pyrox.dev
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 cfg = config.services.jicofo;
7in
8{
9 options.services.jicofo = with types; {
10 enable = mkEnableOption (lib.mdDoc "Jitsi Conference Focus - component of Jitsi Meet");
11
12 xmppHost = mkOption {
13 type = str;
14 example = "localhost";
15 description = lib.mdDoc ''
16 Hostname of the XMPP server to connect to.
17 '';
18 };
19
20 xmppDomain = mkOption {
21 type = nullOr str;
22 example = "meet.example.org";
23 description = lib.mdDoc ''
24 Domain name of the XMMP server to which to connect as a component.
25
26 If null, {option}`xmppHost` is used.
27 '';
28 };
29
30 componentPasswordFile = mkOption {
31 type = str;
32 example = "/run/keys/jicofo-component";
33 description = lib.mdDoc ''
34 Path to file containing component secret.
35 '';
36 };
37
38 userName = mkOption {
39 type = str;
40 default = "focus";
41 description = lib.mdDoc ''
42 User part of the JID for XMPP user connection.
43 '';
44 };
45
46 userDomain = mkOption {
47 type = str;
48 example = "auth.meet.example.org";
49 description = lib.mdDoc ''
50 Domain part of the JID for XMPP user connection.
51 '';
52 };
53
54 userPasswordFile = mkOption {
55 type = str;
56 example = "/run/keys/jicofo-user";
57 description = lib.mdDoc ''
58 Path to file containing password for XMPP user connection.
59 '';
60 };
61
62 bridgeMuc = mkOption {
63 type = str;
64 example = "jvbbrewery@internal.meet.example.org";
65 description = lib.mdDoc ''
66 JID of the internal MUC used to communicate with Videobridges.
67 '';
68 };
69
70 config = mkOption {
71 type = attrsOf str;
72 default = { };
73 example = literalExpression ''
74 {
75 "org.jitsi.jicofo.auth.URL" = "XMPP:jitsi-meet.example.com";
76 }
77 '';
78 description = lib.mdDoc ''
79 Contents of the {file}`sip-communicator.properties` configuration file for jicofo.
80 '';
81 };
82 };
83
84 config = mkIf cfg.enable {
85 services.jicofo.config = mapAttrs (_: v: mkDefault v) {
86 "org.jitsi.jicofo.BRIDGE_MUC" = cfg.bridgeMuc;
87 };
88
89 users.groups.jitsi-meet = {};
90
91 systemd.services.jicofo = let
92 jicofoProps = {
93 "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi";
94 "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "jicofo";
95 "-Djava.util.logging.config.file" = "/etc/jitsi/jicofo/logging.properties";
96 };
97 in
98 {
99 description = "JItsi COnference FOcus";
100 wantedBy = [ "multi-user.target" ];
101 after = [ "network.target" ];
102
103 restartTriggers = [
104 config.environment.etc."jitsi/jicofo/sip-communicator.properties".source
105 ];
106 environment.JAVA_SYS_PROPS = concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") jicofoProps);
107
108 script = ''
109 ${pkgs.jicofo}/bin/jicofo \
110 --host=${cfg.xmppHost} \
111 --domain=${if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain} \
112 --secret=$(cat ${cfg.componentPasswordFile}) \
113 --user_name=${cfg.userName} \
114 --user_domain=${cfg.userDomain} \
115 --user_password=$(cat ${cfg.userPasswordFile})
116 '';
117
118 serviceConfig = {
119 Type = "exec";
120
121 DynamicUser = true;
122 User = "jicofo";
123 Group = "jitsi-meet";
124
125 CapabilityBoundingSet = "";
126 NoNewPrivileges = true;
127 ProtectSystem = "strict";
128 ProtectHome = true;
129 PrivateTmp = true;
130 PrivateDevices = true;
131 ProtectHostname = true;
132 ProtectKernelTunables = true;
133 ProtectKernelModules = true;
134 ProtectControlGroups = true;
135 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
136 RestrictNamespaces = true;
137 LockPersonality = true;
138 RestrictRealtime = true;
139 RestrictSUIDSGID = true;
140 };
141 };
142
143 environment.etc."jitsi/jicofo/sip-communicator.properties".source =
144 pkgs.writeText "sip-communicator.properties" (
145 generators.toKeyValue {} cfg.config
146 );
147 environment.etc."jitsi/jicofo/logging.properties".source =
148 mkDefault "${pkgs.jicofo}/etc/jitsi/jicofo/logging.properties-journal";
149 };
150
151 meta.maintainers = lib.teams.jitsi.members;
152}