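{ config, pkgs, lib, ... }:

let
  # lk-jwt-service isn't in nixpkgs — build from source.
  #
  # `hash` pins the exact upstream source tree and `vendorHash` pins the
  # vendored Go module set, so the build is reproducible and tamper-evident.
  # When bumping `version`/`rev`, reset both hashes to a fake value
  # (e.g. lib.fakeHash) and let the failing build print the real ones.
  lk-jwt-service = pkgs.buildGoModule {
    pname = "lk-jwt-service";
    version = "0.3.0";

    src = pkgs.fetchFromGitHub {
      owner = "element-hq";
      repo = "lk-jwt-service";
      rev = "v0.3.0";
      hash = "sha256-fA33LZkozPTng47kunXWkfUExVbMZsiL8Dtkm1hLV6U=";
    };

    vendorHash = "sha256-0A9pd+PAsGs4KS2BnCxc7PAaUAV3Z+XKNqSrmYvxNeM=";

    meta.mainProgram = "lk-jwt-service";
  };

  apiKeySecret = config.sops.secrets."livekit/api_key";
  apiSecretSecret = config.sops.secrets."livekit/api_secret";
in
{
  # Decrypted by sops-nix at activation. The files stay root-owned with mode
  # 0400: the service does NOT read them itself — systemd hands copies to the
  # unit via LoadCredential (below), so nothing has to be widened for the
  # DynamicUser. `restartUnits` makes a key rotation take effect without a
  # manual restart.
  sops.secrets."livekit/api_key" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    restartUnits = [ "lk-jwt.service" ];
  };

  sops.secrets."livekit/api_secret" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    restartUnits = [ "lk-jwt.service" ];
  };

  systemd.services.lk-jwt = {
    description = "LiveKit JWT service for Matrix OpenID token exchange";
    wantedBy = [ "multi-user.target" ];
    after = [
      "network-online.target"
      "livekit.service"
    ];
    wants = [ "network-online.target" ];

    serviceConfig = {
      DynamicUser = true;
      Restart = "always";
      RestartSec = 5;

      # systemd reads the root-owned 0400 secret files as root, before
      # switching to the dynamic user, and exposes private copies under
      # $CREDENTIALS_DIRECTORY that only this unit can read. Reading the
      # sops paths directly from the script would fail under DynamicUser
      # (or force loosening the on-disk mode/owner of the secrets).
      LoadCredential = [
        "livekit_key:${apiKeySecret.path}"
        "livekit_secret:${apiSecretSecret.path}"
      ];

      # Sandboxing. The service only needs TCP (HTTP listener, outbound
      # requests to the homeserver for OpenID verification) and no
      # filesystem state; AF_UNIX stays allowed for glibc NSS/DNS lookups
      # via the local nscd socket. Port 8080 is unprivileged, so the
      # capability set can be empty. Go does not JIT, so MDWE is safe.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
    };

    # Secrets are read from the per-unit credentials directory, not from the
    # sops paths. Plain assignments (rather than `export X=$(...)`) keep the
    # exit status of `cat`, so under the script's `set -e` a failed read
    # aborts the unit instead of starting the service with an empty key.
    #
    # NOTE(review): LK_JWT_PORT only sets the port; whether the listener
    # binds all interfaces is not visible here — confirm 8080 is reachable
    # only via the TLS-terminating reverse proxy and not directly from the
    # public interface.
    script = ''
      LIVEKIT_KEY="$(cat "$CREDENTIALS_DIRECTORY/livekit_key")"
      LIVEKIT_SECRET="$(cat "$CREDENTIALS_DIRECTORY/livekit_secret")"
      export LIVEKIT_KEY LIVEKIT_SECRET
      export LIVEKIT_URL="wss://livekit.ellie.town"
      export LK_JWT_PORT=8080

      exec ${lib.getExe lk-jwt-service}
    '';
  };
}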