# vhack.jitsi-meet: serves a jitsi-meet instance on `domain` behind an ACME/TLS
# nginx virtual host, with a few prosody and videobridge overrides on top of the
# upstream NixOS modules.
{
  config,
  lib,
  pkgsUnstable,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.vhack.jitsi-meet;
  ids = config.vhack.constants.ids;
in {
  options.vhack.jitsi-meet = {
    enable = mkEnableOption "jitsi-meet";
    domain = mkOption {
      type = types.str;
      description = "The domain jitsi-meet should be served on.";
    };
  };

  config = mkIf cfg.enable {
    # Jitsi uses libolm for E2EE, which is no longer maintained upstream by the element
    # team (as they switched to a new rust-based crypto library).
    #
    # libolm has two CVEs about timing-based side-channel attacks in its crypto
    # primitives. This is not ideal, but it has not (yet) been exploited in the wild and
    # upstream (i.e. the matrix/element team) claims that the CVEs are very difficult to
    # exploit (they have been known _long_ before element switched to the rust version).
    #
    # Considering the lack of deployable video conferencing alternatives, the active
    # interest in upstream to resolve this issue [1] and the fact that we are unlikely
    # to be attacked via a targeted attack, permitting this package seems viable.
    #
    # The exact version string is intentional: once nixpkgs bumps jitsi-meet this entry
    # no longer matches, evaluation fails again, and the exception has to be re-reviewed.
    #
    # [1]: https://github.com/jitsi/jitsi-meet/issues/15107
    nixpkgs.config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];

    # Take prosody from unstable and add lua cjson on top of whatever extra lua
    # packages the package already pulls in.
    services.prosody.package = pkgsUnstable.prosody.override (previous: {
      withExtraLuaPackages = p: (previous.withExtraLuaPackages p) ++ [p.cjson];
    });

    # TLS via ACME for the web frontend; plain HTTP is redirected to HTTPS.
    services.nginx.virtualHosts.${cfg.domain} = {
      enableACME = true;
      forceSSL = true;
    };

    services.jitsi-meet = {
      enable = true;
      hostName = cfg.domain;
      nginx.enable = true;
      # NOTE(review): nothing below requires authentication, so anyone who reaches
      # cfg.domain can create rooms (the welcome page even suggests names). That is
      # consistent with a public instance; if it is not intended, the module's
      # `secureDomain` option (if present in this nixpkgs revision) is the place to look.
      config = {
        enableWelcomePage = true;
        requireDisplayName = true;
        analytics.disabled = true;
        # Don't try to GET gravatar stuff.
        disableThirdPartyRequests = true;
        # Avoids a heavy load on conference start.
        startAudioOnly = true;
        # Only receive video from the four most recently active participants.
        channelLastN = 4;
        constraints.video.height = {
          ideal = 720;
          max = 1080;
          min = 240;
        };
        remoteVideoMenu.disabled = false;
        breakoutRooms.hideAddRoomButton = false;
        maxFullResolutionParticipants = 1;
        prejoinPageEnabled = true;
        defaultLang = "sv";
      };
      interfaceConfig = {
        GENERATE_ROOMNAMES_ON_WELCOME_PAGE = true;
        DISABLE_PRESENCE_STATUS = true;
        SHOW_CHROME_EXTENSION_BANNER = false;
        # The default Google Play Android app comes with trackers.
        MOBILE_DOWNLOAD_LINK_ANDROID = "https://f-droid.org/en/packages/org.jitsi.meet/";
        # Don't try to promote the mobile app.
        MOBILE_APP_PROMO = false;
        SHOW_JITSI_WATERMARK = false;
        SHOW_WATERMARK_FOR_GUESTS = false;
      };
      prosody = {
        enable = true;
        # We only use prosody for jitsi XMPP communication, and therefore can remove
        # support for general XMPP server stuff.
        lockdown = true;
      };
    };

    services.jitsi-videobridge = {
      # Opens the bridge's media port(s) in the host firewall; the nginx vhost above
      # only covers the web side, conference media goes straight to the bridge.
      openFirewall = true;
      # presumably makes JVB's congestion control assume a fixed link capacity
      # instead of estimating it — verify against jvb's reference.conf.
      config.videobridge.cc.assumed-bandwidth-limit = "1000 Mbps";
    };

    # Use another port as `8080` (the default) is obviously already taken.
    # Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
    # NOTE(review): this is the legacy properties-file spelling of the setting; if the
    # module's `config` option (jvb.conf) also covers the private HTTP port, moving it
    # there keeps all JVB settings in one place — confirm before switching.
    environment.etc."jitsi/videobridge/sip-communicator.properties".text = ''
      org.jitsi.videobridge.rest.private.jetty.port=8979
    '';

    # Service account with uid/gid pinned from the shared constants set.
    users.groups.jitsi-meet.gid = ids.gids.jitsi-meet;
    users.users.jitsi-meet = {
      group = "jitsi-meet";
      uid = ids.uids.jitsi-meet;
    };
  };
}