Daholli/nixos-config
1
0
Fork 0
Code Issues 2 Pull requests Releases Packages Activity Actions

loptland: init element-call

Browse source
This commit is contained in:
Christoph Hollizeck 2026-03-26 17:43:07 +01:00
parent 8fab0c421c
commit a2ebdf9884
4 changed files with 106 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/hosts/loptland/default.nix
View file

@ -33,6 +33,7 @@ topLevel: {
# services # services
matrix-synapse matrix-synapse
mautrix-discord mautrix-discord
element-call
# game server # game server
minecraft-server minecraft-server

58
modules/hosts/loptland/nginx.nix
View file

@ -8,6 +8,9 @@
}: }:
let let
domainName = "christophhollizeck.dev"; domainName = "christophhollizeck.dev";
matrixDomain = "alwayssleepy.online";
livekitPort = 7880;
lkJwtPort = 8089;
in in
{ {
services.nginx = { services.nginx = {
@ -50,9 +53,9 @@
}; };
}; };
"matrix.alwayssleepy.online" = lib.mkIf config.services.matrix-synapse.enable { "matrix.${matrixDomain}" = lib.mkIf config.services.matrix-synapse.enable {
forceSSL = true; forceSSL = true;
useACMEHost = "alwayssleepy.online"; useACMEHost = matrixDomain;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${toString 8008}"; proxyPass = "http://localhost:${toString 8008}";
@ -62,15 +65,60 @@
}; };
}; };
"call.${matrixDomain}" = lib.mkIf config.services.lk-jwt-service.enable {
forceSSL = true;
useACMEHost = matrixDomain;
locations."= /config.json" = {
extraConfig = ''
default_type application/json;
return 200 '${builtins.toJSON {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${matrixDomain}";
server_name = matrixDomain;
};
};
livekit = {
livekit_service_url = "https://call.${matrixDomain}/livekit/jwt";
};
}}';
'';
};
locations."/" = {
root = "${pkgs.element-call}";
tryFiles = "$uri /index.html";
extraConfig = ''
add_header Cache-Control "no-cache" always;
'';
};
# Proxy lk-jwt-service for token generation
locations."/livekit/jwt" = {
proxyPass = "http://localhost:${toString lkJwtPort}";
};
# Proxy LiveKit SFU websocket
locations."/livekit/sfu" = {
proxyPass = "http://localhost:${toString livekitPort}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
# .well-known Matrix delegation so Matrix IDs are @user:alwayssleepy.online # .well-known Matrix delegation so Matrix IDs are @user:alwayssleepy.online
"alwayssleepy.online" = { "alwayssleepy.online" = {
forceSSL = true; forceSSL = true;
useACMEHost = "alwayssleepy.online"; useACMEHost = matrixDomain;
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
return 200 '{"m.server":"matrix.alwayssleepy.online:443"}'; return 200 '{"m.server":"matrix.${matrixDomain}:443"}';
''; '';
}; };
@ -78,7 +126,7 @@
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
return 200 '{"m.homeserver":{"base_url":"https://matrix.alwayssleepy.online"}}'; return 200 '{"m.homeserver":{"base_url":"https://matrix.${matrixDomain}"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://call.${matrixDomain}/livekit/jwt"}]}';
''; '';
}; };
}; };

48
modules/server/element-call.nix Normal file
View file

@ -0,0 +1,48 @@
topLevel: {
flake.modules.nixos.element-call =
{ config, lib, pkgs, ... }:
let
matrixDomain = "alwayssleepy.online";
livekitPort = 7880;
livekitRtcPortStart = 50000;
livekitRtcPortEnd = 50200;
lkJwtPort = 8089;
sopsFile = ../../secrets/secrets-loptland.yaml;
in
{
sops.secrets."matrix/livekit/keyFile" = {
inherit sopsFile;
# livekit and lk-jwt-service both read this file
mode = "0440";
group = "livekit-secrets";
};
users.groups.livekit-secrets = { };
# LiveKit SFU media server
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.secrets."matrix/livekit/keyFile".path;
settings = {
port = livekitPort;
rtc = {
port_range_start = livekitRtcPortStart;
port_range_end = livekitRtcPortEnd;
};
};
};
# lk-jwt-service: bridges Matrix OpenID tokens to LiveKit JWTs
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://call.${matrixDomain}/livekit/sfu";
keyFile = config.sops.secrets."matrix/livekit/keyFile".path;
port = lkJwtPort;
};
# Allow lk-jwt-service (DynamicUser) to read the secrets file
systemd.services.lk-jwt-service.serviceConfig.SupplementaryGroups = [ "livekit-secrets" ];
};
}

