
Commit d3f22ba

committed
nixos/livekit: init
1 parent 2ad2e85 commit d3f22ba


1 file changed

+135
-0
lines changed

1 file changed

+135
-0
lines changed
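--- /dev/null
+++ b/<PATH-NOT-SHOWN: nixos livekit module>
@@ -0,0 +1,135 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  cfg = config.services.livekit;
+  format = pkgs.formats.json { };
+in
+{
+  meta.maintainers = with lib.maintainers; [ quadradical ];
+  options.services.livekit = {
+    enable = lib.mkEnableOption "Enable the livekit server";
+    package = lib.mkPackageOption pkgs "livekit" { };
+
+    keyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        LiveKit key file, with syntax `APIkey: secret`.
+        The key and secret are used by other clients or services to connect to your Livekit instance.
+      '';
+    };
+
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Opens port range for LiveKit on the firewall.";
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          port = lib.mkOption {
+            type = lib.types.port;
+            default = 7880;
+            description = "Main TCP port for RoomService and RTC endpoint.";
+          };
+
+          rtc = {
+            port_range_start = lib.mkOption {
+              type = lib.types.int;
+              default = 50000;
+              description = "Start of UDP port range for WebRTC";
+            };
+
+            port_range_end = lib.mkOption {
+              type = lib.types.int;
+              default = 51000;
+              description = "End of UDP port range for WebRTC";
+            };
+
+            use_external_ip = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = ''
+                When set to true, attempts to discover the host's public IP via STUN.
+                This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
+              '';
+            };
+          };
+        };
+      };
+      default = { };
+      description = ''
+        LiveKit configuration file expressed in nix.
+
+        For an example configuration, see <https://docs.livekit.io/home/self-hosting/deployment/#configuration>.
+        For all possible values, see <https://github.com/livekit/livekit/blob/master/config-sample.yaml>.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        cfg.settings.port
+      ];
+      allowedUDPPortRanges = [
+        {
+          from = cfg.settings.rtc.port_range_start;
+          to = cfg.settings.rtc.port_range_end;
+        }
+      ];
+    };
+
+    systemd.services.livekit = {
+      description = "LiveKit SFU server";
+      documentation = [ "https://docs.livekit.io" ];
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      serviceConfig = {
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateUsers = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        LoadCredential = [ "livekit-secrets:${cfg.keyFile}" ];
+        ExecStart = utils.escapeSystemdExecArgs [
+          (lib.getExe cfg.package)
+          "--config=${format.generate "livekit.json" cfg.settings}"
+          "--key-file=/run/credentials/livekit.service/livekit-secrets"
+        ];
+        Restart = "on-failure";
+        RestartSec = 5;
+        UMask = "077";
+      };
+    };
+  };
+}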
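Review bot: The `keyFile` option is typed `lib.types.path`, so a Nix path literal such as `./livekit.keys` is copied into the world-readable Nix store before the `LoadCredential = [ "livekit-secrets:${cfg.keyFile}" ]` entry ever reads it, which undermines the credential handling the service is built around; the description should state the constraint, e.g. append `This file must not live in the Nix store; pass an absolute string path such as "/var/lib/secrets/livekit.keys" rather than a path literal.`. The same caveat applies to `settings`: `format.generate "livekit.json" cfg.settings` writes the whole attribute set to the store, so redis or TURN credentials placed there become world-readable, and one sentence in that description directing such values to `keyFile` or a credential mechanism would prevent it. Separately, `rtc.port_range_start` and `rtc.port_range_end` are `lib.types.int`; `lib.types.port` would reject out-of-range values at evaluation time, and an assertion that the start is below the end would catch a reversed range before it reaches both `allowedUDPPortRanges` and the generated config.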
