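{ pkgs, userName, ... }:
let
  # Generated on first boot by the `livekit-key` oneshot below and shared by
  # LiveKit and lk-jwt-service so both sides agree on the API key/secret pair.
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  # Path to the file holding the Matrix registration token. This is a *path*,
  # so it must go to the `_file` variant of the tuwunel option (see below);
  # passing it to `registration_token` makes the token the literal string
  # "/var/lib/matrix.key".
  matrixRegistrationTokenFile = "/var/lib/matrix.key";
in
{
  imports = [ ../../pwrMgmt ];

  # Enable flakes for NixOS
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    download-buffer-size = 134217728; # 128 MiB in bytes
  };

  # Custom kernel/boot stuff
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # boot.loader.systemd-boot.enable = true; # TODO: check on this
  # boot.loader.efi.canTouchEfiVariables = true;

  # Set your timezone
  time.timeZone = "America/Detroit";

  # Enable OpenSSH (key-only, no root)
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # PasswordAuthentication=no alone leaves PAM challenge-response
      # (keyboard-interactive) available for password logins on NixOS,
      # where it defaults to yes; close that path as well.
      KbdInteractiveAuthentication = false;
    };
  };

  # Enable keyring
  services.gnome.gnome-keyring.enable = true;

  # Enable GnuPG
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Enable SUID wrappers (some programs need them)
  programs.mtr.enable = true;

  # Enable Polkit
  security.polkit.enable = true;

  # Power management (see ../../pwrMgmt/default.nix)
  pwrMgmt = {
    enable = true;
    cpuFreqGovernor = "performance";
    powertop.enable = false;
  };

  # Firewall settings (fallback, upstream way of doing things)
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      80   # Caddy: ACME HTTP-01 + HTTPS redirect
      443  # Caddy: chat./rtc. vhosts
      8448 # Caddy: Matrix federation vhost
      3478 # coturn STUN/TURN
      5349 # coturn TURN-over-TLS (only useful once coturn has cert/pkey)
      7880 # LiveKit signalling; also proxied by Caddy, and livekit.openFirewall opens it anyway
      7881 # LiveKit TCP RTC fallback
      # 8080/8081 are deliberately NOT opened: lk-jwt-service speaks plain HTTP
      # and is reached through the /sfu/get route on rtc.wyattjmiller.com,
      # so exposing it directly would bypass Caddy's TLS.
    ];
    # Matrix federation is HTTPS (TCP) only; 8448/udp was never used.
    allowedUDPPorts = [ 3478 ];
    allowedUDPPortRanges = [
      # TURN UDP relays; must match coturn min-port/max-port below
      { from = 49000; to = 50000; }
    ];
  };

  # Add username to groups "wheel" and "video" - more may be added here later
  users.users.${userName} = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
    ];
    extraGroups = [ "wheel" "video" "network" ];
  };

  # fail2ban (sshd jail is on by default; bans grow on repeat offenders)
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;
    maxretry = 5;
    bantime = "3h";
    bantime-increment = {
      enable = true;
      rndtime = "10m";
    };
  };

  # Matrix server
  services.matrix-tuwunel = {
    enable = true;
    package = pkgs.matrix-tuwunel;
    settings.global = {
      server_name = "chat.wyattjmiller.com";
      allow_encryption = true;
      allow_federation = true;
      # Registration stays open but is token-gated. `registration_token`
      # expects the token itself; the token lives in a file, so use the
      # `_file` variant (conduwuit/tuwunel option) that reads it from disk.
      allow_registration = true;
      registration_token_file = matrixRegistrationTokenFile;
      allow_unstable_room_versions = false;
      allow_experimental_room_versions = false;
      # encryption_enabled_by_default_for_room_type = false;
      zstd_compression = true;
      new_user_displayname_suffix = "✨";
      # Upload cap. 100 MiB = 104857600; the previous value 1048575600 was
      # ~1000 MiB, a 10x larger body than the comment intended.
      max_request_size = 104857600;
      database_backup_path = "/var/lib/tuwunel/database_backups";
      database_backups_to_keep = 2;
      # Loopback only; Caddy terminates TLS and proxies to 8008.
      address = [ "127.0.0.1" "::1" ];
      port = [ 8008 ];
      well_known = {
        client = "https://chat.wyattjmiller.com";
        # Peers that honour .well-known federate over :443, so the :8448
        # Caddy vhost only serves peers that skip the lookup.
        server = "chat.wyattjmiller.com:443";
        support_email = "wyatt@wyattjmiller.com";
        support_mxid = "@wymiller:chat.wyattjmiller.com";
        rtc_transports = [
          {
            type = "livekit";
            livekit_service_url = "https://rtc.wyattjmiller.com";
          }
        ];
      };
    };
  };

  # TURN/STUN server
  # NOTE(review): no credential mechanism (static-auth-secret / lt-cred-mech /
  # use-auth-secret) is configured here, and nothing in this file hands
  # turn_uris/turn_secret to tuwunel. Confirm coturn is still needed now that
  # LiveKit carries RTC; an unauthenticated relay is an abuse target.
  services.coturn = {
    enable = true;
    # NOTE(review): the telnet CLI on 127.0.0.1:5766 is enabled with no
    # cli-password set; set one or flip this to true.
    no-cli = false;
    no-tcp-relay = false;
    realm = "turn.wyattjmiller.com";
    min-port = 49000;
    max-port = 50000;
    extraConfig = ''
      verbose
      no-multicast-peers
      # Refuse to relay towards loopback, link-local, RFC 1918/ULA, CGNAT and
      # other reserved ranges so the relay cannot be used to reach this host
      # or anything on the LAN behind it.
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  # LiveKit (Matrix RTC)
  services.livekit = {
    enable = true;
    package = pkgs.livekit;
    openFirewall = true;
    keyFile = livekitKeyFile;
    settings = {
      port = 7880;
      room.auto_create = true;
      rtc.use_external_ip = true;
    };
  };

  # Reverse proxy
  services.caddy = {
    enable = true;
    package = pkgs.caddy;
    virtualHosts = {
      "chat.wyattjmiller.com".extraConfig = ''
        encode zstd gzip
        reverse_proxy localhost:8008
      '';
      # Federation listener for peers that do not honour .well-known.
      "chat.wyattjmiller.com:8448".extraConfig = ''
        encode zstd gzip
        reverse_proxy localhost:8008
      '';
      "rtc.wyattjmiller.com".extraConfig = ''
        # Token endpoint and health check go to lk-jwt-service, which listens
        # on services.lk-jwt-service.port (8080). The previous target, 8081,
        # has nothing listening on it in this file.
        @jwt_service {
          path /sfu/get* /healthz*
        }
        handle @jwt_service {
          reverse_proxy localhost:8080
        }
        # Everything else is LiveKit signalling. Caddy's reverse_proxy passes
        # WebSocket upgrades through on its own, so no Connection/Upgrade
        # header_up is required (forcing them on plain requests is wrong).
        handle {
          reverse_proxy localhost:7880
        }
      '';
    };
  };

  # LiveKit JWT service
  services.lk-jwt-service = {
    enable = true;
    # Reached only through the Caddy /sfu/get route; the port is not opened
    # in the firewall above.
    port = 8080;
    livekitUrl = "wss://rtc.wyattjmiller.com";
    keyFile = livekitKeyFile;
    # API keys come from keyFile. Do not put inline key/secret pairs in
    # `settings.keys`: this file is committed, and a leaked LiveKit secret
    # lets anyone mint room tokens.
  };

  # Generate the LiveKit API key/secret pair once, before either consumer starts.
  systemd.services.livekit-key = {
    description = "Generate LiveKit API key file on first boot";
    before = [ "lk-jwt-service.service" "livekit.service" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ coreutils openssl ];
    script = ''
      set -eu
      # -s rather than -f: a zero-byte file left by an interrupted run is
      # useless and must be regenerated, not treated as done.
      if [ -s "${livekitKeyFile}" ]; then
        exit 0
      fi
      install -d -m 0700 "$(dirname "${livekitKeyFile}")"
      umask 077
      API_KEY="$(openssl rand -hex 8)"
      API_SECRET="$(openssl rand -hex 32)"
      # keyFile format for nixpkgs services.livekit.keyFile:
      # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key).
      # Write to a temp file in the same directory and rename so the key
      # file appears atomically and never half-written.
      tmp="$(mktemp "${livekitKeyFile}.XXXXXX")"
      printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "$tmp"
      mv -f "$tmp" "${livekitKeyFile}"
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
  };

  system.stateVersion = "25.11";
}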