nixos/lasuite-meet: init (#407742) (a6900e58) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2511.section.md

+2 −0

Original line number	Diff line number	Diff line
		@@ -56,6 +56,8 @@

		- [mautrix-discord](https://github.com/mautrix/discord), a Matrix-Discord puppeting/relay bridge. Available as [services.mautrix-discord](#opt-services.mautrix-discord.enable).

		- [SuiteNumérique Meet](https://github.com/suitenumerique/meet) is an open source alternative to Google Meet and Zoom powered by LiveKit: HD video calls, screen sharing, and chat features. Built with Django and React. Available as [services.lasuite-meet](#opt-services.lasuite-meet.enable).

		## Backward Incompatibilities {#sec-release-25.11-incompatibilities}

		<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

nixos/modules/module-list.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -1596,6 +1596,7 @@
		./services/web-apps/komga.nix
		./services/web-apps/lanraragi.nix
		./services/web-apps/lasuite-docs.nix
		./services/web-apps/lasuite-meet.nix
		./services/web-apps/lemmy.nix
		./services/web-apps/limesurvey.nix
		./services/web-apps/mainsail.nix

nixos/modules/services/web-apps/lasuite-meet.nix

0 → 100644

+449 −0

Original line number	Diff line number	Diff line
		{
		config,
		lib,
		pkgs,
		utils,
		...
		}:
		let
		inherit (lib)
		getExe
		mapAttrs
		mkEnableOption
		mkIf
		mkPackageOption
		mkOption
		types
		optional
		optionalString
		;

		cfg = config.services.lasuite-meet;

		pythonEnvironment = mapAttrs (
		_: value:
		if value == null then
		"None"
		else if value == true then
		"True"
		else if value == false then
		"False"
		else
		toString value
		) cfg.settings;

		commonServiceConfig = {
		RuntimeDirectory = "lasuite-meet";
		StateDirectory = "lasuite-meet";
		WorkingDirectory = "/var/lib/lasuite-meet";

		User = "lasuite-meet";
		DynamicUser = true;
		SupplementaryGroups = mkIf cfg.redis.createLocally [
		config.services.redis.servers.lasuite-meet.group
		];
		# hardening
		AmbientCapabilities = "";
		CapabilityBoundingSet = [ "" ];
		DevicePolicy = "closed";
		LockPersonality = true;
		NoNewPrivileges = true;
		PrivateDevices = true;
		PrivateTmp = true;
		PrivateUsers = true;
		ProcSubset = "pid";
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		ProtectSystem = "strict";
		RemoveIPC = true;
		RestrictAddressFamilies = [
		"AF_INET"
		"AF_INET6"
		"AF_UNIX"
		];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		SystemCallArchitectures = "native";
		MemoryDenyWriteExecute = true;
		EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
		UMask = "0077";
		};
		in
		{
		options.services.lasuite-meet = {
		enable = mkEnableOption "SuiteNumérique Meet";

		backendPackage = mkPackageOption pkgs "lasuite-meet" { };

		frontendPackage = mkPackageOption pkgs "lasuite-meet-frontend" { };

		bind = mkOption {
		type = types.str;
		default = "unix:/run/lasuite-meet/gunicorn.sock";
		example = "127.0.0.1:8000";
		description = ''
		The path, host/port or file descriptior to bind the gunicorn socket to.

		See <https://docs.gunicorn.org/en/stable/settings.html#bind> for possible options.
		'';
		};

		enableNginx = mkEnableOption "enable and configure Nginx for reverse proxying" // {
		default = true;
		};

		secretKeyPath = mkOption {
		type = types.nullOr types.path;
		default = null;
		description = ''
		Path to the Django secret key.

		The key can be generated using:
		```
		python3 -c 'import secrets; print(secrets.token_hex())'
		```

		If not set, the secret key will be automatically generated.
		'';
		};

		postgresql = {
		createLocally = mkEnableOption "Configure local PostgreSQL database server for meet";
		};

		redis = {
		createLocally = mkEnableOption "Configure local Redis cache server for meet";
		};

		livekit = {
		enable = mkEnableOption "Configure local livekit server" // {
		default = true;
		};

		openFirewall = mkEnableOption "Open firewall ports for livekit";

		keyFile = mkOption {
		type = lib.types.path;
		description = ''
		LiveKit key file holding one or multiple application secrets.
		Use `livekit-server generate-keys` to generate a random key name and secret.

		The file should have the YAML format `<keyname>: <secret>`.
		Example:
		`lasuite-meet: f6lQGaHtM5HfgZjIcec3cOCRfiDqIine4CpZZnqdT5cE`

		Individual key/secret pairs need to be passed to clients to connect to this instance.
		'';

		};

		settings = mkOption {
		type = types.attrs;
		default = { };
		description = ''
		Settings to pass to the livekit server.

