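{
  pkgs,
  lib,
  config,
  nixpkgs-unstable,
  pkgsUnstable,
  ...
}: let
  cfg = config.vhack.jitsi-meet;

  # Every prosody virtual host Jitsi talks to carries the same three pointers to the
  # MUC components (conference MUC, the MUC component itself, lobby MUC). Defined once
  # so the vhosts below cannot silently drift apart.
  mucPointers = ''
    main_muc = "conference.${cfg.domain}"
    muc_component = "conference.${cfg.domain}"
    lobby_muc = "lobby.${cfg.domain}"
  '';
in {
  # disabledModules = ["services/web-apps/jitsi-meet.nix"];
  # imports = [
  #   "${nixpkgs-unstable}/nixos/modules/services/web-apps/jitsi-meet.nix"
  # ];
  options.vhack.jitsi-meet = {
    enable = lib.mkEnableOption "jitsi-meet";
    domain = lib.mkOption {
      type = lib.types.str;
      example = "meet.example.org";
      description = "The domain jitsi-meet should be served on.";
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.config.permittedInsecurePackages = [
      # Jitsi uses libolm for E2EE. libolm is no longer maintained upstream by the
      # Element team (they switched to a new Rust-based crypto library).
      #
      # libolm has two CVEs about timing-based side-channel attacks in its crypto
      # primitives. This is not ideal, but they have not (yet) been exploited in the
      # wild and upstream (i.e. the Matrix/Element team) claims that the CVEs are very
      # difficult to exploit (they were known _long_ before Element switched to the
      # Rust version).
      #
      # Considering the lack of deployable video-conferencing alternatives, the active
      # interest upstream in resolving this [1], and the fact that we are unlikely to be
      # the target of a targeted attack, permitting this package seems acceptable.
      #
      # NOTE(review): this is an explicit risk acceptance, not a fix. The entry is
      # pinned to an exact name-version on purpose: the next jitsi-meet bump will fail
      # evaluation again (as long as the new version is still marked insecure), which
      # forces someone to re-check whether [1] has landed before re-pinning. Revisit
      # the acceptance if the threat model changes (e.g. meetings where E2EE is actually
      # relied upon rather than best-effort).
      #
      # [1]: https://github.com/jitsi/jitsi-meet/issues/15107
      "jitsi-meet-1.0.8043"
    ];

    services = {
      jitsi-meet = {
        enable = true;
        # `cfg.domain` is already a string; no interpolation needed.
        hostName = cfg.domain;
        # prosody = {
        #   enable = true;
        #
        #   # We only use prosody for jitsi XMPP communication, and therefore can remove
        #   # support for general XMPP server stuff.
        #   lockdown = true;
        # };
      };

      prosody = {
        package = pkgs.prosody.override (previous: {
          withExtraLuaPackages = p:
            (previous.withExtraLuaPackages p)
            ++ [
              # required for muc_breakout_rooms
              p.cjson
            ];
        });
        # recorder/auth/guest all get the identical MUC pointers (see `mucPointers`).
        virtualHosts = lib.genAttrs [
          "recorder.${cfg.domain}"
          "auth.${cfg.domain}"
          "guest.${cfg.domain}"
        ] (_: {
          extraConfig = mucPointers;
        });
      };

      jitsi-videobridge = {
        enable = true;
        # Opens whatever media port(s) the NixOS module chooses on all interfaces
        # (cf. the UDP 10000 note in the firewall block below). A TCP fallback via
        # coturn is not configured in this module.
        openFirewall = true;
      };

      # The jitsi-meet module presumably populates this vhost; here we only enforce
      # TLS: obtain an ACME certificate and redirect plain HTTP to HTTPS.
      nginx.virtualHosts."${cfg.domain}" = {
        enableACME = true;
        forceSSL = true;
      };
    };

    # networking.firewall = {
    #   allowedTCPPorts = [
    #     80 # For SSL certificate verification / renewal with Let's Encrypt. Required
    #     443 # For general access to Jitsi Meet. Required
    #     22 # For Accessing your Server using SSH (change the port accordingly if it's not 22). Required
    #     5349 # For fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn. Required
    #   ];
    #
    #   allowedUDPPorts = [
    #     10000 # For General Network Audio/Video Meetings. Required
    #     3478 # For querying the stun server (coturn, optional, needs config.js change to enable it).
    #   ];
    # };

    # Use another port, as `8080` (the default) is already taken on this host.
    # Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
    #
    # NOTE(review): this only moves the port of the videobridge's *private* REST
    # (control) interface; no bind address is set here. Nothing in this module opens
    # 8979 in the firewall, but confirm the interface stays on loopback — a control
    # interface bound to all addresses would be one firewall change away from being
    # reachable from the network.
    environment.etc."jitsi/videobridge/sip-communicator.properties".text = ''
      org.jitsi.videobridge.rest.private.jetty.port=8979
    '';

    users = {
      # IDs come from the shared constants, presumably so they are stable across hosts.
      groups.jitsi-meet = {
        gid = config.vhack.constants.ids.gids.jitsi-meet;
      };
      users = {
        jitsi-meet = {
          group = "jitsi-meet";
          uid = config.vhack.constants.ids.uids.jitsi-meet;
        };
        prosody = {
          # Presumably needed so prosody can read group-readable jitsi-meet files (e.g.
          # shared secrets) — confirm nothing else is granted through this group.
          extraGroups = ["jitsi-meet"];
        };
      };
    };
  };
}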