Matrix: Difference between revisions

(5 intermediate revisions by 5 users not shown)

Line 13:

=== Desktop clients ===

These clients are ~~know~~ to work: <code>element-desktop</code> [https://element.io/] and <code>fractal</code> [https://gitlab.gnome.org/World/fractal]

These clients are known to work: <code>element-desktop</code> [https://element.io/] and <code>fractal</code> [https://gitlab.gnome.org/World/fractal]

Most of the other clients packaged in Nixpkgs, such as <code>matrix-commander</code>, <code>neochat</code>, <code>nheko</code>, rely on the '''insecure''' and '''deprecated''' <code>olm</code> library susceptible to [https://~~soatok~~.~~blog~~/2024/08/14/~~security~~-~~issues~~-in-~~matrixs~~-~~olm-library/ various security vulnerabilities~~].

Most of the other clients packaged in Nixpkgs, such as <code>matrix-commander</code>, <code>neochat</code>, <code>nheko</code>, rely on the '''insecure''' and '''deprecated''' <code>olm</code> library susceptible to various security vulnerabilities.[https://nvd.nist.gov/vuln/detail/CVE-2024-45191][https://nvd.nist.gov/vuln/detail/CVE-2024-45193][https://nvd.nist.gov/vuln/detail/CVE-2024-45192]

If this isn't a problem for you, you can install them as usual, and upon evaluation, Nix will helpfully guide you on how to [https://nixos.org/manual/nixpkgs/stable/#sec-allow-insecure install insecure packages].

Line 162:

turn_user_lifetime = "1h";

};

}

</syntaxhighlight>

==== Livekit ====

In order to set up element call or for calls to work in Element X it is necessary to set up and announce livekit. To set up livekit for matrix in nixos use<syntaxhighlight lang="nix" line="1">

{ config, lib, pkgs, ... }: let

keyFile = "/run/livekit.key";

in {

services.livekit = {

enable = true;

openFirewall = true;

settings.room.auto_create = false;

inherit keyFile;

};

services.lk-jwt-service = {

enable = true;

# can be on the same virtualHost as synapse

livekitUrl = "wss://domain.tld/livekit/sfu";

inherit keyFile;

};

# generate the key when needed

systemd.services.livekit-key = {

before = [ "lk-jwt-service.service" "livekit.service" ];

wantedBy = [ "multi-user.target" ];

path = with pkgs; [ livekit coreutils gawk ];

script = ''

echo "Key missing, generating key"

echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"

'';

serviceConfig.Type = "oneshot";

unitConfig.ConditionPathExists = "!${keyFile}";

};

# restrict access to livekit room creation to a homeserver

systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "domain.tld";

services.nginx.virtualHosts."domain.tld".locations = {

"^~ /livekit/jwt/" = {

priority = 400;

proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";

};

"^~ /livekit/sfu/" = {

extraConfig = ''

proxy_send_timeout 120;

proxy_read_timeout 120;

proxy_buffering off;

proxy_set_header Accept-Encoding gzip;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

'';

priority = 400;

proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";

proxyWebsockets = true;

};

}

</syntaxhighlight>Furthermore, it is necessary to announce the service with a <code>domain.tld/.well-known/matrix/client</code> which needs to be served as <code>Content-Type application/json</code> (calls in Element X might not work without the content-type) and contain<syntaxhighlight lang="json">

{

"m.homeserver": {

"base_url": "https://domain.tld"

},

"m.identity_server": {

"base_url": "https://vector.im"

},

"org.matrix.msc3575.proxy": {

"url": "https://domain.tld"

},

"org.matrix.msc4143.rtc_foci": [

{

"type": "livekit", "livekit_service_url": "https://domain.tld/livekit/jwt"

}

]

}

</syntaxhighlight>

Line 254:

Line 325:

=== mautrix-whatsapp ===

Packaged as [https://search.nixos.org/packages?query=mautrix-whatsapp mautrix-whatsapp].

