Diffstat (limited to 'modules/by-name/ji/jitsi-meet')
-rw-r--r-- | modules/by-name/ji/jitsi-meet/module.nix | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/modules/by-name/ji/jitsi-meet/module.nix b/modules/by-name/ji/jitsi-meet/module.nix
new file mode 100644
index 0000000..d5844be
--- /dev/null
+++ b/modules/by-name/ji/jitsi-meet/module.nix
@@ -0,0 +1,108 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.jitsi-meet;
+in {
+ options.vhack.jitsi-meet = {
+ enable = lib.mkEnableOption "jitsi-meet";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain jitsi-meet should be served on.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ nixpkgs.config.permittedInsecurePackages = [
+ # Jitsi uses libolm for E2EE, which is no longer maintained upstream by the element
+ # team (as they switch to a rust new based crypto library.)
+ #
+ # libolm has two CVEs about timing based side-channel attacks in their crypt
+ # primitives. This is not ideal, but it has not (yet) been exploited in the wild and
+ # upstream (i.e. the matrix/element team) claims, that the CVEs are very difficult to
+ # exploit (they have been know _long_ before element switched to the rust version).
+ #
+ # Considering the lack of deployable video conferencing alternatives, the active
+ # interest in upstream to resolve this issue [1] and the fact, that we are unlikely
+ # to be attacked via a target attack, permitting this package seems viable.
+ #
+ # [1]: https://github.com/jitsi/jitsi-meet/issues/15107
+ "jitsi-meet-1.0.8043"
+ ];
+
+ services = {
+ nginx.virtualHosts.${cfg.domain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ jitsi-meet = {
+ enable = true;
+ hostName = cfg.domain;
+
+ nginx.enable = true;
+
+ config = {
+ enableWelcomePage = true;
+ requireDisplayName = true;
+ analytics.disabled = true;
+
+ # Don't try to GET gravata stuff.
+ disableThirdPartyRequests = true;
+
+ # Avoids a heavy load on conference start.
+ startAudioOnly = true;
+
+ # Only transmit the last four members.
+ channelLastN = 4;
+
+ constraints.video.height = {
+ ideal = 720;
+ max = 1080;
+ min = 240;
+ };
+
+ remoteVideoMenu.disabled = false;
+ breakoutRooms.hideAddRoomButton = false;
+ maxFullResolutionParticipants = 1;
+
+ prejoinPageEnabled = true;
+ defaultLang = "sv";
+ };
+
+ interfaceConfig = {
+ GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
+ DISABLE_PRESENCE_STATUS = true;
+
+ SHOW_CHROME_EXTENSION_BANNER = false;
+
+ # The default google play android apps comes with trackers.
+ MOBILE_DOWNLOAD_LINK_ANDROID = "https://f-droid.org/en/packages/org.jitsi.meet/";
+
+ # Don't try to promote the mobile app.
+ MOBILE_APP_PROMO = false;
+
+ SHOW_JITSI_WATERMARK = false;
+ SHOW_WATERMARK_FOR_GUESTS = false;
+ };
+
+ prosody = {
+ enable = true;
+
+ # We only use prosody for jitsi XMPP communication, and therefore can remove support
+ # for general XMPP server stuff.
+ lockdown = true;
+ };
+ };
+
+ jitsi-videobridge = {
+ openFirewall = true;
+ config.videobridge = {
+ cc.assumed-bandwidth-limit = "1000 Mbps";
+ };
+ };
+ };
+ };
+}
|
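Review bot: The `permittedInsecurePackages` exception records a risk acceptance for the libolm dependency, but the comment above `"jitsi-meet-1.0.8043"` never names the CVEs it refers to nor states when the acceptance should be revisited, so a later reader cannot verify that the reasoning still holds; add a line such as `# Accepted <DATE>; CVE ids: <FILL IN FROM THE LIBOLM ADVISORY>; revisit when this pin changes or upstream issue [1] is closed.` The exact version string does at least force a re-evaluation on a nixpkgs bump, since evaluation fails once the package name no longer matches. Separately, nothing in the `jitsi-meet` block restricts who may create a room: with `enableWelcomePage = true` and the host served on a public ACME domain, room creation appears open to anyone who can reach `${cfg.domain}`; if the nixpkgs revision in use provides the `services.jitsi-meet.secureDomain` options, consider enabling them, or otherwise document in the module why unauthenticated room creation is intended. The whole attribute set is contained in this hunk.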