see if we can set up livekit on the matrix server

2026-03-17 16:49:30 +01:00 · 2026-03-17 16:49:30 +01:00 · 842ec53f64
commit 842ec53f64
parent fc02e973fb
5 changed files with 102 additions and 10 deletions
--- a/nixos/server/package-configs/conduit/default.nix
+++ b/nixos/server/package-configs/conduit/default.nix
@ -19,6 +19,11 @@
    }
  '';

+  livekit-port = 64485;
+  livekit-rtc-start = 63400;
+  livekit-rtc-end = 63600;
+  livekit-url = "livekit.gladtherescake.eu";
+
  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
  well_known_client = pkgs.writeText "well-known-matrix-client" ''
    {
@ -28,6 +33,27 @@
    }
  '';
 in {
+  sops.secrets = {
+    "livekit-secret" = {
+      mode = "0440";
+      owner = "nginx";
+    };
+  };
+
+  services.livekit = {
+    enable = true;
+    keyFile = config.sops.secrets."livekit-secret".path;
+    openFirewall = true;
+    redis.port = 64484;
+    settings = {
+      port = livekit-port;
+      rtc = {
+        port_range_start = livekit-rtc-start;
+        port_range_end = livekit-rtc-end;
+        use_external_ip = true;
+      };
+    };
+  };
  # Configure continuwuity itself
  services.matrix-continuwuity = {
    enable = true;
@ -37,7 +63,12 @@ in {
      allow_registration = false;
      # emergency_password = "testpassword";
      turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
-      turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
+      matrix_rtc = {
+        foci = [
+          ''{type = "livekit", livekit_service_url = "https://${livekit-url}"},''
+        ];
+      };
+      turn-secret-file = config.sops.secrets."coturn-auth-secret".path;
      well_known = {
        server = "matrix.gladtherescake.eu:443";
        client = "https://matrix.gladtherescake.eu";
@ -63,7 +94,7 @@ in {
    enable = true;

    virtualHosts = {
-      "${server_name}" = {
+      "${livekit-url}" = {
        forceSSL = true;
        enableACME = true;

@ -90,6 +121,59 @@ in {
          }
        ];

+        locations."~ ^/(sfu/get|healthz|get_token)" = {
+          proxyPass = "http://127.0.0.1:${toString livekit-port}$request_uri";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+          '';
+        };
+
+        # for livekit
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString livekit-port}$request_uri;";
+          extraConfig = ''
+            X-Forwarded-For $remote_addr;"
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $http_host;
+            proxy_buffering off;
+
+            # websocket
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+          '';
+        };
+      };
+      "${server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = livekit-port;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = livekit-port;
+            ssl = true;
+          }
+        ];
+
        locations."/_matrix/" = {
          proxyPass = "http://backend_continuwuity";
          proxyWebsockets = true;