home-server/services/livekit.nix

{ config, pkgs, ... }:

{
  sops.secrets."livekit/api_key" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    owner = "livekit";
    group = "livekit";
  };
  sops.secrets."livekit/api_secret" = {
    sopsFile = ./secrets/livekit_vps.yaml;
    mode = "0400";
    owner = "livekit";
    group = "livekit";
  };

  users.users.livekit = {
    isSystemUser = true;
    group = "livekit";
  };
  users.groups.livekit = { };

  # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
  networking.firewall = {
    allowedTCPPorts = [ 7881 ];
    allowedUDPPortRanges = [
      {
        from = 50000;
        to = 50200;
      }
    ];
  };

  systemd.services.livekit = {
    description = "LiveKit SFU server";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    serviceConfig = {
      User = "livekit";
      Group = "livekit";
      RuntimeDirectory = "livekit";
      Restart = "always";
      RestartSec = 5;
    };

    script = ''
      API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
      API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})

      cat > /run/livekit/config.yaml <<YAML
      port: 7880
      bind_addresses:
        - "127.0.0.1"
      rtc:
        port_range_start: 50000
        port_range_end: 50200
        use_external_ip: true
        tcp_port: 7881
      logging:
        level: info
      keys:
        $API_KEY: $API_SECRET
      YAML

      exec ${pkgs.livekit}/bin/livekit-server --config /run/livekit/config.yaml
    '';
  };
}
livekit 2026-04-01 14:20:27 -07:00			`{ config, pkgs, ... }:`

			`{`
			`sops.secrets."livekit/api_key" = {`
			`sopsFile = ./secrets/livekit_vps.yaml;`
			`mode = "0400";`
secrets 2026-04-01 14:46:37 -07:00			`owner = "livekit";`
			`group = "livekit";`
livekit 2026-04-01 14:20:27 -07:00			`};`
			`sops.secrets."livekit/api_secret" = {`
			`sopsFile = ./secrets/livekit_vps.yaml;`
			`mode = "0400";`
secrets 2026-04-01 14:46:37 -07:00			`owner = "livekit";`
			`group = "livekit";`
livekit 2026-04-01 14:20:27 -07:00			`};`

secrets 2026-04-01 14:46:37 -07:00			`users.users.livekit = {`
			`isSystemUser = true;`
			`group = "livekit";`
			`};`
			`users.groups.livekit = { };`

livekit 2026-04-01 14:20:27 -07:00			`# WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.`
			`networking.firewall = {`
			`allowedTCPPorts = [ 7881 ];`
			`allowedUDPPortRanges = [`
			`{`
			`from = 50000;`
			`to = 50200;`
			`}`
			`];`
			`};`

			`systemd.services.livekit = {`
			`description = "LiveKit SFU server";`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`

			`serviceConfig = {`
secrets 2026-04-01 14:46:37 -07:00			`User = "livekit";`
			`Group = "livekit";`
livekit 2026-04-01 14:20:27 -07:00			`RuntimeDirectory = "livekit";`
			`Restart = "always";`
			`RestartSec = 5;`
			`};`

			`script = ''`
			`API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})`
			`API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})`

			`cat > /run/livekit/config.yaml <<YAML`
			`port: 7880`
			`bind_addresses:`
			`- "127.0.0.1"`
			`rtc:`
			`port_range_start: 50000`
			`port_range_end: 50200`
			`use_external_ip: true`
			`tcp_port: 7881`
			`logging:`
			`level: info`
			`keys:`
			`$API_KEY: $API_SECRET`
			`YAML`

			`exec ${pkgs.livekit}/bin/livekit-server --config /run/livekit/config.yaml`
			`'';`
			`};`
			`}`