blob: d5844bee76f2943dd382aa70b4a7493057e9f8e3 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
{
config,
lib,
...
}: let
cfg = config.vhack.jitsi-meet;
in {
options.vhack.jitsi-meet = {
enable = lib.mkEnableOption "jitsi-meet";
domain = lib.mkOption {
type = lib.types.str;
description = "The domain jitsi-meet should be served on.";
};
};
config = lib.mkIf cfg.enable {
nixpkgs.config.permittedInsecurePackages = [
# Jitsi uses libolm for E2EE, which is no longer maintained upstream by the element
# team (as they switch to a rust new based crypto library.)
#
# libolm has two CVEs about timing based side-channel attacks in their crypt
# primitives. This is not ideal, but it has not (yet) been exploited in the wild and
# upstream (i.e. the matrix/element team) claims, that the CVEs are very difficult to
# exploit (they have been know _long_ before element switched to the rust version).
#
# Considering the lack of deployable video conferencing alternatives, the active
# interest in upstream to resolve this issue [1] and the fact, that we are unlikely
# to be attacked via a target attack, permitting this package seems viable.
#
# [1]: https://github.com/jitsi/jitsi-meet/issues/15107
"jitsi-meet-1.0.8043"
];
services = {
nginx.virtualHosts.${cfg.domain} = {
enableACME = true;
forceSSL = true;
};
jitsi-meet = {
enable = true;
hostName = cfg.domain;
nginx.enable = true;
config = {
enableWelcomePage = true;
requireDisplayName = true;
analytics.disabled = true;
# Don't try to GET gravata stuff.
disableThirdPartyRequests = true;
# Avoids a heavy load on conference start.
startAudioOnly = true;
# Only transmit the last four members.
channelLastN = 4;
constraints.video.height = {
ideal = 720;
max = 1080;
min = 240;
};
remoteVideoMenu.disabled = false;
breakoutRooms.hideAddRoomButton = false;
maxFullResolutionParticipants = 1;
prejoinPageEnabled = true;
defaultLang = "sv";
};
interfaceConfig = {
GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
DISABLE_PRESENCE_STATUS = true;
SHOW_CHROME_EXTENSION_BANNER = false;
# The default google play android apps comes with trackers.
MOBILE_DOWNLOAD_LINK_ANDROID = "https://f-droid.org/en/packages/org.jitsi.meet/";
# Don't try to promote the mobile app.
MOBILE_APP_PROMO = false;
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
prosody = {
enable = true;
# We only use prosody for jitsi XMPP communication, and therefore can remove support
# for general XMPP server stuff.
lockdown = true;
};
};
jitsi-videobridge = {
openFirewall = true;
config.videobridge = {
cc.assumed-bandwidth-limit = "1000 Mbps";
};
};
};
};
}
|
