authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-08-02 16:29:30 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-08-02 16:29:30 +0200
commitfa9763ce9c89b05e3e426873fec40d9e60248819 (patch)
tree41f3c13d1120c7ff36ee4c843e4203e6096036eb /modules/by-name/ji
parentmodules/jitsi-meet: Lockdown prosody again (diff)
downloadnixos-server-fa9763ce9c89b05e3e426873fec40d9e60248819.zip
modules/jitsi-meet: Add another module version [WIP]
Diffstat (limited to 'modules/by-name/ji')
-rw-r--r--modules/by-name/ji/jitsi-meet/module.nix131
1 files changed, 56 insertions, 75 deletions
diff --git a/modules/by-name/ji/jitsi-meet/module.nix b/modules/by-name/ji/jitsi-meet/module.nix
index 78eb602..cfa0782 100644
--- a/modules/by-name/ji/jitsi-meet/module.nix
+++ b/modules/by-name/ji/jitsi-meet/module.nix
@@ -1,11 +1,18 @@
{
- config,
+ pkgs,
lib,
- pkgsUnstable,
+ config,
+ nixpkgs-unstable,
+pkgsUnstable,
...
}: let
cfg = config.vhack.jitsi-meet;
in {
+ # disabledModules = ["services/web-apps/jitsi-meet.nix"];
+ # imports = [
+ # "${nixpkgs-unstable}/nixos/modules/services/web-apps/jitsi-meet.nix"
+ # ];
+
options.vhack.jitsi-meet = {
enable = lib.mkEnableOption "jitsi-meet";
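Review bot: The argument list now takes both `nixpkgs-unstable` and `pkgsUnstable`, but in the hunks shown `nixpkgs-unstable` is referenced only inside the commented-out `imports` block, and `pkgsUnstable` loses its one visible use when prosody switches to `pkgs.prosody`. Unused arguments and a commented-out `disabledModules`/`imports` pair make it hard to tell which nixpkgs revision the jitsi-meet module is meant to come from. Either drop the unused arguments and the dead block, or mark the intent with a comment such as `# TODO(WIP): switch to the unstable jitsi-meet module once it evaluates`.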
@@ -34,89 +41,58 @@ in {
];
services = {
+ jitsi-meet = {
+ enable = true;
+ hostName = "${cfg.domain}";
+
+ # prosody = {
+ # enable = true;
+ #
+ # # We only use prosody for jitsi XMPP communication, and therefore can remove support
+ # # for general XMPP server stuff.
+ # lockdown = true;
+ # };
+ };
+
prosody = {
- package = pkgsUnstable.prosody.override (previous: {
+ package = pkgs.prosody.override (previous: {
withExtraLuaPackages = p:
(previous.withExtraLuaPackages p)
- ++ [p.cjson];
+ ++ [
+ # required for muc_breakout_rooms
+ p.cjson
+ ];
});
};
- nginx.virtualHosts.${cfg.domain} = {
- enableACME = true;
- forceSSL = true;
- };
-
- jitsi-meet = {
+ jitsi-videobridge = {
enable = true;
- hostName = cfg.domain;
-
- nginx.enable = true;
-
- config = {
- enableWelcomePage = true;
- requireDisplayName = true;
- analytics.disabled = true;
-
- # Don't try to GET gravata stuff.
- disableThirdPartyRequests = true;
-
- # Avoids a heavy load on conference start.
- startAudioOnly = true;
-
- # Only transmit the last four members.
- channelLastN = 4;
-
- constraints.video.height = {
- ideal = 720;
- max = 1080;
- min = 240;
- };
-
- remoteVideoMenu.disabled = false;
- breakoutRooms.hideAddRoomButton = false;
- maxFullResolutionParticipants = 1;
-
- prejoinPageEnabled = true;
- defaultLang = "sv";
- };
-
- interfaceConfig = {
- GENERATE_ROOMNAMES_ON_WELCOME_PAGE = true;
- DISABLE_PRESENCE_STATUS = true;
-
- SHOW_CHROME_EXTENSION_BANNER = false;
-
- # The default google play android apps comes with trackers.
- MOBILE_DOWNLOAD_LINK_ANDROID = "https://f-droid.org/en/packages/org.jitsi.meet/";
-
- # Don't try to promote the mobile app.
- MOBILE_APP_PROMO = false;
-
- SHOW_JITSI_WATERMARK = false;
- SHOW_WATERMARK_FOR_GUESTS = false;
- };
-
- prosody = {
- enable = true;
-
- # We only use prosody for jitsi XMPP communication, and therefore can remove support
- # for general XMPP server stuff.
- lockdown = true;
- };
+ openFirewall = true;
};
- jitsi-videobridge = {
- openFirewall = true;
- config.videobridge = {
- cc.assumed-bandwidth-limit = "1000 Mbps";
- };
+ nginx.virtualHosts."${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
};
};
- # Use another port as `8080` (the default) is obviously already taken.
- # Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
+ # networking.firewall = {
+ # allowedTCPPorts = [
+ # 80 # For SSL certificate verification / renewal with Let's Encrypt. Required
+ # 443 # For general access to Jitsi Meet. Required
+ # 22 # For Accessing your Server using SSH (change the port accordingly if it's not 22). Required
+ # 5349 # For fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn. Required
+ # ];
+ #
+ # allowedUDPPorts = [
+ # 10000 # For General Network Audio/Video Meetings. Required
+ # 3478 # For querying the stun server (coturn, optional, needs config.js change to enable it).
+ # ];
+ # };
+
environment.etc."jitsi/videobridge/sip-communicator.properties".text = ''
+ # Use another port as `8080` (the default) is obviously already taken.
+ # Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
org.jitsi.videobridge.rest.private.jetty.port=8979
'';
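Review bot: The new `services.jitsi-meet` block leaves `prosody.lockdown = true;` commented out, although the removed configuration set it because prosody is used only for Jitsi's XMPP traffic. The module now falls back to the option's default, which presumably leaves the general XMPP server features enabled. The same hunk drops the whole `config` attrset, including `disableThirdPartyRequests = true;` and `analytics.disabled = true;`, so clients of this instance may again contact third parties. If that is intended for the WIP state, say so with `# TODO: restore prosody lockdown and privacy settings before deploying`. Otherwise keep `prosody.lockdown = true;` and `config.disableThirdPartyRequests = true;` under `services.jitsi-meet`.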
@@ -124,9 +100,14 @@ in {
groups.jitsi-meet = {
gid = config.vhack.constants.ids.gids.jitsi-meet;
};
- users.jitsi-meet = {
- group = "jitsi-meet";
- uid = config.vhack.constants.ids.uids.jitsi-meet;
+ users = {
+ jitsi-meet = {
+ group = "jitsi-meet";
+ uid = config.vhack.constants.ids.uids.jitsi-meet;
+ };
+ prosody = {
+ extraGroups = ["jitsi-meet"];
+ };
};
};
};
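Review bot: `prosody.extraGroups = ["jitsi-meet"];` gives the prosody user access to everything that is group-accessible to `jitsi-meet`, and nothing in the hunk says which file or directory it actually needs. Since prosody is the network-facing XMPP component, the reason for the extra membership should be recorded next to it, for example `# prosody needs to read <PATH owned by group jitsi-meet>` with the real path filled in. If only one file is needed, it would be worth checking whether its ownership or mode can be narrowed instead of sharing the whole group. The enclosing `users` attrset begins outside this hunk.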