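# NixOS module: a self-hosted Jitsi Meet instance (jitsi-meet + prosody + videobridge)
# served over TLS on `config.vhack.jitsi-meet.domain`.
#
# Module arguments: the usual `pkgs`/`lib`/`config`; `nixpkgs-unstable` and
# `pkgsUnstable` are only referenced by the commented-out override below.
{ pkgs, lib, config, nixpkgs-unstable, pkgsUnstable, ... }:
let
  cfg = config.vhack.jitsi-meet;

  # Prosody settings shared by every jitsi-related virtual host. The MUC component
  # names are derived from the configured domain so that all three hosts agree.
  mucConfig = ''
    main_muc = "conference.${cfg.domain}"
    muc_component = "conference.${cfg.domain}"
    lobby_muc = "lobby.${cfg.domain}"
  '';
in {
  # disabledModules = ["services/web-apps/jitsi-meet.nix"];
  # imports = [
  #   "${nixpkgs-unstable}/nixos/modules/services/web-apps/jitsi-meet.nix"
  # ];

  options.vhack.jitsi-meet = {
    enable = lib.mkEnableOption "jitsi-meet";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain jitsi-meet should be served on.";
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.config.permittedInsecurePackages = [
      # Jitsi uses libolm for E2EE, which is no longer maintained upstream by the element
      # team (as they switched to a new Rust-based crypto library).
      #
      # libolm has two CVEs about timing-based side-channel attacks in its crypto
      # primitives. This is not ideal, but it has not (yet) been exploited in the wild and
      # upstream (i.e. the matrix/element team) claims that the CVEs are very difficult to
      # exploit (they were known _long_ before element switched to the Rust version).
      #
      # Considering the lack of deployable video conferencing alternatives, the active
      # interest in upstream to resolve this issue [1] and the fact that we are unlikely
      # to be attacked via a targeted attack, permitting this package seems viable.
      #
      # The exemption is pinned to the exact name-version string, so a package bump
      # will fail evaluation again and force this decision to be revisited.
      #
      # [1]: https://github.com/jitsi/jitsi-meet/issues/15107
      "jitsi-meet-1.0.8043"
    ];

    services = {
      jitsi-meet = {
        enable = true;
        # `domain` is declared as `lib.types.str`, so no interpolation is needed.
        hostName = cfg.domain;
        # prosody = {
        #   enable = true;
        #
        #   # We only use prosody for jitsi XMPP communication, and therefore can remove support
        #   # for general XMPP server stuff.
        #   lockdown = true;
        # };
      };

      prosody = {
        package = pkgs.prosody.override (previous: {
          # Keep whatever Lua packages the base derivation already adds and append ours.
          withExtraLuaPackages = p: (previous.withExtraLuaPackages p) ++ [
            # required for muc_breakout_rooms
            p.cjson
          ];
        });

        # All three hosts receive the identical MUC configuration (see `mucConfig`).
        virtualHosts = {
          "recorder.${cfg.domain}" = { extraConfig = mucConfig; };
          "auth.${cfg.domain}" = { extraConfig = mucConfig; };
          "guest.${cfg.domain}" = { extraConfig = mucConfig; };
        };
      };

      jitsi-videobridge = {
        enable = true;
        # Opens the videobridge media port(s); which ports exactly is decided by the
        # upstream NixOS module, not here.
        openFirewall = true;
      };

      # TLS is mandatory for the public endpoint: ACME-issued certificate, HTTP redirected.
      nginx.virtualHosts."${cfg.domain}" = {
        enableACME = true;
        forceSSL = true;
      };
    };

    # networking.firewall = {
    #   allowedTCPPorts = [
    #     80 # For SSL certificate verification / renewal with Let's Encrypt. Required
    #     443 # For general access to Jitsi Meet. Required
    #     22 # For Accessing your Server using SSH (change the port accordingly if it's not 22). Required
    #     5349 # For fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn. Required
    #   ];
    #
    #   allowedUDPPorts = [
    #     10000 # For General Network Audio/Video Meetings. Required
    #     3478 # For querying the stun server (coturn, optional, needs config.js change to enable it).
    #   ];
    # };

    # Videobridge private REST API port. NOTE(review): port 8979 is not opened in the
    # firewall above; confirm the private API also stays bound to loopback so it is not
    # reachable from outside the host.
    environment.etc."jitsi/videobridge/sip-communicator.properties".text = ''
      # Use another port as `8080` (the default) is obviously already taken.
      # Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
      org.jitsi.videobridge.rest.private.jetty.port=8979
    '';

    # Static uid/gid so the account survives rebuilds with stable ownership on disk.
    users = {
      groups.jitsi-meet = {
        gid = config.vhack.constants.ids.gids.jitsi-meet;
      };
      users = {
        jitsi-meet = {
          group = "jitsi-meet";
          uid = config.vhack.constants.ids.uids.jitsi-meet;
        };
        # prosody shares the jitsi-meet group; presumably for access to the shared
        # jitsi configuration/secret files — verify against the upstream module.
        prosody = {
          extraGroups = ["jitsi-meet"];
        };
      };
    };
  };
}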