|
| 1 | +{ |
| 2 | + config, |
| 3 | + lib, |
| 4 | + pkgs, |
| 5 | + ... |
| 6 | +}: |
| 7 | +let |
| 8 | + cfg = config.services.lk-jwt-service; |
| 9 | +in |
| 10 | +{ |
| 11 | + meta.maintainers = [ lib.maintainers.quadradical ]; |
| 12 | + options.services.lk-jwt-service = { |
| 13 | + enable = lib.mkEnableOption "Enable lk-jwt-service"; |
| 14 | + package = lib.mkPackageOption pkgs "lk-jwt-service" { }; |
| 15 | + |
| 16 | + livekit = { |
| 17 | + url = lib.mkOption { |
| 18 | + type = lib.types.str; |
| 19 | + description = '' |
| 20 | + The URL that livekit runs on, prefixed with `ws://` or `wss://` (recommended). |
| 21 | + For example, `wss://example.com/livekit/sfu` |
| 22 | + ''; |
| 23 | + }; |
| 24 | + |
| 25 | + environmentFile = lib.mkOption { |
| 26 | + type = lib.types.path; |
| 27 | + description = '' |
| 28 | + Path to a file of environment variables, where you must declare some of: `LIVEKIT_KEY`, `LIVEKIT_SECRET`, `LIVEKIT_KEY_FROM_FILE`, `LIVEKIT_SECRET_FROM_FILE`, and/or `LIVEKIT_KEY_FILE`. |
| 29 | + For more information, see <https://github.com/element-hq/lk-jwt-service#configuration>. |
| 30 | + ''; |
| 31 | + }; |
| 32 | + }; |
| 33 | + |
| 34 | + port = lib.mkOption { |
| 35 | + type = lib.types.port; |
| 36 | + default = 8080; |
| 37 | + description = "Port that lk-jwt-service should listen on."; |
| 38 | + }; |
| 39 | + }; |
| 40 | + |
| 41 | + config = lib.mkIf cfg.enable { |
| 42 | + systemd.services.lk-jwt-service = { |
| 43 | + description = "Minimal service to issue LiveKit JWTs for MatrixRTC"; |
| 44 | + documentation = [ "https://github.com/element-hq/lk-jwt-service" ]; |
| 45 | + wantedBy = [ "multi-user.target" ]; |
| 46 | + wants = [ "network-online.target" ]; |
| 47 | + after = [ "network-online.target" ]; |
| 48 | + environment.LIVEKIT_URL = cfg.livekit.url; |
| 49 | + |
| 50 | + serviceConfig = { |
| 51 | + EnvironmentFile = cfg.livekit.environmentFile; |
| 52 | + DynamicUser = true; |
| 53 | + LockPersonality = true; |
| 54 | + MemoryDenyWriteExecute = true; |
| 55 | + ProtectClock = true; |
| 56 | + ProtectControlGroups = true; |
| 57 | + ProtectHostname = true; |
| 58 | + ProtectKernelLogs = true; |
| 59 | + ProtectKernelModules = true; |
| 60 | + ProtectKernelTunables = true; |
| 61 | + PrivateDevices = true; |
| 62 | + PrivateMounts = true; |
| 63 | + PrivateUsers = true; |
| 64 | + RestrictAddressFamilies = [ |
| 65 | + "AF_INET" |
| 66 | + "AF_INET6" |
| 67 | + ]; |
| 68 | + RestrictNamespaces = true; |
| 69 | + RestrictRealtime = true; |
| 70 | + ProtectHome = true; |
| 71 | + SystemCallArchitectures = "native"; |
| 72 | + SystemCallFilter = [ |
| 73 | + "@system-service" |
| 74 | + "~@privileged" |
| 75 | + "~@resources" |
| 76 | + ]; |
| 77 | + ExecStart = lib.getExe cfg.package; |
| 78 | + Restart = "on-failure"; |
| 79 | + RestartSec = 5; |
| 80 | + UMask = "077"; |
| 81 | + }; |
| 82 | + }; |
| 83 | + }; |
| 84 | +} |
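Review bot: The `port` option declared at lines 34–38 is never consumed by the service definition at lines 41–83, so setting `services.lk-jwt-service.port` has no effect and the daemon keeps whatever listen port it chooses on its own. If the daemon takes its port from the environment (it appears to be `LK_JWT_PORT`, but confirm the variable name against the upstream configuration docs linked at line 29), wire it in next to `LIVEKIT_URL`, e.g. `environment.LK_JWT_PORT = toString cfg.port;`; otherwise drop the option rather than ship a no-op. Separately, `lib.mkEnableOption "Enable lk-jwt-service"` renders as "Whether to enable Enable lk-jwt-service." because `mkEnableOption` already prefixes the wording, so it should read `lib.mkEnableOption "lk-jwt-service"`. Finally, `environmentFile` is typed `lib.types.path`, so a path literal such as `./livekit.env` would be copied into the world-readable Nix store together with the `LIVEKIT_SECRET` it holds; either state in the description that the value must be an absolute string path to a file kept outside the store, or type it as `lib.types.str`.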