";
group = "livekit-secrets";
};
users.groups.livekit-secrets = { };
# LiveKit SFU media server
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.secrets."matrix/livekit/keyFile".path;
settings = {
port = livekitPort;
rtc = {
port_range_start = livekitRtcPortStart;
port_range_end = livekitRtcPortEnd;
};
};
};
# lk-jwt-service: bridges Matrix OpenID tokens to LiveKit JWTs
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://call.${matrixDomain}/livekit/sfu";
keyFile = config.sops.secrets."matrix/livekit/keyFile".path;
port = lkJwtPort;
};
# Allow lk-jwt-service (DynamicUser) to read the secrets file
systemd.services.lk-jwt-service.serviceConfig.SupplementaryGroups = [ "livekit-secrets" ];
};
}