		See `services.livekit.settings` for more details.
		'';
		};
		};

		gunicorn = {
		extraArgs = mkOption {
		type = types.listOf types.str;
		default = [
		"--name=meet"
		"--workers=3"
		];
		description = ''
		Extra arguments to pass to the gunicorn process.
		'';
		};
		};

		celery = {
		extraArgs = mkOption {
		type = types.listOf types.str;
		default = [ ];
		description = ''
		Extra arguments to pass to the celery process.
		'';
		};
		};

		domain = mkOption {
		type = types.str;
		description = ''
		Domain name of the meet instance.
		'';
		};

		settings = mkOption {
		type = types.submodule {
		freeformType = types.attrsOf (
		types.nullOr (
		types.oneOf [
		types.str
		types.bool
		types.path
		types.int
		]
		)
		);

		options = {
		DJANGO_CONFIGURATION = mkOption {
		type = types.str;
		internal = true;
		default = "Production";
		description = "The configuration that Django will use";
		};

		DJANGO_SETTINGS_MODULE = mkOption {
		type = types.str;
		internal = true;
		default = "meet.settings";
		description = "The configuration module that Django will use";
		};

		DJANGO_SECRET_KEY_FILE = mkOption {
		type = types.path;
		default =
		if cfg.secretKeyPath == null then "/var/lib/lasuite-meet/django_secret_key" else cfg.secretKeyPath;
		description = "The path to the file containing Django's secret key";
		};

		DJANGO_DATA_DIR = mkOption {
		type = types.path;
		default = "/var/lib/lasuite-meet";
		description = "Path to the data directory";
		};

		DJANGO_ALLOWED_HOSTS = mkOption {
		type = types.str;
		default = if cfg.enableNginx then "localhost,127.0.0.1,${cfg.domain}" else "";
		defaultText = lib.literalExpression ''
		if cfg.enableNginx then "localhost,127.0.0.1,$${cfg.domain}" else ""
		'';
		description = "Comma-separated list of hosts that are able to connect to the server";
		};

		DB_NAME = mkOption {
		type = types.str;
		default = "lasuite-meet";
		description = "Name of the database";
		};

		DB_USER = mkOption {
		type = types.str;
		default = "lasuite-meet";
		description = "User of the database";
		};

		DB_HOST = mkOption {
		type = types.nullOr types.str;
		default = if cfg.postgresql.createLocally then "/run/postgresql" else null;
		description = "Host of the database";
		};

		REDIS_URL = mkOption {
		type = types.nullOr types.str;
		default =
		if cfg.redis.createLocally then
		"unix://${config.services.redis.servers.lasuite-meet.unixSocket}?db=0"
		else
		null;
		description = "URL of the redis backend";
		};

		CELERY_BROKER_URL = mkOption {
		type = types.nullOr types.str;
		default =
		if cfg.redis.createLocally then
		"redis+socket://${config.services.redis.servers.lasuite-meet.unixSocket}?db=1"
		else
		null;
		description = "URL of the redis backend for celery";
		};

		LIVEKIT_API_URL = mkOption {
		type = types.nullOr types.str;
		default = if cfg.enableNginx && cfg.livekit.enable then "http://${cfg.domain}/livekit" else null;
		defaultText = lib.literalExpression ''
		if cfg.enableNginx && cfg.livekit.enable then
		"http://$${cfg.domain}/livekit"
		else
		null
		'';
		description = "URL to the livekit server";
		};
		};
		};

		default = { };
		example = ''
		{
		DJANGO_ALLOWED_HOSTS = "*";
		}
		'';
		description = ''
		Configuration options of meet.
		See https://github.com/suitenumerique/meet/blob/v${cfg.backendPackage.version}/docs/env.md
		`REDIS_URL` and `CELERY_BROKER_URL` are set if `services.lasuite-meet.redis.createLocally` is true.
		`DB_NAME` `DB_USER` and `DB_HOST` are set if `services.lasuite-meet.postgresql.createLocally` is true.
		'';
		};

		environmentFile = mkOption {
		type = types.nullOr types.path;
		default = null;
		description = ''
		Path to environment file.

		This can be useful to pass secrets to meet via tools like `agenix` or `sops`.
		'';
		};
		};

		config = mkIf cfg.enable {
		systemd.services.lasuite-meet = {
		description = "Meet from SuiteNumérique";
		after =
		[ "network.target" ]
		++ (optional cfg.postgresql.createLocally "postgresql.service")
		++ (optional cfg.redis.createLocally "redis-lasuite-meet.service");

		wants =
		(optional cfg.postgresql.createLocally "postgresql.service")
		++ (optional cfg.redis.createLocally "redis-lasuite-meet.service");

		wantedBy = [ "multi-user.target" ];

		preStart = ''
		ln -sfT ${cfg.backendPackage}/share/static /var/lib/lasuite-meet/static

		if [ ! -f .version ]; then
		touch .version
		fi

		if [ "${cfg.backendPackage.version}" != "$(cat .version)" ]; then
		${getExe cfg.backendPackage} migrate
		echo -n "${cfg.backendPackage.version}" > .version
		fi
		${optionalString (cfg.secretKeyPath == null) ''
		if [[ ! -f /var/lib/lasuite-meet/django_secret_key ]]; then
		(
		umask 0377
		tr -dc A-Za-z0-9 < /dev/urandom \| head -c64 \| ${pkgs.moreutils}/bin/sponge /var/lib/lasuite-meet/django_secret_key
		)
		fi
		''}
		'';

