add everything; add CI

author: Preston Pan <ret2pop@nullring.xyz> 2026-03-01 23:51:02 -0800
committer: Preston Pan <ret2pop@nullring.xyz> 2026-03-01 23:51:02 -0800
commit: a05e0614c1bb75f77717a943dc4ac75a0cca4652 (patch)
tree: d52ddee9db6d6eabbafc73f04aa83f6bbcd7f0c5 /nix/modules/conduit.nix
parent: 75439737613d86975856c4bff0a1257f58fd1b1f (diff)
1 files changed, 174 insertions, 9 deletions
diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix
index 4d7a30c..edc8e8b 100644
--- a/nix/modules/conduit.nix
+++ b/nix/modules/conduit.nix
@@ -1,8 +1,25 @@
 { config, lib, ... }:
+let
+  livekitListenPort = 8443;
+  # secrets.yaml
+  livekit_secret = "livekit_secret";
+  conduit_secret = "conduit_secrets";
+in
 {
+  sops.secrets = lib.mkIf config.services.matrix-conduit.enable {
+    "${livekit_secret}" = lib.mkIf config.services.livekit.enable {
+      format = "yaml";
+      mode = "0444";
+    };
+
+    "${conduit_secret}" = {
+      format = "yaml";
+    };
+  };
+
   services.matrix-conduit = {
     enable = lib.mkDefault config.monorepo.profiles.server.enable;
-    secretFile = "/run/secrets/conduit_secrets";
+    secretFile = "/run/secrets/${conduit_secret}";
     settings.global = {
       server_name = "matrix.${config.monorepo.vars.orgHost}";
       trusted_servers = [
@@ -15,15 +32,11 @@
       allow_registration = false;
     };
   };
-  services.lk-jwt-service = {
-    enable = lib.mkDefault config.monorepo.profiles.server.enable;
-    port = 6495;
-    livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}";
-    keyFile = "/run/secrets/livekit_secret";
-  };
+
+
   services.livekit = {
-    enable = lib.mkDefault config.monorepo.profiles.server.enable;
-    keyFile = "/run/secrets/livekit_secret";
+    enable = lib.mkDefault (config.services.matrix-conduit.enable || config.services.matrix-synapse.enable);
+    keyFile = "/run/secrets/${livekit_secret}";
     settings = {
       port = 7880;
       turn = {
@@ -44,4 +57,156 @@
       };
     };
   };
+
+  services.lk-jwt-service = {
+    enable = lib.mkDefault config.services.livekit.enable;
+    port = 6495;
+    livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}";
+    keyFile = "/run/secrets/${livekit_secret}";
+  };
+
+  # TODO: split into conduit and livekit
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.matrix-conduit.enable [ 8448 7881 5349 livekitListenPort ];
+
+  # this is fine though
+  networking.firewall.allowedUDPPorts = lib.mkIf config.services.livekit.enable [ 7882 3478 ];
+  networking.firewall.allowedUDPPortRanges = lib.mkIf config.services.livekit.enable [
+    { from = 49152; to = 65535; }
+  ];
+
+  networking.domains.subDomains."matrix.${config.monorepo.vars.orgHost}" = lib.mkIf config.services.matrix-conduit.enable { };
+  networking.domains.subDomains."livekit.${config.monorepo.vars.orgHost}" = lib.mkIf config.services.livekit.enable { };
+
+  services.nginx.virtualHosts."matrix.${config.monorepo.vars.orgHost}" = lib.mkIf config.services.matrix-conduit.enable {
+    enableACME = lib.mkDefault config.monorepo.profiles.server.enable;
+    forceSSL = true;
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "[::]";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "0.0.0.0";
+        port = 8448;
+        ssl = true;
+      }
+      {
+        addr = "[::]";
+        port = 8448;
+        ssl = true;
+      }
+    ];
+    locations."/_matrix/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.matrix-conduit.settings.global.port}";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_buffers 32 16k;
+        proxy_read_timeout 5m;
+      '';
+    };
+
+    locations."= /.well-known/matrix/server" = {
+      extraConfig = ''
+        default_type application/json;
+        add_header Content-Type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+
+      return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' '';
+    };
+
+    locations."/.well-known/matrix/client" = {
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:${toString livekitListenPort}\"}]}'";
+    };
+
+    extraConfig = ''
+      merge_slashes off;
+    '';
+  };
+
+
+  services.nginx.virtualHosts."matrix.${config.monorepo.vars.orgHost}-livekit" = lib.mkIf config.services.livekit.enable {
+    serverName = "matrix.${config.monorepo.vars.orgHost}";
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = livekitListenPort;
+        ssl = true;
+      }
+      {
+        addr = "[::]";
+        port = livekitListenPort;
+        ssl = true;
+      }
+    ];
+    addSSL = true;
+    enableACME = false;
+    forceSSL = false;
+    useACMEHost = "matrix.${config.monorepo.vars.orgHost}";
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.lk-jwt-service.port}";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+  };
+
+  services.nginx.virtualHosts."livekit.${config.monorepo.vars.orgHost}" = lib.mkIf config.services.livekit.enable {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.livekit.settings.port}";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+
+        # Standard headers for LiveKit
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # --- CORS CONFIGURATION START ---
+        # 1. Allow all origins (including app.element.io)
+        add_header 'Access-Control-Allow-Origin' '*' always;
+            
+        # 2. Allow specific methods (POST is required for /sfu/get)
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+            
+        # 3. Allow headers (Content-Type is crucial for JSON)
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+            
+        # 4. Handle the OPTIONS preflight request immediately
+        if ($request_method = 'OPTIONS') {
+           add_header 'Access-Control-Allow-Origin' '*' always;
+           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
+           add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+           add_header 'Access-Control-Max-Age' 1728000;
+           add_header 'Content-Type' 'text/plain; charset=utf-8';
+           add_header 'Content-Length' 0;
+           return 204;
+            }
+        # --- CORS CONFIGURATION END ---
+      '';
+    };
+  };
 }
author	Preston Pan <ret2pop@nullring.xyz>	2026-03-01 23:51:02 -0800
committer	Preston Pan <ret2pop@nullring.xyz>	2026-03-01 23:51:02 -0800
commit	a05e0614c1bb75f77717a943dc4ac75a0cca4652 (patch)
tree	d52ddee9db6d6eabbafc73f04aa83f6bbcd7f0c5 /nix/modules/conduit.nix
parent	75439737613d86975856c4bff0a1257f58fd1b1f (diff)