Setup element-call

2025-05-07 05:09:07 +02:00 · 2025-05-07 05:09:07 +02:00 · e99c3eea15
commit e99c3eea15
parent a2ce398565
9 changed files with 73 additions and 1 deletions
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@ -2,6 +2,7 @@
 {
  imports = [
    ./configuration.nix
+    ./element-call.nix
    ./hardware-configuration.nix
    ./postgresql.nix
    ./matrix-authentication-service.nix
--- a/config/hosts/matrix/element-call.nix
+++ b/config/hosts/matrix/element-call.nix
@ -0,0 +1,15 @@
+{ ... }:
+{
+  services.livekit = {
+    enable = true;
+    settings.rtc.use_external_ip = true;
+    openFirewall = true;
+    keyFile = "/secrets/matrix-livekit-secret-key.secret";
+  };
+  services.lk-jwt-service = {
+    enable = true;
+    port = 8082;
+    livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
+    keyFile = "/secrets/matrix-livekit-secret-key.secret";
+  };
+}
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@ -46,6 +46,28 @@
      ];
      turn_user_lifetime = 86400000;
      turn_allow_guests = true;
+      experimental_features = {
+        # MSC3266: Room summary API. Used for knocking over federation
+        msc3266_enabled = true;
+        # MSC4222 needed for syncv2 state_after. This allow clients to
+        # correctly track the state of the room.
+        msc4222_enabled = true;
+      };
+      # The maximum allowed duration by which sent events can be delayed, as
+      # per MSC4140.
+      max_event_delay_duration = "24h";
+      rc_message = {
+        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
+        # Note key sharing events are bursty
+        per_second = 0.5;
+        burst_count = 30;
+      };
+      rc_delayed_event_mgmt = {
+        # This needs to match at least the heart-beat frequency plus a bit of headroom
+        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
+        per_second = 1;
+        burst_count = 20;
+      };
    };
    extras = [ "oidc" ];
    extraConfigFiles = [
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -57,6 +57,29 @@
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

+          set_real_ip_from 10.202.41.100;
+          real_ip_header proxy_protocol;
+        '';
+      };
+      "matrix-rtc.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+        locations."^~ /livekit/jwt/" = {
+          proxyPass = "http://localhost:8082/";
+        };
+        locations."^~ /livekit/sfu/" = {
+          proxyPass = "http://localhost:7880/";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
        '';
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@ -49,5 +49,13 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
+    "matrix-livekit-secret-key.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "root";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
  };
 }
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -27,6 +27,7 @@
          id.nekover.se 10.202.41.124:8443;
          mas.nekover.se 10.202.41.112:8443;
          matrix.nekover.se 10.202.41.112:8443;
+          matrix-rtc.nekover.se 10.202.41.112:8443;
          mewtube.nekover.se 127.0.0.1:8443;
          nekover.se 127.0.0.1:8443;
          nix-cache.nekover.se 10.202.41.121:8443;
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -5,6 +5,7 @@ let
    "mail-1.grzb.de" = "mail-1.vs.grzb.de";
    "mas.nekover.se" = "matrix.vs.grzb.de";
    "matrix.nekover.se" = "matrix.vs.grzb.de";
+    "matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
    "netbox.grzb.de" = "netbox.vs.grzb.de";
    "git.nekover.se" = "forgejo.vs.grzb.de";
    "grafana.grzb.de" = "metrics.vs.grzb.de";
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -16,7 +16,7 @@
      '';
    };
    locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'";
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'";
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
--- a/hosts.nix
+++ b/hosts.nix
@ -68,6 +68,7 @@ in
      environment = "proxmox";
    };
    matrix = {
+      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };