1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
{
pkgs,
lib,
config,
nixpkgs-unstable,
pkgsUnstable,
...
}: let
cfg = config.vhack.jitsi-meet;
in {
# disabledModules = ["services/web-apps/jitsi-meet.nix"];
# imports = [
# "${nixpkgs-unstable}/nixos/modules/services/web-apps/jitsi-meet.nix"
# ];
options.vhack.jitsi-meet = {
enable = lib.mkEnableOption "jitsi-meet";
domain = lib.mkOption {
type = lib.types.str;
description = "The domain jitsi-meet should be served on.";
};
};
config = lib.mkIf cfg.enable {
nixpkgs.config.permittedInsecurePackages = [
# Jitsi uses libolm for E2EE, which is no longer maintained upstream by the element
# team (as they switch to a rust new based crypto library.)
#
# libolm has two CVEs about timing based side-channel attacks in their crypt
# primitives. This is not ideal, but it has not (yet) been exploited in the wild and
# upstream (i.e. the matrix/element team) claims, that the CVEs are very difficult to
# exploit (they have been know _long_ before element switched to the rust version).
#
# Considering the lack of deployable video conferencing alternatives, the active
# interest in upstream to resolve this issue [1] and the fact, that we are unlikely
# to be attacked via a target attack, permitting this package seems viable.
#
# [1]: https://github.com/jitsi/jitsi-meet/issues/15107
"jitsi-meet-1.0.8043"
];
services = {
jitsi-meet = {
enable = true;
hostName = "${cfg.domain}";
# prosody = {
# enable = true;
#
# # We only use prosody for jitsi XMPP communication, and therefore can remove support
# # for general XMPP server stuff.
# lockdown = true;
# };
};
prosody = {
package = pkgs.prosody.override (previous: {
withExtraLuaPackages = p:
(previous.withExtraLuaPackages p)
++ [
# required for muc_breakout_rooms
p.cjson
];
});
};
jitsi-videobridge = {
enable = true;
openFirewall = true;
};
nginx.virtualHosts."${cfg.domain}" = {
enableACME = true;
forceSSL = true;
};
};
# networking.firewall = {
# allowedTCPPorts = [
# 80 # For SSL certificate verification / renewal with Let's Encrypt. Required
# 443 # For general access to Jitsi Meet. Required
# 22 # For Accessing your Server using SSH (change the port accordingly if it's not 22). Required
# 5349 # For fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn. Required
# ];
#
# allowedUDPPorts = [
# 10000 # For General Network Audio/Video Meetings. Required
# 3478 # For querying the stun server (coturn, optional, needs config.js change to enable it).
# ];
# };
environment.etc."jitsi/videobridge/sip-communicator.properties".text = ''
# Use another port as `8080` (the default) is obviously already taken.
# Source: https://community.jitsi.org/t/jvb-port-8080-already-in-use-solution/87447
org.jitsi.videobridge.rest.private.jetty.port=8979
'';
users = {
groups.jitsi-meet = {
gid = config.vhack.constants.ids.gids.jitsi-meet;
};
users = {
jitsi-meet = {
group = "jitsi-meet";
uid = config.vhack.constants.ids.uids.jitsi-meet;
};
prosody = {
extraGroups = ["jitsi-meet"];
};
};
};
};
}
|
