refactor(matrix): simplify LiveKit configuration to use services.livekit and services.lk-jwt-service

2026-02-23 16:32:14 +05:30
parent bbeed99f43
commit 8d636ce194
1 changed files with 32 additions and 83 deletions
--- a/nixos/tako/services/matrix/tuwunel.nix
+++ b/nixos/tako/services/matrix/tuwunel.nix
@@ -1,20 +1,12 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  port = 6167;
  base_domain = "darksailor.dev";
  client_id = "tuwunel";
  rtc_domain = "matrix-rtc.${base_domain}";
  livekit_port = 7880;
  livekit_rtc_tcp_port = 7881;
  livekit_rtc_port_start = 50100;
  livekit_rtc_port_end = 50200;
  livekit_turn_udp_port = 3478;
  livekit_turn_relay_start = 50300;
  livekit_turn_relay_end = 65535;
  jwt_port = 8081;
  elementConfig = builtins.toJSON {
    default_server_config = {
@@ -29,25 +21,6 @@
    };
  };
  elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
  livekitConfigTemplate = pkgs.writeText "livekit.yaml.template" ''
    port: ${toString livekit_port}
    bind_addresses:
      - ""
    rtc:
      tcp_port: ${toString livekit_rtc_tcp_port}
      port_range_start: ${toString livekit_rtc_port_start}
      port_range_end: ${toString livekit_rtc_port_end}
      use_external_ip: true
      enable_loopback_candidate: false
    keys:
      LIVEKIT_KEY_PLACEHOLDER: LIVEKIT_SECRET_PLACEHOLDER
    turn:
      enabled: true
      udp_port: ${toString livekit_turn_udp_port}
      relay_range_start: ${toString livekit_turn_relay_start}
      relay_range_end: ${toString livekit_turn_relay_end}
      domain: ${rtc_domain}
  '';
 in {
  sops = {
    secrets."tuwunel/client_id" = {
@@ -63,6 +36,9 @@ in {
    secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
    secrets."livekit/key_name" = {};
    secrets."livekit/key_secret" = {};
    templates."livekit-keys".content = ''
      ${config.sops.placeholder."livekit/key_name"}: ${config.sops.placeholder."livekit/key_secret"}
    '';
  };
  services.matrix-tuwunel = {
    enable = true;
@@ -110,9 +86,6 @@ in {
    "${base_domain}".extraConfig = ''
      reverse_proxy /.well-known/* localhost:${toString port}
    '';
    # "matrix.${base_domain}:8448".extraConfig = ''
    #   reverse_proxy /_matrix/* localhost:${toString port}
    # '';
    "${rtc_domain}".extraConfig = ''
      @jwt_service {
        path /sfu/get* /healthz*
@@ -121,7 +94,7 @@ in {
        reverse_proxy localhost:${toString jwt_port}
      }
      handle {
-        reverse_proxy localhost:${toString livekit_port} {
+        reverse_proxy localhost:${toString config.services.livekit.settings.port} {
          header_up Connection "upgrade"
          header_up Upgrade {http.request.header.Upgrade}
        }
@@ -129,69 +102,45 @@ in {
    '';
  };
  networking.firewall = {
-    allowedTCPPorts = [8448 livekit_rtc_tcp_port];
+    allowedTCPPorts = [8448 7881];
-    allowedUDPPorts = [livekit_turn_udp_port];
+    allowedUDPPorts = [3478];
    allowedUDPPortRanges = [
      {
-        from = livekit_rtc_port_start;
+        from = 50300;
-        to = livekit_rtc_port_end;
+        to = 65535;
      }
      {
        from = livekit_turn_relay_start;
        to = livekit_turn_relay_end;
      }
    ];
  };
  users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
-  # LiveKit server
+  services.livekit = {
-  systemd.services.livekit = {
+    enable = true;
-    description = "LiveKit SFU server";
+    keyFile = config.sops.templates."livekit-keys".path;
-    after = ["network-online.target"];
+    openFirewall = true;
-    wants = ["network-online.target"];
+    settings = {
-    wantedBy = ["multi-user.target"];
+      rtc = {
-    serviceConfig = {
+        tcp_port = 7881;
-      DynamicUser = true;
+        port_range_start = 50100;
-      StateDirectory = "livekit";
+        port_range_end = 50200;
-      RuntimeDirectory = "livekit";
+        use_external_ip = true;
-      ExecStartPre = let
+        enable_loopback_candidate = false;
-        script = pkgs.writeShellScript "livekit-config" ''
+      };
-          KEY_NAME=$(cat ${config.sops.secrets."livekit/key_name".path})
+      turn = {
-          KEY_SECRET=$(cat ${config.sops.secrets."livekit/key_secret".path})
+        enabled = true;
-          ${lib.getExe pkgs.gnused} \
+        udp_port = 3478;
-            -e "s|LIVEKIT_KEY_PLACEHOLDER|$KEY_NAME|g" \
+        relay_range_start = 50300;
-            -e "s|LIVEKIT_SECRET_PLACEHOLDER|$KEY_SECRET|g" \
+        relay_range_end = 65535;
-            ${livekitConfigTemplate} > /run/livekit/livekit.yaml
+        domain = rtc_domain;
-        '';
+      };
      in "${script}";
      ExecStart = "${lib.getExe pkgs.livekit} --config /run/livekit/livekit.yaml";
      Restart = "on-failure";
      RestartSec = 5;
      AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
    };
  };
-  # LiveKit JWT service for MatrixRTC
+  services.lk-jwt-service = {
-  systemd.services.lk-jwt-service = {
+    enable = true;
-    description = "LiveKit JWT service for MatrixRTC";
+    port = jwt_port;
-    after = ["network-online.target" "livekit.service"];
+    livekitUrl = "wss://${rtc_domain}";
-    wants = ["network-online.target"];
+    keyFile = config.sops.templates."livekit-keys".path;
    requires = ["livekit.service"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${lib.getExe pkgs.lk-jwt-service}";
      Restart = "on-failure";
      RestartSec = 5;
    };
    environment = {
      LIVEKIT_JWT_BIND = ":${toString jwt_port}";
      LIVEKIT_URL = "wss://${rtc_domain}";
      LIVEKIT_KEY_FILE = config.sops.secrets."livekit/key_name".path;
      LIVEKIT_SECRET_FILE = config.sops.secrets."livekit/key_secret".path;
      LIVEKIT_FULL_ACCESS_HOMESERVERS = base_domain;
    };
  };
  services = {