Ellie 2026-04-01 14:46:37 -07:00
parent 6d8a3c0121
commit eb5b8052f6
2 changed files with 25 additions and 7 deletions


@ -4,12 +4,22 @@
sops.secrets."livekit/api_key" = { sops.secrets."livekit/api_key" = {
sopsFile = ./secrets/livekit_vps.yaml; sopsFile = ./secrets/livekit_vps.yaml;
mode = "0400"; mode = "0400";
owner = "livekit";
group = "livekit";
}; };
sops.secrets."livekit/api_secret" = { sops.secrets."livekit/api_secret" = {
sopsFile = ./secrets/livekit_vps.yaml; sopsFile = ./secrets/livekit_vps.yaml;
mode = "0400"; mode = "0400";
owner = "livekit";
group = "livekit";
}; };
users.users.livekit = {
isSystemUser = true;
group = "livekit";
};
users.groups.livekit = { };
# WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx. # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 7881 ]; allowedTCPPorts = [ 7881 ];
@ -28,7 +38,8 @@
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
DynamicUser = true; User = "livekit";
Group = "livekit";
RuntimeDirectory = "livekit"; RuntimeDirectory = "livekit";
Restart = "always"; Restart = "always";
RestartSec = 5; RestartSec = 5;
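Review bot: Replacing `DynamicUser = true` with `User`/`Group` in `serviceConfig` also drops the sandboxing that systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), and nothing visible in the hunk sets them again. A static user is a reasonable way to let the sops files be owned by `livekit`, but the hardening should then be restated explicitly. The same applies to the `lk-jwt` unit in the second file. The `serviceConfig` block continues past the end of this hunk, so confirm none of these options are already set further down before adding them.

```nix
serviceConfig = {
  User = "livekit";
  Group = "livekit";
  # Restate what DynamicUser = true used to imply.
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = "read-only";
  PrivateTmp = true;
  RemoveIPC = true;
  RestrictSUIDSGID = true;
  # … unchanged: RuntimeDirectory, Restart, RestartSec …
```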


@ -20,10 +20,14 @@ in
sops.secrets."livekit/api_key" = { sops.secrets."livekit/api_key" = {
sopsFile = ./secrets/livekit_vps.yaml; sopsFile = ./secrets/livekit_vps.yaml;
mode = "0400"; mode = "0400";
owner = "livekit";
group = "livekit";
}; };
sops.secrets."livekit/api_secret" = { sops.secrets."livekit/api_secret" = {
sopsFile = ./secrets/livekit_vps.yaml; sopsFile = ./secrets/livekit_vps.yaml;
mode = "0400"; mode = "0400";
owner = "livekit";
group = "livekit";
}; };
systemd.services.lk-jwt = { systemd.services.lk-jwt = {
@ -36,17 +40,20 @@ in
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
DynamicUser = true; User = "livekit";
Group = "livekit";
Restart = "always"; Restart = "always";
RestartSec = 5; RestartSec = 5;
}; };
script = '' environment = {
export LIVEKIT_URL="wss://livekit.ellie.town" LIVEKIT_URL = "wss://livekit.ellie.town";
export LIVEKIT_KEY=$(cat ${config.sops.secrets."livekit/api_key".path}) LIVEKIT_KEY_FILE = config.sops.secrets."livekit/api_key".path;
export LIVEKIT_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path}) LIVEKIT_SECRET_FILE = config.sops.secrets."livekit/api_secret".path;
export LK_JWT_PORT=8080 LK_JWT_PORT = "8080";
};
script = ''
exec ${lk-jwt-service}/bin/lk-jwt-service exec ${lk-jwt-service}/bin/lk-jwt-service
''; '';
}; };
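Review bot: The new `environment` block passes `LIVEKIT_KEY_FILE` and `LIVEKIT_SECRET_FILE`, but nothing on this page shows that the packaged `lk-jwt-service` reads those names or expects one value per file. To my knowledge, upstream releases have treated `LIVEKIT_KEY_FILE` as a single combined `key: secret` file, so check this against the pinned version; a mismatch would leave the service without usable credentials. A comment above the block such as `# variable names and file format must match the packaged lk-jwt-service` would record that dependency. Separately, `sops.secrets."livekit/api_key"` and `"livekit/api_secret"` are now declared with identical `owner`/`group` in both files, and NixOS will fail evaluation if the two copies ever diverge. Declaring them once in a shared module would avoid that.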