diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
index 5cafdf8..c6cd79a 100644
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./configuration.nix
+    ./element-call.nix
     ./hardware-configuration.nix
     ./postgresql.nix
     ./matrix-authentication-service.nix
diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix
new file mode 100644
index 0000000..1c8b442
--- /dev/null
+++ b/config/hosts/matrix/element-call.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+  services.livekit = {
+    enable = true;
+    settings.rtc.use_external_ip = true;
+    openFirewall = true;
+    keyFile = "/secrets/matrix-livekit-secret-key.secret";
+  };
+  services.lk-jwt-service = {
+    enable = true;
+    port = 8082;
+    livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
+    keyFile = "/secrets/matrix-livekit-secret-key.secret";
+  };
+}
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index 85e6735..82b82e1 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
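Review bot: `openFirewall = true` on `services.livekit` exposes the SFU's ports on every interface, while the rest of the change routes the HTTP/WebSocket side through nginx on `localhost:7880`; the file does not say which ports are opened or why they must bypass the reverse proxy, so a comment such as `# openFirewall: LiveKit's RTC/media ports must be reachable directly; signalling goes through nginx` would make the exposure reviewable (presumably the module opens only the media ports, but that is not visible here). Both services point at the same `keyFile`, which secrets.nix uploads as root:root with mode 0640; that only works if the units obtain the file through systemd credentials rather than reading the path as their own service user, so confirm this on the first deploy. `lk-jwt-service.port = 8082` matches the `proxyPass` target in the nginx hunk.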
@@ -46,6 +46,28 @@
       ];
       turn_user_lifetime = 86400000;
       turn_allow_guests = true;
+      experimental_features = {
+        # MSC3266: Room summary API. Used for knocking over federation
+        msc3266_enabled = true;
+        # MSC4222 needed for syncv2 state_after. This allow clients to
+        # correctly track the state of the room.
+        msc4222_enabled = true;
+      };
+      # The maximum allowed duration by which sent events can be delayed, as
+      # per MSC4140.
+      max_event_delay_duration = "24h";
+      rc_message = {
+        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
+        # Note key sharing events are bursty
+        per_second = 0.5;
+        burst_count = 30;
+      };
+      rc_delayed_event_mgmt = {
+        # This needs to match at least the heart-beat frequency plus a bit of headroom
+        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
+        per_second = 1;
+        burst_count = 20;
+      };
     };
     extras = [ "oidc" ];
     extraConfigFiles = [
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index 518fe1a..ce3ab3d 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -57,6 +57,29 @@
       extraConfig = ''
         listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+    "matrix-rtc.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+      ];
+      locations."^~ /livekit/jwt/" = {
+        proxyPass = "http://localhost:8082/";
+      };
+      locations."^~ /livekit/sfu/" = {
+        proxyPass = "http://localhost:7880/";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+        set_real_ip_from 10.202.41.100;
         real_ip_header proxy_protocol;
       '';
diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
index 24573fb..5121ded 100644
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
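Review bot: `rc_message` with `per_second = 0.5; burst_count = 30` lifts the per-user send-rate limit above Synapse's documented default (0.2/s, burst 10), and because `rc_message` applies to every client rather than only Element Call, the comment should state that flood protection is being relaxed server-wide to accommodate key-sharing bursts. The comment `# ... translates into a rate of 0.2s` mixes units; `0.2/s` (one event every 5 s) is what is meant. The `msc4222_enabled` comment reads `This allow clients to`; `This allows clients to`. The enclosing `settings` attribute set starts outside the hunk.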
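Review bot: The `set_real_ip_from 10.202.41.100;` / `real_ip_header proxy_protocol;` pair is now duplicated per virtual host (it appears twice in this hunk alone), so the set of upstream proxies trusted to assert client addresses is declared in several places and a future host can silently drop it and log or rate-limit on the proxy's address instead. Declaring both directives once at the http level via `services.nginx.commonHttpConfig` keeps that trust boundary in one spot. In the new `matrix-rtc.nekover.se` host, a short comment that the trailing slash in `proxyPass = "http://localhost:8082/"` strips the `/livekit/jwt/` prefix (and likewise for `/livekit/sfu/`) before forwarding would save the next reader from re-deriving nginx's prefix-rewrite rule. The hunk header claims six old-side lines but only four context lines survive in this paste, so some context may have been lost.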
@@ -49,5 +49,13 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
+    "matrix-livekit-secret-key.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "root";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index d2386b1..73699fb 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -27,6 +27,7 @@
       id.nekover.se 10.202.41.124:8443;
       mas.nekover.se 10.202.41.112:8443;
       matrix.nekover.se 10.202.41.112:8443;
+      matrix-rtc.nekover.se 10.202.41.112:8443;
       mewtube.nekover.se 127.0.0.1:8443;
       nekover.se 127.0.0.1:8443;
       nix-cache.nekover.se 10.202.41.121:8443;
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 06f828b..8f38379 100644
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -5,6 +5,7 @@ let
   "mail-1.grzb.de" = "mail-1.vs.grzb.de";
   "mas.nekover.se" = "matrix.vs.grzb.de";
   "matrix.nekover.se" = "matrix.vs.grzb.de";
+  "matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
   "netbox.grzb.de" = "netbox.vs.grzb.de";
   "git.nekover.se" = "forgejo.vs.grzb.de";
   "grafana.grzb.de" = "metrics.vs.grzb.de";
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index a6a0ef5..40ee30d 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
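Review bot: The new entry is uploaded as `root:root` with `0640`, i.e. unreadable by any service account, yet it is consumed by two non-root services (`services.livekit` and `services.lk-jwt-service` in element-call.nix); that is correct only if those units load the file through systemd credentials, and if either reads the path directly as its own user it will fail at start, so the ownership choice deserves a comment. The file is also the single shared LiveKit API key/secret pair, so a one-line note on its expected contents would help whoever rotates it, e.g. `# LiveKit key file ("<API key>: <secret>"), shared by livekit and lk-jwt-service`. The neighbouring entries follow the same layout, but only this one is visible in the hunk.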
@@ -16,7 +16,7 @@
       '';
     };
     locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'";
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'";
       extraConfig = ''
         default_type application/json;
         add_header Access-Control-Allow-Origin *;
diff --git a/hosts.nix b/hosts.nix
index 1dfc6fc..1c5e6db 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -68,6 +68,7 @@ in
     environment = "proxmox";
   };
   matrix = {
+    hostNixpkgs = nixpkgs-unstable;
     site = "vs";
     environment = "proxmox";
   };
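Review bot: The new `org.matrix.msc4143.rtc_foci` array contains a second element `{"type": "nextgen_new_foci_type", "props_for_nextgen_foci": "val"}` that looks copied verbatim from the MSC's illustrative example; it is not a real focus, yet it is now published to every client that fetches `/.well-known/matrix/client`. Only the LiveKit focus should be advertised: `\"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}]`. As a point of style, the hand-escaped JSON on a single line is now long enough that building it with `builtins.toJSON` from a Nix attribute set would remove the escaping and the dropped space after `\"org.matrix.msc3575.proxy\": {...},` that this edit introduced.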
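Review bot: Moving the matrix host to `nixpkgs-unstable` is left without a reason, and since it changes which channel supplies the homeserver's package and security updates, a comment stating why (presumably the `services.livekit` / `services.lk-jwt-service` modules not being available from the stable input) and when it can be reverted would help: `# unstable until the livekit / lk-jwt-service modules are available from the stable input`. `nixpkgs-unstable` must be bound in the `let` block above the hunk; only the closing `in` is visible here.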