6
secrets/secrets-loptland.yaml
View file

@ -24,6 +24,8 @@ matrix:
registrationSharedSecret: ENC[AES256_GCM,data:6IBlAfQhWlywWo/l8u5gAfW7bTgXwrAyk8WBBWkJQK+FL9LvUU5hDscozHrPIiRRzZdyeoAZ7phirDk3kN9E6Q==,iv:arZaxnIEUU3psaV8PqKAb46nlq73r2SAVlmCY+y+HB0=,tag:X/zsAtryEfl2PHKQ6GQfbg==,type:str] registrationSharedSecret: ENC[AES256_GCM,data:6IBlAfQhWlywWo/l8u5gAfW7bTgXwrAyk8WBBWkJQK+FL9LvUU5hDscozHrPIiRRzZdyeoAZ7phirDk3kN9E6Q==,iv:arZaxnIEUU3psaV8PqKAb46nlq73r2SAVlmCY+y+HB0=,tag:X/zsAtryEfl2PHKQ6GQfbg==,type:str]
mautrix-discord: mautrix-discord:
botToken: ENC[AES256_GCM,data:IrYMnUNorLK8853LXubpaXX2LwKbtlsdQzDHoeUq1VLyeH6Kz2CdnOV7UfuR4I0oEXBvw16PS+aBqjQCLcWGgXdTInEmq7lJ,iv:FmPlP1ZTdTTVcJeO0sKwiyaJ9KrZ8jbbyEiCK+O2XuI=,tag:Z+gVRNC34XV2OAUJcburIQ==,type:str] botToken: ENC[AES256_GCM,data:IrYMnUNorLK8853LXubpaXX2LwKbtlsdQzDHoeUq1VLyeH6Kz2CdnOV7UfuR4I0oEXBvw16PS+aBqjQCLcWGgXdTInEmq7lJ,iv:FmPlP1ZTdTTVcJeO0sKwiyaJ9KrZ8jbbyEiCK+O2XuI=,tag:Z+gVRNC34XV2OAUJcburIQ==,type:str]
livekit:
keyFile: ENC[AES256_GCM,data:h7pIrLswWJhS5vkcvVquMCFC/prCVavCJWUck7W6x7emH+qalXxmMxPnkCskFr163re+Y04PuOsrtFe4,iv:8BDrFPDhC5UHAzGUZ77hzNQh2RuMzdWphLXt9WI54gk=,tag:66MGl67bpOF/3n/vzYUOuw==,type:str]
sops: sops:
age: age:
- recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47 - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
@ -44,7 +46,7 @@ sops:
czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75 czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75
3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg== 3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-26T12:52:45Z" lastmodified: "2026-03-26T15:57:42Z"
mac: ENC[AES256_GCM,data:ObHBFxdJlDrJJY9y+yRAJ+7lnBbIpAzV53Jc6BR5lvuwywu1LgPTigqs2YgK8Nnl7GSsW84s4ewN+aYj5UANx47iylSCyIQmfLz56d8r6REjNtH/hnRyoR7s2tFHE8FYlsW9P2PNSNBkjkPovWrPBejZ4ZmZdhaXbCx/13tJXU8=,iv:X6FyE7S5uo0fwluFtpUraiLJQ4FMbAMBiMaaggPaWdY=,tag:VEHWZ8QMGulYs0h+Q1CAvA==,type:str] mac: ENC[AES256_GCM,data:gyiA6KTHS6I/geGuAldEHibD9TXKSW25k5hF+Ay1vFHdvjBqwvZ2ExOh/mgTz9qvE3FC24R2le8BTQbRvymWaE6wulzNEuzh3KoQHdsJpVWUIfizESj3Nt83WmJPr4jW7suTslhXdFHU3a1RTOHkiqARZtg9HdWg/Wo8gsLkXLU=,iv:L0aEQkQ5pyPKzVxbWrOYtIszV/AapdsdSI0yH7+xqrI=,tag:xvKEcWMfy1GnU4p1OfH1lA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2