From 8fd56d0f3ad405595fd70085d20e88321c632401 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:20:27 -0700
Subject: [PATCH 1/4] livekit

---
 flake.nix | 2 ++
 services/livekit.nix | 59 +++++++++++++++++++++++++++++++
 services/lk-jwt.nix | 53 +++++++++++++++++++++++++++
 services/secrets/livekit_vps.yaml | 18 ++++++++++
 services/wireguard-outer.nix | 33 +++++++++++++++++
 5 files changed, 165 insertions(+)
 create mode 100644 services/livekit.nix
 create mode 100644 services/lk-jwt.nix
 create mode 100644 services/secrets/livekit_vps.yaml

diff --git a/flake.nix b/flake.nix
index 7ac02c3..082c2be 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,8 @@
 ./services/nginx.nix
 ./services/blog.nix
 ./services/coturn.nix
+ ./services/livekit.nix
+ ./services/lk-jwt.nix
 ./services/wireguard-outer.nix
 ./services/borgbackup-vps.nix
 ];
diff --git a/services/livekit.nix b/services/livekit.nix
new file mode 100644
index 0000000..2c37081
--- /dev/null
+++ b/services/livekit.nix
@@ -0,0 +1,59 @@ +{ config, pkgs, ... }: + +{ + sops.secrets."livekit/api_key" = { + sopsFile = ./secrets/livekit_vps.yaml; + mode = "0400"; + }; + sops.secrets."livekit/api_secret" = { + sopsFile = ./secrets/livekit_vps.yaml; + mode = "0400"; + }; + + # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx. + networking.firewall = { + allowedTCPPorts = [ 7881 ]; + allowedUDPPortRanges = [ + { + from = 50000; + to = 50200; + } + ]; + }; + + systemd.services.livekit = { + description = "LiveKit SFU server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + + serviceConfig = { + DynamicUser = true; + RuntimeDirectory = "livekit"; + Restart = "always"; + RestartSec = 5; + }; + + script = '' + API_KEY=$(cat ${config.sops.secrets."livekit/api_key".path}) + API_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path}) + + cat > /run/livekit/config.yaml < Date: Wed, 1 Apr 2026 14:40:27 -0700 Subject: [PATCH 2/4] hashes --- result | 1 + services/lk-jwt.nix | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 120000 result diff --git a/result b/result new file mode 120000 index 0000000..62fedd1 --- /dev/null +++ b/result @@ -0,0 +1 @@ +/nix/store/252q6jdcng8my1dsrxb8j5klf1yzaikp-nixos-system-nixos-25.11.20260329.107cba9 \ No newline at end of file diff --git a/services/lk-jwt.nix b/services/lk-jwt.nix index 80888c6..e4a983a 100644 --- a/services/lk-jwt.nix +++ b/services/lk-jwt.nix @@ -10,9 +10,9 @@ let owner = "element-hq"; repo = "lk-jwt-service"; rev = "v0.3.0"; - hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; + hash = "sha256-fA33LZkozPTng47kunXWkfUExVbMZsiL8Dtkm1hLV6U="; }; - vendorHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; + vendorHash = "sha256-0A9pd+PAsGs4KS2BnCxc7PAaUAV3Z+XKNqSrmYvxNeM="; meta.mainProgram = "lk-jwt-service"; }; in From eb5b8052f68a97d007cf33d3d8c4926f3a5efc2c Mon Sep 17 00:00:00 2001 
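Review bot: `rev = "v0.3.0"` (context line in the lk-jwt.nix hunk of PATCH 2/4) pins a git tag, which upstream can move or delete; the real `hash` and `vendorHash` this commit fills in mean a moved tag now fails the build instead of silently changing the binary, which is the right outcome, but the reviewed revision is unambiguous only if `rev` is the commit SHA the tag resolved to when these hashes were taken, e.g. `rev = "<commit sha of v0.3.0>";` with a comment naming the tag. Neither hash can be checked from the diff alone, so a note on how they were obtained (`nix-prefetch` output or the failed-build mismatch message) would help the next reviewer.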
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:46:37 -0700
Subject: [PATCH 3/4] secrets

---
 services/livekit.nix | 13 ++++++++++++-
 services/lk-jwt.nix | 19 +++++++++++++------
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/services/livekit.nix b/services/livekit.nix
index 2c37081..a4d6f7d 100644
--- a/services/livekit.nix
+++ b/services/livekit.nix
@@ -4,12 +4,22 @@
 sops.secrets."livekit/api_key" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 sops.secrets."livekit/api_secret" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 
+ users.users.livekit = {
+ isSystemUser = true;
+ group = "livekit";
+ };
+ users.groups.livekit = { };
+
 # WebRTC media (UDP) and ICE TCP fallback. HTTP signaling goes through nginx.
 networking.firewall = {
 allowedTCPPorts = [ 7881 ];
@@ -28,7 +38,8 @@
 wants = [ "network-online.target" ];
 
 serviceConfig = {
- DynamicUser = true;
+ User = "livekit";
+ Group = "livekit";
 RuntimeDirectory = "livekit";
 Restart = "always";
 RestartSec = 5;
diff --git a/services/lk-jwt.nix b/services/lk-jwt.nix
index e4a983a..b7f8160 100644
--- a/services/lk-jwt.nix
+++ b/services/lk-jwt.nix
@@ -20,10 +20,14 @@ in
 sops.secrets."livekit/api_key" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 sops.secrets."livekit/api_secret" = {
 sopsFile = ./secrets/livekit_vps.yaml;
 mode = "0400";
+ owner = "livekit";
+ group = "livekit";
 };
 
 systemd.services.lk-jwt = {
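Review bot: Replacing `DynamicUser = true` with a static `livekit` user in the `serviceConfig` hunk of livekit.nix drops the sandboxing DynamicUser implies (PrivateTmp, ProtectSystem=strict, ProtectHome=read-only, RemoveIPC, NoNewPrivileges), while the unit's `script` from PATCH 1/4 still reads both sops files and writes them into `/run/livekit/config.yaml`; `RuntimeDirectory` creates that directory with mode 0755 and the file is written under systemd's default 0022 umask, so the API key and secret end up readable by every local account unless something outside this hunk changes that. Add `RuntimeDirectoryMode = "0700"; UMask = "0077";` next to `RuntimeDirectory = "livekit";`, or keep DynamicUser and pass the two sops paths via `LoadCredential=` so systemd reads them as root and the `owner`/`group` additions in the first hunk are no longer needed. The heredoc that renders the config is cut off in this view, so confirm it embeds the secret values rather than file paths before treating the permission fix as sufficient.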
@@ -36,17 +40,20 @@ in
 wants = [ "network-online.target" ];
 
 serviceConfig = {
- DynamicUser = true;
+ User = "livekit";
+ Group = "livekit";
 Restart = "always";
 RestartSec = 5;
 };
 
- script = ''
- export LIVEKIT_URL="wss://livekit.ellie.town"
- export LIVEKIT_KEY=$(cat ${config.sops.secrets."livekit/api_key".path})
- export LIVEKIT_SECRET=$(cat ${config.sops.secrets."livekit/api_secret".path})
- export LK_JWT_PORT=8080
+ environment = {
+ LIVEKIT_URL = "wss://livekit.ellie.town";
+ LIVEKIT_KEY_FILE = config.sops.secrets."livekit/api_key".path;
+ LIVEKIT_SECRET_FILE = config.sops.secrets."livekit/api_secret".path;
+ LK_JWT_PORT = "8080";
+ };
 
+ script = ''
 exec ${lk-jwt-service}/bin/lk-jwt-service
 '';
 };
From 6843931e4b5990beb6776daa1669edc8b8493131 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Wed, 1 Apr 2026 14:49:52 -0700
Subject: [PATCH 4/4] secrets

---
 services/lk-jwt.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/lk-jwt.nix b/services/lk-jwt.nix
index b7f8160..d7b6883 100644
--- a/services/lk-jwt.nix
+++ b/services/lk-jwt.nix
@@ -48,12 +48,12 @@ in
 
 environment = {
 LIVEKIT_URL = "wss://livekit.ellie.town";
- LIVEKIT_KEY_FILE = config.sops.secrets."livekit/api_key".path;
- LIVEKIT_SECRET_FILE = config.sops.secrets."livekit/api_secret".path;
 LK_JWT_PORT = "8080";
 };
 
 script = ''
+ export LIVEKIT_KEY_FROM_FILE=${config.sops.secrets."livekit/api_key".path}
+ export LIVEKIT_SECRET_FROM_FILE=${config.sops.secrets."livekit/api_secret".path}
 exec ${lk-jwt-service}/bin/lk-jwt-service
 '';
 };
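Review bot: The two `export LIVEKIT_*_FROM_FILE=…` lines added to `script` in PATCH 4/4 are constant Nix-store-time paths, so they belong in the `environment` attribute set beside `LIVEKIT_URL` and `LK_JWT_PORT`; the previous patch already had that shape and only the variable names were wrong, so `LIVEKIT_KEY_FROM_FILE = config.sops.secrets."livekit/api_key".path;` and the matching `LIVEKIT_SECRET_FROM_FILE` line would do. Since the service now consumes file paths rather than the secret values, the cleaner design is to have systemd copy the two sops files into the unit's credentials directory with `LoadCredential=`, which lets `DynamicUser = true` return in place of the static `livekit` user (that `serviceConfig` block sits just above this hunk and is not shown in it) and removes the need for the `owner`/`group` additions to the sops secrets; in that variant the exports stay in `script` because `$CREDENTIALS_DIRECTORY` is only known at runtime. Whether v0.3.0 honours exactly these two variable names cannot be checked from the diff, so please confirm against the pinned release's README.
```nix
serviceConfig = {
  DynamicUser = true;
  # systemd reads these as root and exposes them under $CREDENTIALS_DIRECTORY,
  # so the sops files can stay root-owned 0400.
  LoadCredential = [
    "api_key:${config.sops.secrets."livekit/api_key".path}"
    "api_secret:${config.sops.secrets."livekit/api_secret".path}"
  ];
  # … unchanged: Restart, RestartSec …
};

# … unchanged: environment = { LIVEKIT_URL, LK_JWT_PORT } …

script = ''
  export LIVEKIT_KEY_FROM_FILE="$CREDENTIALS_DIRECTORY/api_key"
  export LIVEKIT_SECRET_FROM_FILE="$CREDENTIALS_DIRECTORY/api_secret"
  exec ${lk-jwt-service}/bin/lk-jwt-service
'';
```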