wip: added configuration changes to tuwunel, livekit, lk-jwt-service

2026-02-23 21:53:20 -05:00
parent aea71bb49b
commit f2ae159c67
3 changed files with 112 additions and 46 deletions


@@ -1,18 +1,4 @@
{ lib, pkgs, isNixOS ? true, ... }: { lib, pkgs, isNixOS ? true, ... }:
lib.mkIf pkgs.stdenv.isLinux { lib.mkIf pkgs.stdenv.isLinux {
home.packages = with pkgs; [
imv
xdg-utils
] ++ lib.optionals isNixOS [
betterdiscordctl
vesktop
xfce.thunar
pavucontrol
godot
aseprite
zathura
gpu-screen-recorder
gpu-screen-recorder-gtk
inetutils
];
} }


@@ -3,19 +3,25 @@
pkgs, pkgs,
userName, userName,
... ...
}: { }:let
livekitKeyFile = "/var/lib/livekit/livekit.key";
matrixRegistrationTokenFile = "/var/lib/matrix.key";
in {
imports = [ imports = [
../../pwrMgmt ../../pwrMgmt
../../networking/core.nix
]; ];
# Enable flakes for NixOS # Enable flakes for NixOS
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
nix.settings = {
download-buffer-size = 134217728; # 128 MiB in bytes
};
# Custom kernel/boot stuff # Custom kernel/boot stuff
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = true; # TODO: check on this # boot.loader.systemd-boot.enable = true; # TODO: check on this
boot.loader.efi.canTouchEfiVariables = true; # boot.loader.efi.canTouchEfiVariables = true;
# Set your timezone # Set your timezone
time.timeZone = "America/Detroit"; time.timeZone = "America/Detroit";
@@ -23,8 +29,8 @@
# Enable OpenSSH # Enable OpenSSH
services.openssh = { services.openssh = {
enable = true; enable = true;
PermitRootLogin = "no"; settings.PermitRootLogin = "no";
PasswordAuthentication = "no"; settings.PasswordAuthentication = false;
}; };
# Enable keyring # Enable keyring
@@ -49,32 +55,34 @@
powertop.enable = false; powertop.enable = false;
}; };
# Core networking module (see ../../networking/core.nix)
network = {
networkManager.enable = true;
};
# Firewall settings (fallback, upstream way of doing things) # Firewall settings (fallback, upstream way of doing things)
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
80
443
8448
3478 3478
5349 5349
7880 7880
7881 7881
8080 8080
8081
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
3478 3478
8448
]; ];
allowedUDPPortRanges =[ allowedUDPPortRanges =[
# TURN UDP relays
{ {
from = 49000; from = 49000;
to = 50000; to = 50000;
} }
#
{ {
from = 50100; from = 50100;
to = 50200; to = 50200;
@@ -109,17 +117,17 @@
package = pkgs.matrix-tuwunel; package = pkgs.matrix-tuwunel;
settings = { settings = {
global = { global = {
server_name = "wyattjmiller.com"; server_name = "chat.wyattjmiller.com";
allow_encryption = true; allow_encryption = true;
allow_federation = true; allow_federation = true;
allow_registration = false; allow_registration = true;
registration_token = matrixRegistrationTokenFile;
allow_unstable_room_versions = false; allow_unstable_room_versions = false;
allow_experimental_room_versions = false; allow_experimental_room_versions = false;
encryption_enabled_by_default_for_room_type = "all"; # encryption_enabled_by_default_for_room_type = false;
zstd_compression = true; zstd_compression = true;
new_user_displayname_suffix = ""; new_user_displayname_suffix = "";
max_request_size = 1048575600; # 100MB in bytes, for file uploads max_request_size = 1048575600; # 100MB in bytes, for file uploads
database_path = "/var/lib/tuwunel";
database_backup_path = "/var/lib/tuwunel/database_backups"; database_backup_path = "/var/lib/tuwunel/database_backups";
database_backups_to_keep = 2; database_backups_to_keep = 2;
@@ -133,22 +141,39 @@
client = "https://chat.wyattjmiller.com"; client = "https://chat.wyattjmiller.com";
server = "chat.wyattjmiller.com:443"; server = "chat.wyattjmiller.com:443";
support_email = "wyatt@wyattjmiller.com"; support_email = "wyatt@wyattjmiller.com";
support_mxid = "@wymiller:wyattjmiller.com"; support_mxid = "@wymiller:chat.wyattjmiller.com";
rtc_transports = { rtc_transports = [{
type = "livekit"; type = "livekit";
livekit_service_url = "https://rtc.wyattjmiller.com"; livekit_service_url = "https://rtc.wyattjmiller.com";
}; }];
}; };
}; };
}; };
}; };
# TURN/STUN server
services.coturn = {
enable = true;
no-cli = false;
no-tcp-relay = false;
realm = "turn.wyattjmiller.com";
min-port = 49000;
max-port = 50000;
# TODO: fill out this extraConfig option a bit more with denial of private IP addresses
extraConfig = ''
verbose
no-multicast-peers
'';
};
# LiveKit (Matrix RTC) # LiveKit (Matrix RTC)
services.livekit = { services.livekit = {
enable = true; enable = true;
package = pkgs.livekit; package = pkgs.livekit;
openFirewall = true; openFirewall = true;
keyFile = livekitKeyFile;
settings = { settings = {
port = 7880; port = 7880;
room.auto_create = true; room.auto_create = true;
@@ -169,7 +194,7 @@
reverse_proxy localhost:8008 reverse_proxy localhost:8008
''; '';
}; };
"chat.wyattjmiller.com:8443" = { "chat.wyattjmiller.com:8448" = {
extraConfig = '' extraConfig = ''
encode zstd gzip encode zstd gzip
reverse_proxy localhost:8008 reverse_proxy localhost:8008
@@ -196,20 +221,40 @@
}; };
}; };
# TURN/STUN server # LiveKit JWT service
services.coturn = { services.lk-jwt-service = {
enable = true; enable = true;
no-cli = false; port = 8080;
no-tcp-relay = false; livekitUrl = "wss://rtc.wyattjmiller.com";
realm = "turn.wyattjmiller.com"; keyFile = livekitKeyFile;
min-port = 49000; # settings = {
max-port = 50000; # keys = {
# "2rew2444" = "aAssWw18asef3fa5ldehHhjunlijj8x=";
# };
# };
};
# TODO: fill out this extraConfig option a bit more with denial of private IP addresses # Generate LiveKit key if it doesn't exist
extraConfig = '' systemd.services.livekit-key = {
verbose before = [
no-multicast-peers "lk-jwt-service.service"
"livekit.service"
];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
livekit
coreutils
gawk
];
script = ''
echo "Key missing, generating key"
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
''; '';
serviceConfig = {
Type = "oneshot";
User = "root";
};
unitConfig.ConditionPathExists = "!${livekitKeyFile}";
}; };
system.stateVersion = "25.11"; system.stateVersion = "25.11";
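Review bot: `registration_token = matrixRegistrationTokenFile;` in the tuwunel `global` block assigns the path string `/var/lib/matrix.key` as the token itself rather than the file's contents, so together with the new `allow_registration = true` the registration secret is a guessable literal; if tuwunel still exposes conduwuit's `registration_token_file` option this should read `registration_token_file = matrixRegistrationTokenFile;`, and nothing in this commit appears to create that file, unlike the LiveKit key. In the `livekit-key` unit at the end of the last hunk, the script writes the secret under the service's default umask (presumably world-readable — worth confirming), and because a failing `$(…)` inside `echo` does not abort the unit, a failed `generate-keys` leaves a file with an empty secret that `unitConfig.ConditionPathExists = "!${livekitKeyFile}"` then never regenerates; setting `umask 077` and refusing to write an empty secret addresses both. The commented-out `settings.keys` block under `services.lk-jwt-service` still carries what looks like a key/secret pair and should be removed from the commit (and rotated if it was ever live). The enclosing module attribute set begins before the first hunk and ends after the last.
```nix
script = ''
  umask 077
  secret="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
  [ -n "$secret" ] || { echo "livekit key generation produced no secret" >&2; exit 1; }
  echo "lk-jwt-service: $secret" > "${livekitKeyFile}"
'';
# … unchanged: serviceConfig, unitConfig.ConditionPathExists …
```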


@@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
boot.kernelParams = [ "console=ttyS0,19200n8" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial;
'';
boot.loader.grub.forceInstall = true;
# boot.loader.grub.enable = true;
boot.loader.grub.device = "nodev";
boot.loader.timeout = 10;
fileSystems."/" =
{ device = "/dev/sda";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/sdb"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}