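# NixOS host module: Matrix homeserver (tuwunel) + Matrix RTC (LiveKit) behind Caddy.
#
# Inputs: `pkgs` (nixpkgs set) and `userName` (the login account created on this host).
# Secrets are generated on first boot by two oneshot units (see `systemd.services`);
# their paths are the `*File` values below.
{ pkgs, userName, ... }: let
  # INFO: set these to your liking
  matrixFqdn = "chat.wyattjmiller.com";
  rtcFqdn = "rtc.wyattjmiller.com";
  supportEmail = "wyatt@wyattjmiller.com";
  # Secret files, created root-owned with mode 0600 by the *-gen units below.
  # NOTE(review): the consuming services must be able to read these (via a
  # systemd credential or matching ownership) - confirm against the nixpkgs
  # modules before relying on the generated files.
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  matrixRegistrationTokenFile = "/var/lib/matrix.key";
in {
  imports = [ ../../pwrMgmt ];

  # Enable flakes for NixOS
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nix.settings = {
    download-buffer-size = 134217728; # 128 MiB in bytes
  };

  # Custom kernel/boot stuff
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Set your timezone
  time.timeZone = "America/Detroit";

  # Enable OpenSSH (key-only auth, no root login)
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
  };

  # Enable keyring
  services.gnome.gnome-keyring.enable = true;

  # Enable GnuPG
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Enable SUID wrappers (some programs need them)
  programs.mtr.enable = true;

  # Enable Polkit
  security.polkit.enable = true;

  # Power management (see ../../pwrMgmt/default.nix)
  pwrMgmt = {
    enable = true;
    cpuFreqGovernor = "performance";
    powertop.enable = false;
  };

  # Firewall settings (fallback, upstream way of doing things)
  # 80/443: Caddy; 8448: Matrix federation; 3478/5349: TURN; 7880/7881: LiveKit.
  # NOTE(review): 8080 (lk-jwt-service) and 8081 are reachable here without
  # Caddy's TLS termination; the JWT service is already proxied under
  # /sfu/get* on ${rtcFqdn}, so 8080 likely does not need to be public.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 8448 3478 5349 7880 7881 8080 8081 ];
    allowedUDPPorts = [ 3478 7881 8448 ];
    allowedUDPPortRanges = [
      # TURN UDP relays
      { from = 49000; to = 50000; }
      # { from = 50100; to = 50200; }
    ];
  };

  # Add username to groups "wheel" and "video" - more may be added here later
  users.users.${userName} = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
    ];
    extraGroups = [ "wheel" "video" "network" ];
  };

  # fail2ban: 5 failures -> 3h ban, escalating on repeat offenders
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;
    maxretry = 5;
    bantime = "3h";
    bantime-increment = {
      enable = true;
      rndtime = "10m";
    };
  };

  # Matrix server
  services.matrix-tuwunel = {
    enable = true;
    package = pkgs.matrix-tuwunel;
    settings = {
      global = {
        server_name = matrixFqdn;
        allow_encryption = true;
        allow_federation = true;
        # Open registration is gated by a shared token. The token is READ FROM
        # the file (`registration_token_file`); assigning the path to
        # `registration_token` would make the literal path string the token.
        allow_registration = true;
        registration_token_file = matrixRegistrationTokenFile;
        allow_unstable_room_versions = false;
        allow_experimental_room_versions = false;
        zstd_compression = true;
        new_user_displayname_suffix = "✨";
        max_request_size = 1048575600; # 100MB in bytes, for file uploads
        database_backup_path = "/var/lib/tuwunel/database_backups";
        database_backups_to_keep = 2;
        # Loopback only; Caddy terminates TLS and proxies to 8008.
        address = [ "127.0.0.1" "::1" ];
        port = [ 8008 ];
        well_known = {
          client = "https://${matrixFqdn}";
          server = "${matrixFqdn}:443";
          support_email = supportEmail;
          support_mxid = "@wymiller:${matrixFqdn}";
          rtc_transports = [{
            type = "livekit";
            livekit_service_url = "https://${rtcFqdn}";
          }];
        };
      };
    };
  };

  # LiveKit (Matrix RTC)
  services.livekit = {
    enable = true;
    package = pkgs.livekit;
    openFirewall = true;
    keyFile = livekitKeyFile;
    settings = {
      port = 7880;
      room.auto_create = true;
      rtc = {
        use_external_ip = true;
      };
    };
  };

  # Reverse proxy
  services.caddy = {
    enable = true;
    package = pkgs.caddy;
    virtualHosts = {
      "${matrixFqdn}" = {
        extraConfig = ''
          encode zstd gzip
          reverse_proxy localhost:8008
        '';
      };
      "${matrixFqdn}:8448" = {
        extraConfig = ''
          encode zstd gzip
          reverse_proxy localhost:8008
        '';
      };
      # JWT endpoints go to lk-jwt-service; everything else (incl. WebSocket
      # upgrades) to LiveKit itself.
      "${rtcFqdn}" = {
        extraConfig = ''
          @jwt_service {
            path /sfu/get* /healthz*
          }
          handle @jwt_service {
            reverse_proxy localhost:8080
          }
          handle {
            reverse_proxy localhost:7880 {
              header_up Connection "upgrade"
              header_up Upgrade {http.request.header.Upgrade}
            }
          }
        '';
      };
    };
  };

  # LiveKit JWT service
  services.lk-jwt-service = {
    enable = true;
    port = 8080;
    livekitUrl = "wss://${rtcFqdn}";
    keyFile = livekitKeyFile;
  };

  # Generate the Matrix registration token and the LiveKit API key/secret on
  # first boot (idempotent: each unit exits early if its file already exists).
  # Both write with umask 077 so the secrets are created root:root 0600.
  systemd.services = {
    matrix-registration-token-gen = {
      before = [ "tuwunel.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils openssl ];
      script = ''
        set -eu
        if [ -f "${matrixRegistrationTokenFile}" ]; then
          exit 0
        fi
        dir="$(dirname "${matrixRegistrationTokenFile}")"
        # Only create the parent when it is missing: `install -d -m 0700` also
        # re-chmods an EXISTING directory, which for a path directly under
        # /var/lib would lock every other service out of /var/lib.
        if [ ! -d "$dir" ]; then
          install -d -m 0700 "$dir"
        fi
        TOKEN="$(openssl rand -hex 32)"
        umask 077
        printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}"
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };
    livekit-key-gen = {
      before = [ "lk-jwt-service.service" "livekit.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils openssl ];
      script = ''
        set -eu
        if [ -f "${livekitKeyFile}" ]; then
          exit 0
        fi
        dir="$(dirname "${livekitKeyFile}")"
        # Same guard as above: do not re-chmod a directory that already exists
        # (e.g. a state directory owned by the livekit service user).
        if [ ! -d "$dir" ]; then
          install -d -m 0700 "$dir"
        fi
        # LiveKit key-file format is one "<api-key>: <api-secret>" line.
        API_KEY="$(openssl rand -hex 8)"
        API_SECRET="$(openssl rand -hex 32)"
        umask 077
        printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };
  };

  system.stateVersion = "25.11";
}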