proxy/services/livekit.nix

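# LiveKit SFU plus lk-jwt-service, configured from ../config/services.nix
# (the `livekit` attribute). Every option below is gated on cfg.enable, and
# the gate sits on the whole service / cert entry rather than on a nested
# attribute, so a disabled service leaves no stray systemd unit or ACME
# certificate definition behind.
{ config, lib, pkgs, ... }:
let
  serviceConfig = import ../config/services.nix;
  cfg = serviceConfig.livekit;
  # "apikey: secret" file shared by livekit and lk-jwt-service. Generated once
  # by livekit-key.service below when it does not exist yet.
  keyFile = cfg.keyFile;
  # ACME certificate directory for cfg.domain; its full.pem/key.pem are handed
  # to livekit for the built-in TURN TLS listener.
  acmeDir = config.security.acme.certs.${cfg.domain}.directory;
  publicUrl = "wss://${cfg.domain}";
  # Fail evaluation with a readable message if the option has the wrong type.
  trustedHomeservers =
    if builtins.isList cfg.trusted_homeservers then
      cfg.trusted_homeservers
    else
      throw "config/services.nix livekit.trusted_homeservers must be a list of domains.";
  trustedHomeserversEnv = builtins.concatStringsSep "," trustedHomeservers;
in
{
  services.livekit = lib.mkIf cfg.enable {
    enable = true;
    inherit keyFile;
    openFirewall = true;
    settings = {
      port = cfg.port;
      # Disable implicit room creation.
      room.auto_create = false;
      rtc = {
        port_range_start = cfg.rtc_port_range_start;
        port_range_end = cfg.rtc_port_range_end;
      };
      turn = {
        enabled = true;
        udp_port = cfg.turn_port;
        tls_port = cfg.turn_tls_port;
        relay_range_start = cfg.turn_relay_range_start;
        relay_range_end = cfg.turn_relay_range_end;
        domain = cfg.domain;
        # Read from the systemd credentials directory, populated by the
        # LoadCredential entries below.
        cert_file = "/run/credentials/livekit.service/turn-cert";
        key_file = "/run/credentials/livekit.service/turn-key";
      };
    };
  };

  # Provide the ACME cert/key to livekit via systemd credentials. mkAfter keeps
  # any LoadCredential entries the upstream module sets itself.
  systemd.services.livekit = lib.mkIf cfg.enable {
    serviceConfig.LoadCredential = lib.mkAfter [
      "turn-cert:${acmeDir}/full.pem"
      "turn-key:${acmeDir}/key.pem"
    ];
  };

  # Restart livekit when ACME renews the cert used for built-in TURN TLS.
  security.acme.certs.${cfg.domain} = lib.mkIf cfg.enable {
    postRun = "systemctl restart livekit.service";
  };

  services.lk-jwt-service = lib.mkIf cfg.enable {
    enable = true;
    livekitUrl = publicUrl;
    inherit keyFile;
    port = cfg.jwt_port;
  };

  # One-shot key generation. Runs only while keyFile is absent
  # (ConditionPathExists below) and must finish before either consumer starts.
  systemd.services.livekit-key = lib.mkIf cfg.enable {
    before = [
      "lk-jwt-service.service"
      "livekit.service"
    ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [
      livekit
      coreutils
      gawk
    ];
    script = ''
      # Without pipefail a failing livekit-server would still "succeed" via
      # tail/awk and an empty secret would be written, after which
      # ConditionPathExists would never let this unit regenerate it.
      set -o pipefail
      echo "Key missing, generating key"
      mkdir -p "$(dirname "${keyFile}")"
      secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
      if [ -z "$secret" ]; then
        echo "livekit-server generate-keys produced no secret; not writing ${keyFile}" >&2
        exit 1
      fi
      # The default service umask (0022) would leave the API secret
      # world-readable (0644); restrict the new file to its owner.
      # NOTE(review): assumes the consumers read keyFile via LoadCredential
      # (as root) rather than directly as an unprivileged user — confirm
      # against the upstream livekit / lk-jwt-service modules.
      umask 077
      # Write to a temp file and rename so a partially written key file can
      # never satisfy ConditionPathExists.
      tmp="$(mktemp "${keyFile}.XXXXXX")"
      printf 'lk-jwt-service: %s\n' "$secret" > "$tmp"
      mv "$tmp" "${keyFile}"
    '';
    serviceConfig.Type = "oneshot";
    unitConfig.ConditionPathExists = "!${keyFile}";
  };

  systemd.services.lk-jwt-service = lib.mkIf cfg.enable {
    environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv;
  };

  # RTC media range, TURN relay range and the TURN UDP port. openFirewall above
  # may already cover part of this; the explicit ranges keep the policy visible
  # in one place.
  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable (
    lib.range cfg.rtc_port_range_start cfg.rtc_port_range_end
    ++ lib.range cfg.turn_relay_range_start cfg.turn_relay_range_end
    ++ [ cfg.turn_port ]
  );

  # HTTP API/signalling port, RTC-over-TCP, and the TURN TCP/TLS ports.
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
    # Must follow settings.port above rather than a hard-coded 7880, or a
    # non-default API port ends up blocked while 7880 is opened for nothing.
    cfg.port
    # livekit's default RTC TCP port; settings.rtc.tcp_port is not set above,
    # so the default applies — TODO confirm if that option is ever changed.
    7881
    cfg.turn_port
    cfg.turn_tls_port
  ];
}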