bicep/matrix: attempt to set up livekit

hosts/bicep/services/matrix/default.nix

@@ -7,6 +7,7 @@
     ./synapse-admin.nix
     ./element.nix
     ./coturn.nix
+    ./livekit.nix
     ./mjolnir.nix
     ./well-known.nix
 

hosts/bicep/services/matrix/livekit.nix

@@ -0,0 +1,67 @@
+{ config, lib, fp, ... }:
+let
+  synapseConfig = config.services.matrix-synapse-next;
+  matrixDomain = "matrix.pvv.ntnu.no";
+  cfg = config.services.livekit;
+in
+{
+  sops.secrets."matrix/livekit/keyfile/lk-jwt-service" = {
+    sopsFile = fp /secrets/bicep/matrix.yaml;
+    key = "livekit/keyfile/lk-jwt-service";
+  };
+  sops.templates."matrix-livekit-keyfile" = {
+    restartUnits = [
+      "livekit.service"
+      "lk-jwt-service.service"
+    ];
+    content = ''
+      lk-jwt-service: ${config.sops.placeholder."matrix/livekit/keyfile/lk-jwt-service"}
+    '';
+  };
+
+  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
+    "org.matrix.msc4143.rtc_foci" = [{
+      type = "livekit";
+      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+    }];
+  };
+
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
+
+    # NOTE: needed for ingress/egress workers
+    # redis.createLocally = true;
+
+    # settings.room.auto_create = false;
+  };
+
+  services.lk-jwt-service = lib.mkIf cfg.enable {
+    enable = true;
+    livekitUrl = "wss://${matrixDomain}/livekit/sfu";
+    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
+  };
+
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable matrixDomain;
+
+  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
+    locations."^~ /livekit/jwt/" = {
+      proxyPass = "http://localhost:${toString config.services.lk-jwt-service.port}/";
+    };
+
+    # TODO: load balance to multiple livekit ingress/egress workers
+    locations."^~ /livekit/sfu/" = {
+      proxyPass = "http://localhost:${toString config.services.livekit.settings.port}/";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_send_timeout 120;
+        proxy_read_timeout 120;
+        proxy_buffering off;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      '';
+    };
+  };
+}

secrets/bicep/matrix.yaml

@@ -17,6 +17,10 @@ ooye:
 hookshot:
     as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
     hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
+livekit:
+    keyfile:
+        #ENC[AES256_GCM,data:M+SfmEuhPL8sqxOl3uL8mE6Z6pC6naQNxFRskMPbVpLVWYM1Be+QOoLEiTMtWqH2PAf2NZXLcNY63Q99bYINz+BTt/ekllye,iv:DSZJxoZUlUZxPpzfpXyZ4ECeJjq6/WW8I2fvTXIjmfU=,tag:HwHhdQA8yuSKYxM5LcZV/w==,type:comment]
+        lk-jwt-service: ENC[AES256_GCM,data:6OjQCG2lztUGBojhfxzv7YdflNemhMToibOPTmnZD6q5T/EVRTV36Meg68E=,iv:UahvMi5ssAKuIsr5RlCdAm7XK/B2dLZLi6hcGAJ42DE=,tag:BEV3Clg6Sr9f9tPeJTiIOQ==,type:str]
 sops:
     age:
         - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
@@ -82,8 +86,8 @@ sops:
             Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
             OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-21T21:23:24Z"
-    mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
+    lastmodified: "2026-01-21T01:01:35Z"
+    mac: ENC[AES256_GCM,data:1f8RYVjnNs9T3DRFY+CouPUsGmfBRWEOASjB04dd89iIYC6sagk5e4JjqPDpOQjMxbAVnEKa2oX+nFSBa8xF14jqNSadl9xwlKwLJnaBhUb3grJ5d+O8Tcq+0xQ+oqIN+Awm6eaJTesiopRu68MhFQeUZwBUO+83W2YeQgFhz34=,iv:NymjPCr6/osod8liluA6Pbq1XT4KiI/qIS6lx9sM4NQ=,tag:Td3mjPaHUFeD3d/hZ3f1og==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:46Z"
           enc: |-
@@ -106,4 +110,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0