| blob | 91906e417361d3aab2646ee06fee3e900f94b0b8 |
1 { config, lib, pkgs, ... }:
2 let
3 cfg = config.services.jicofo;
5 format = pkgs.formats.hocon { };
7 configFile = format.generate "jicofo.conf" cfg.config;
8 in
9 {
10 options.services.jicofo = with lib.types; {
11 enable = lib.mkEnableOption "Jitsi Conference Focus - component of Jitsi Meet";
13 xmppHost = lib.mkOption {
14 type = str;
15 example = "localhost";
16 description = ''
17 Hostname of the XMPP server to connect to.
18 '';
19 };
21 xmppDomain = lib.mkOption {
22 type = nullOr str;
23 example = "meet.example.org";
24 description = ''
25 Domain name of the XMMP server to which to connect as a component.
27 If null, {option}`xmppHost` is used.
28 '';
29 };
31 componentPasswordFile = lib.mkOption {
32 type = str;
33 example = "/run/keys/jicofo-component";
34 description = ''
35 Path to file containing component secret.
36 '';
37 };
39 userName = lib.mkOption {
40 type = str;
41 default = "focus";
42 description = ''
43 User part of the JID for XMPP user connection.
44 '';
45 };
47 userDomain = lib.mkOption {
48 type = str;
49 example = "auth.meet.example.org";
50 description = ''
51 Domain part of the JID for XMPP user connection.
52 '';
53 };
55 userPasswordFile = lib.mkOption {
56 type = str;
57 example = "/run/keys/jicofo-user";
58 description = ''
59 Path to file containing password for XMPP user connection.
60 '';
61 };
63 bridgeMuc = lib.mkOption {
64 type = str;
65 example = "jvbbrewery@internal.meet.example.org";
66 description = ''
67 JID of the internal MUC used to communicate with Videobridges.
68 '';
69 };
71 config = lib.mkOption {
72 type = format.type;
73 default = { };
74 example = lib.literalExpression ''
75 {
76 jicofo.bridge.max-bridge-participants = 42;
77 }
78 '';
79 description = ''
80 Contents of the {file}`jicofo.conf` configuration file.
81 '';
82 };
83 };
85 config = lib.mkIf cfg.enable {
86 services.jicofo.config = {
87 jicofo = {
88 bridge.brewery-jid = cfg.bridgeMuc;
89 xmpp = rec {
90 client = {
91 hostname = cfg.xmppHost;
92 username = cfg.userName;
93 domain = cfg.userDomain;
94 password = format.lib.mkSubstitution "JICOFO_AUTH_PASS";
95 xmpp-domain = if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain;
96 };
97 service = client;
98 };
99 };
100 };
102 users.groups.jitsi-meet = {};
104 systemd.services.jicofo = let
105 jicofoProps = {
106 "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi";
107 "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "jicofo";
108 "-Djava.util.logging.config.file" = "/etc/jitsi/jicofo/logging.properties";
109 "-Dconfig.file" = configFile;
110 };
111 in
112 {
113 description = "JItsi COnference FOcus";
114 wantedBy = [ "multi-user.target" ];
115 after = [ "network.target" ];
117 restartTriggers = [
118 configFile
119 ];
120 environment.JAVA_SYS_PROPS = lib.concatStringsSep " " (lib.mapAttrsToList (k: v: "${k}=${toString v}") jicofoProps);
122 script = ''
123 export JICOFO_AUTH_PASS="$(<${cfg.userPasswordFile})"
124 exec "${pkgs.jicofo}/bin/jicofo"
125 '';
127 serviceConfig = {
128 Type = "exec";
130 DynamicUser = true;
131 User = "jicofo";
132 Group = "jitsi-meet";
134 CapabilityBoundingSet = "";
135 NoNewPrivileges = true;
136 ProtectSystem = "strict";
137 ProtectHome = true;
138 PrivateTmp = true;
139 PrivateDevices = true;
140 ProtectHostname = true;
141 ProtectKernelTunables = true;
142 ProtectKernelModules = true;
143 ProtectControlGroups = true;
144 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
145 RestrictNamespaces = true;
146 LockPersonality = true;
147 RestrictRealtime = true;
148 RestrictSUIDSGID = true;
149 };
150 };
152 environment.etc."jitsi/jicofo/sip-communicator.properties".text = "";
153 environment.etc."jitsi/jicofo/logging.properties".source =
154 lib.mkDefault "${pkgs.jicofo}/etc/jitsi/jicofo/logging.properties-journal";
155 };
157 meta.maintainers = lib.teams.jitsi.members;
158 }