wip: modified livekit-key service

modules/machine/yshtola/configuration.nix

@@ -1,4 +1,3 @@
-
 {
   pkgs,
   userName,
@@ -236,25 +235,30 @@ in {
 
   # Generate LiveKit key if it doesn't exist
   systemd.services.livekit-key = {
-    before = [
+    before = [ "lk-jwt-service.service" "livekit.service" ];
-      "lk-jwt-service.service"
-      "livekit.service"
-    ];
     wantedBy = [ "multi-user.target" ];
-    path = with pkgs; [
+    path = with pkgs; [ coreutils openssl ];
-      livekit
-      coreutils
-      gawk
-    ];
     script = ''
-      echo "Key missing, generating key"
+      set -eu
-      echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
+
+      if [ -f "${livekitKeyFile}" ]; then
+        exit 0
+      fi
+
+      install -d -m 0700 "$(dirname "${livekitKeyFile}")"
+
+      API_KEY="$(openssl rand -hex 8)"
+      API_SECRET="$(openssl rand -hex 32)"
+
+      # keyFile format for nixpkgs services.livekit.keyFile:
+      # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key)
+      umask 077
+      printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
     '';
     serviceConfig = {
       Type = "oneshot";
       User = "root";
     };
-    unitConfig.ConditionPathExists = "!${livekitKeyFile}";
   };
 
   system.stateVersion = "25.11";