From 7e0d58c0971f8bc61a6242cfb645a465034cdf19 Mon Sep 17 00:00:00 2001
From: "Wyatt J. Miller" <wyatt@wyattjmiller.com>
Date: Mon, 23 Feb 2026 21:29:11 -0600
Subject: [PATCH] wip: modified livekit-key service

---
 modules/machine/yshtola/configuration.nix | 30 +++++++++++++----------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix
index e774ec6..6032b42 100644
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -1,4 +1,3 @@
-
 {
   pkgs,
   userName,
@@ -236,25 +235,30 @@ in {
 
   # Generate LiveKit key if it doesn't exist
   systemd.services.livekit-key = {
-    before = [
-      "lk-jwt-service.service"
-      "livekit.service"
-    ];
+    before = [ "lk-jwt-service.service" "livekit.service" ];
     wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [
-      livekit
-      coreutils
-      gawk
-    ];
+    path = with pkgs; [ coreutils openssl ];
     script = ''
-      echo "Key missing, generating key"
-      echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
+      set -eu
+
+      if [ -f "${livekitKeyFile}" ]; then
+        exit 0
+      fi
+
+      install -d -m 0700 "$(dirname "${livekitKeyFile}")"
+
+      API_KEY="$(openssl rand -hex 8)"
+      API_SECRET="$(openssl rand -hex 32)"
+
+      # keyFile format for nixpkgs services.livekit.keyFile:
+      # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key)
+      umask 077
+      printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
     '';
     serviceConfig = {
       Type = "oneshot";
       User = "root";
     };
-    unitConfig.ConditionPathExists = "!${livekitKeyFile}";
   };
 
   system.stateVersion = "25.11";