~~Module implemented in this [https://github.com/NixOS/nixpkgs/pull/246842 PR].~~

=== matrix-appservice-irc ===

@@ Line 13: / Line 13: @@
 === Desktop clients ===
-These clients are know to work: <code>element-desktop</code> [https://element.io/] and <code>fractal</code> [https://gitlab.gnome.org/World/fractal]
+These clients are known to work: <code>element-desktop</code> [https://element.io/] and <code>fractal</code> [https://gitlab.gnome.org/World/fractal]
-Most of the other clients packaged in Nixpkgs, such as <code>matrix-commander</code>, <code>neochat</code>, <code>nheko</code>, rely on the '''insecure''' and '''deprecated''' <code>olm</code> library susceptible to [https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/ various security vulnerabilities].
+Most of the other clients packaged in Nixpkgs, such as <code>matrix-commander</code>, <code>neochat</code>, <code>nheko</code>, rely on the '''insecure''' and '''deprecated''' <code>olm</code> library susceptible to various security vulnerabilities.[https://nvd.nist.gov/vuln/detail/CVE-2024-45191][https://nvd.nist.gov/vuln/detail/CVE-2024-45193][https://nvd.nist.gov/vuln/detail/CVE-2024-45192]
 If this isn't a problem for you, you can install them as usual, and upon evaluation, Nix will helpfully guide you on how to [https://nixos.org/manual/nixpkgs/stable/#sec-allow-insecure install insecure packages].
@@ Line 162: / Line 162: @@
      turn_user_lifetime = "1h";
    };
+}
+</syntaxhighlight>
+==== Livekit ====
+In order to set up element call or for calls to work in Element X it is necessary to set up and announce livekit. To set up livekit for matrix in nixos use<syntaxhighlight lang="nix" line="1">
+{ config, lib, pkgs, ... }: let
+  keyFile = "/run/livekit.key";
+in {
+  services.livekit = {
+    enable = true;
+    openFirewall = true;
+    settings.room.auto_create = false;
+    inherit keyFile;
+  };
+  services.lk-jwt-service = {
+    enable = true;
+    # can be on the same virtualHost as synapse
+    livekitUrl = "wss://domain.tld/livekit/sfu";
+    inherit keyFile;
+  };
+  # generate the key when needed
+  systemd.services.livekit-key = {
+    before = [ "lk-jwt-service.service" "livekit.service" ];
+    wantedBy = [ "multi-user.target" ];
+    path = with pkgs; [ livekit coreutils gawk ];
+    script = ''
+        echo "Key missing, generating key"
+        echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+    '';
+    serviceConfig.Type = "oneshot";
+    unitConfig.ConditionPathExists = "!${keyFile}";
+  };
+  # restrict access to livekit room creation to a homeserver
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "domain.tld";
+  services.nginx.virtualHosts."domain.tld".locations = {
+    "^~ /livekit/jwt/" = {
+      priority = 400;
+      proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+    };
+    "^~ /livekit/sfu/" = {
+      extraConfig = ''
+        proxy_send_timeout 120;
+        proxy_read_timeout 120;
+        proxy_buffering off;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      '';
+      priority = 400;
+      proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+      proxyWebsockets = true;
+    };
+  };
+}
+</syntaxhighlight>Furthermore, it is necessary to announce the service with a <code>domain.tld/.well-known/matrix/client</code> which needs to be served as <code>Content-Type application/json</code> (calls in Element X might not work without the content-type) and contain<syntaxhighlight lang="json">
+{
+  "m.homeserver": {
+    "base_url": "https://domain.tld"
+  },
+  "m.identity_server": {
+    "base_url": "https://vector.im"
+  },
+  "org.matrix.msc3575.proxy": {
+    "url": "https://domain.tld"
+  },
+  "org.matrix.msc4143.rtc_foci": [
+    {
+       "type": "livekit",    "livekit_service_url": "https://domain.tld/livekit/jwt"
+    }
+  ]
 }
 </syntaxhighlight>
@@ Line 254: / Line 325: @@
 === mautrix-whatsapp ===
 Packaged as [https://search.nixos.org/packages?query=mautrix-whatsapp mautrix-whatsapp].
-Module implemented in this [https://github.com/NixOS/nixpkgs/pull/246842 PR].
 === matrix-appservice-irc ===