livekit

2026-04-01 14:20:27 -07:00 · 2026-04-01 14:20:27 -07:00 · 8fd56d0f3a
commit 8fd56d0f3a
parent b90f98eb64
5 changed files with 165 additions and 0 deletions
--- a/services/livekit.nix
+++ b/services/livekit.nix
@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+{
+  sops.secrets."livekit/api_key" = {
+    sopsFile = ./secrets/livekit_vps.yaml;
+    mode = "0400";
+  };
+  sops.secrets."livekit/api_secret" = {
+    sopsFile = ./secrets/livekit_vps.yaml;
+    mode = "0400";
+  };
+
+  # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
+  networking.firewall = {
+    allowedTCPPorts = [ 7881 ];
+    allowedUDPPortRanges = [
+      {
+        from = 50000;
+        to = 50200;
+      }
+    ];
+  };
+
+  systemd.services.livekit = {
+    description = "LiveKit SFU server";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      DynamicUser = true;
+      RuntimeDirectory = "livekit";
+      Restart = "always";
+      RestartSec = 5;
+    };
+
+    script = ''
+      API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
+      API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})
+
+      cat > /run/livekit/config.yaml <<YAML
+      port: 7880
+      bind_addresses:
+        - "127.0.0.1"
+      rtc:
+        port_range_start: 50000
+        port_range_end: 50200
+        use_external_ip: true
+        tcp_port: 7881
+      logging:
+        level: info
+      keys:
+        $API_KEY: $API_SECRET
+      YAML
+
+      exec ${pkgs.livekit}/bin/livekit-server --config /run/livekit/config.yaml
+    '';
+  };
+}