livekit

2026-04-01 14:20:27 -07:00 · 2026-04-01 14:20:27 -07:00 · 8fd56d0f3a
commit 8fd56d0f3a
parent b90f98eb64
5 changed files with 165 additions and 0 deletions
--- a/services/lk-jwt.nix
+++ b/services/lk-jwt.nix
@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # lk-jwt-service isn't in nixpkgs — build from source.
+  # On first `nix build`, the fake hashes will fail and print the correct ones.
+  lk-jwt-service = pkgs.buildGoModule {
+    pname = "lk-jwt-service";
+    version = "0.3.0";
+    src = pkgs.fetchFromGitHub {
+      owner = "element-hq";
+      repo = "lk-jwt-service";
+      rev = "v0.3.0";
+      hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+    };
+    vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+    meta.mainProgram = "lk-jwt-service";
+  };
+in
+{
+  sops.secrets."livekit/api_key" = {
+    sopsFile = ./secrets/livekit_vps.yaml;
+    mode = "0400";
+  };
+  sops.secrets."livekit/api_secret" = {
+    sopsFile = ./secrets/livekit_vps.yaml;
+    mode = "0400";
+  };
+
+  systemd.services.lk-jwt = {
+    description = "LiveKit JWT service for Matrix OpenID token exchange";
+    wantedBy = [ "multi-user.target" ];
+    after = [
+      "network-online.target"
+      "livekit.service"
+    ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      DynamicUser = true;
+      Restart = "always";
+      RestartSec = 5;
+    };
+
+    script = ''
+      export LIVEKIT_URL="wss://livekit.ellie.town"
+      export LIVEKIT_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
+      export LIVEKIT_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})
+      export LK_JWT_PORT=8080
+
+      exec ${lk-jwt-service}/bin/lk-jwt-service
+    '';
+  };
+}