From eb5b8052f68a97d007cf33d3d8c4926f3a5efc2c Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:46:37 -0700
Subject: [PATCH] secrets

---
 services/livekit.nix | 13 ++++++++++++-
 services/lk-jwt.nix | 19 +++++++++++++------
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/services/livekit.nix b/services/livekit.nix
index 2c37081..a4d6f7d 100644
--- a/services/livekit.nix
+++ b/services/livekit.nix
@@ -4,12 +4,22 @@
 sops.secrets."livekit/api_key" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 sops.secrets."livekit/api_secret" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
+ users.users.livekit = {
+ isSystemUser = true;
+ group = "livekit";
+ };
+ users.groups.livekit = { };
 # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
 networking.firewall = {
 allowedTCPPorts = [ 7881 ];
@@ -28,7 +38,8 @@
 wants = [ "network-online.target" ];
 serviceConfig = {
- DynamicUser = true;
+ User = "livekit";
+ Group = "livekit";
 RuntimeDirectory = "livekit";
 Restart = "always";
 RestartSec = 5;
diff --git a/services/lk-jwt.nix b/services/lk-jwt.nix
index e4a983a..b7f8160 100644
--- a/services/lk-jwt.nix
+++ b/services/lk-jwt.nix
@@ -20,10 +20,14 @@ in
 sops.secrets."livekit/api_key" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 sops.secrets."livekit/api_secret" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 systemd.services.lk-jwt = {
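Review bot: The `livekit` system user and group are declared only in this hunk of services/livekit.nix, while the first hunk of services/lk-jwt.nix sets `owner = "livekit"` / `group = "livekit"` on the same two sops secrets without declaring them; if that module is ever imported on a host that does not also import services/livekit.nix, sops-nix would be asked to chown the secret files to a user that does not exist. Declaring `users.users.livekit` and `users.groups.livekit` in both modules (identical definitions merge cleanly in the NixOS module system) or in a shared module removes the hidden ordering dependency between the two files. A short comment above the user block, `# Static user: sops-nix must chown the secret files to a stable UID/GID, which DynamicUser cannot provide`, would record why the static user exists at all.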
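Review bot: Replacing `DynamicUser = true` with a static `User`/`Group` in this serviceConfig hunk also silently drops the sandboxing that DynamicUser switches on implicitly (ProtectSystem=strict, ProtectHome, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID), so the daemon now runs as an ordinary unconfined system user with read access to the whole filesystem; the serviceConfig hunk in services/lk-jwt.nix has the same regression. Those settings should be re-added explicitly so the move to a static user only fixes secret-file ownership without widening what the process can reach. The enclosing systemd service definition starts and ends outside the hunk, so the block below is an excerpt of serviceConfig only.
```nix
    serviceConfig = {
      User = "livekit";
      Group = "livekit";
      # Hardening that DynamicUser applied implicitly; keep it with a static user.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      RemoveIPC = true;
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      # … unchanged: RuntimeDirectory, Restart, RestartSec …
```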
@@ -36,17 +40,20 @@ in
 wants = [ "network-online.target" ];
 serviceConfig = {
- DynamicUser = true;
+ User = "livekit";
+ Group = "livekit";
 Restart = "always";
 RestartSec = 5;
 };
- script = ''
- export LIVEKIT_URL="wss://livekit.ellie.town"
- export LIVEKIT_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
- export LIVEKIT_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})
- export LK_JWT_PORT=8080
+ environment = {
+ LIVEKIT_URL = "wss://livekit.ellie.town";
+ LIVEKIT_KEY_FILE = config.sops.secrets."livekit/api_key".path;
+ LIVEKIT_SECRET_FILE = config.sops.secrets."livekit/api_secret".path;
+ LK_JWT_PORT = "8080";
+ };
+ script = ''
 exec ${lk-jwt-service}/bin/lk-jwt-service
 '';
 };
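Review bot: The new `environment` block relies on lk-jwt-service reading `LIVEKIT_KEY_FILE` and `LIVEKIT_SECRET_FILE`; nothing in the hunk shows that the pinned release honours those names, and if it does not, the service would come up with no API credentials at runtime rather than failing at evaluation time, so confirm them against the binary's documented variables and check that it exits non-zero when a file is missing or unreadable. Handing over file paths instead of the old `$(cat …)` is the right direction, since the key and secret no longer sit in the process environment. With the script reduced to a single `exec`, `serviceConfig.ExecStart = "${lk-jwt-service}/bin/lk-jwt-service";` is the more direct form and avoids generating a shell wrapper. The enclosing service definition starts outside the hunk.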