hippocampus: matrix: turn/sfu prep

machines/hippocampus/servers/public/matrix/rtc.nix

@@ -0,0 +1,60 @@
+{ config, pkgs, lib, ... }: {
+  imports = [
+    ./turn.nix
+  ];
+  # Shared between lk-jwt-service and livekit
+  # TODO: Generate it
+  sops.secrets.lk-jwt = {};
+  services.lk-jwt-service = {
+    enable = true;
+    port = 7374;
+    livekitUrl = "wss://matrix-rtc.glia.club";
+    keyFile = config.sops.secrets.lk-jwt.path;
+  };
+  services.livekit = {
+    enable  = true;
+    keyFile = config.sops.secrets.lk-jwt.path;
+    # Ingress of other video streams
+    # for RTC usage, e.g. RTMP, WHIP, etc.
+    ingress = { enable = false; };
+    # Redis is used if we were to use ingress
+    redis = { createLocally = false };
+    settings = {
+      port = 7375;
+      rtc = {
+        port_range_end   = 50100;
+        port_range_start = 50200;
+        use_external_ip  = true;
+        enable_loopback_candidate = false;
+      };
+    };
+  };
+  services.matrix-tuwunel.settings = {
+    global.well_known = {
+      rtc_transports = [
+        type = "livekit";
+        livekit_service_url = "https://matrix-rtc.glia.club";
+      ];
+    };
+  };
+  services.caddy.virtualHosts = {
+    "matrix-rtc.glia.club" = {
+      extraConfig = ''
+        # This is matrix-rtc-jwt
+        @jwt_service {
+          path /sfu/get* /healthz*
+        }
+        handle @jwt_service {
+          reverse_proxy localhost:${config.services.lk-jwt-service.port}
+        }
+        # This is livekit
+        handle {
+          reverse_proxy localhost:${config.services.livekit.settings.port} {
+            header_up Connection "upgrade"
+            header_up Upgrade {http.request.header.Upgrade}
+          }
+        }
+      '';
+    };
+  };
+}

machines/hippocampus/servers/public/matrix/server.nix

@@ -1,4 +1,8 @@
 { config, pkgs, lib, ... }: {
+  imports = [
+    # Real Time Communication
+    ./rtc.nix
+  ];
   sops.secrets.tuwunelreg = {
     owner = config.services.matrix-tuwunel.user;
   };

machines/hippocampus/servers/public/matrix/turn.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }: {
+  # TODO: Generate coturn secret
+  services.coturn = {
+    enable = true;
+    realm = "turn.glia.club";
+    listening-port = 3478;
+    tls-listening-port = 5349;
+    min-port = config.services.livekit.settings.rtc.port_range_start+1;
+    max-port = 65535;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets.coturn-secret.path;
+  };
+  services.caddy.virtualHosts = {
+    "turn.glia.club" = {
+      # Use ZeroSSL
+      # as WebRTC clients misbehave with LetsEncrypt:
+      # https://github.com/element-hq/element-android/issues/1533
+      # https://github.com/element-hq/element-ios/issues/2712
+      # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
+      extraConfig = ''
+        acme_ca https://acme.zerossl.com/v2/DV90
+        respond "You ~~spin~~ turn me right round!"
+      '';
+    };
+  };
+}