		environment = pythonEnvironment;

		serviceConfig = {
		ExecStart = utils.escapeSystemdExecArgs (
		[
		(lib.getExe' cfg.backendPackage "gunicorn")
		"--bind=${cfg.bind}"
		]
		++ cfg.gunicorn.extraArgs
		++ [ "meet.wsgi:application" ]
		);
		} // commonServiceConfig;
		};

		systemd.services.lasuite-meet-celery = {
		description = "Meet Celery broker from SuiteNumérique";
		after =
		[ "network.target" ]
		++ (optional cfg.postgresql.createLocally "postgresql.service")
		++ (optional cfg.redis.createLocally "redis-lasuite-meet.service");

		wants =
		(optional cfg.postgresql.createLocally "postgresql.service")
		++ (optional cfg.redis.createLocally "redis-lasuite-meet.service");

		wantedBy = [ "multi-user.target" ];

		environment = pythonEnvironment;

		serviceConfig = {
		ExecStart = utils.escapeSystemdExecArgs (
		[ (lib.getExe' cfg.backendPackage "celery") ]
		++ cfg.celery.extraArgs
		++ [
		"--app=meet.celery_app"
		"worker"
		]
		);
		} // commonServiceConfig;
		};

		services.postgresql = mkIf cfg.postgresql.createLocally {
		enable = true;
		ensureDatabases = [ "lasuite-meet" ];
		ensureUsers = [
		{
		name = "lasuite-meet";
		ensureDBOwnership = true;
		}
		];
		};

		services.redis.servers.lasuite-meet = mkIf cfg.redis.createLocally { enable = true; };

		services.livekit = mkIf cfg.livekit.enable {
		inherit (cfg.livekit)
		enable
		settings
		keyFile
		openFirewall
		;
		};

		services.nginx = mkIf cfg.enableNginx {
		enable = true;

		virtualHosts.${cfg.domain} = {
		root = cfg.frontendPackage;

		extraConfig = ''
		error_page 404 = /index.html;
		'';

		locations."/api" = {
		proxyPass = "http://${cfg.bind}";
		recommendedProxySettings = true;
		};

		locations."/admin" = {
		proxyPass = "http://${cfg.bind}";
		recommendedProxySettings = true;
		};

		locations."/livekit" = mkIf cfg.livekit.enable {
		proxyPass = "http://localhost:${toString config.services.livekit.settings.port}";
		recommendedProxySettings = true;
		proxyWebsockets = true;
		extraConfig = ''
		rewrite ^/livekit/(.*)$ /$1 break;
		'';
		};
		};
		};
		};

		meta = {
		buildDocsInSandbox = false;
		maintainers = [ lib.maintainers.soyouzpanda ];
		};
		}

nixos/tests/all-tests.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -771,6 +771,7 @@ in
		_module.args.latestKernel = true;
		};
		lasuite-docs = runTest ./web-apps/lasuite-docs.nix;
		lasuite-meet = runTest ./web-apps/lasuite-meet.nix;
		lavalink = runTest ./lavalink.nix;
		leaps = runTest ./leaps.nix;
		lemmy = runTest ./lemmy.nix;

nixos/tests/web-apps/lasuite-meet.nix

0 → 100644

+141 −0

Original line number	Diff line number	Diff line
		{ lib, ... }:
		let
		domain = "meet.local";
		oidcDomain = "127.0.0.1:8080";
		in

		{
		name = "lasuite-meet";
		meta.maintainers = with lib.maintainers; [ soyouzpanda ];

		nodes.machine =
		{ pkgs, ... }:
		{
		virtualisation.memorySize = 4 * 1024;

		networking.hosts."127.0.0.1" = [ domain ];

		environment.systemPackages = with pkgs; [ jq ];

		services.lasuite-meet = {
		enable = true;
		enableNginx = true;
		livekit = {
		enable = true;
		keyFile = pkgs.writeText "lasuite-meet-livekit-keys" ''
		lasuite-meet: ca50qKzxEXVIu61wHshAyJNzlWw8vlIwUuzxQbUK1rG
		'';
		};
		redis.createLocally = true;
		postgresql.createLocally = true;

		inherit domain;

		settings = {
		DJANGO_SECRET_KEY_FILE = pkgs.writeText "django-secret-file" ''
		8540db59c03943d48c3ed1a0f96ce3b560e0f45274f120f7ee4dace3cc366a6b
		'';

		OIDC_OP_JWKS_ENDPOINT = "http://${oidcDomain}/dex/keys";
		OIDC_OP_AUTHORIZATION_ENDPOINT = "http://${oidcDomain}/dex/auth/mock";
		OIDC_OP_TOKEN_ENDPOINT = "http://${oidcDomain}/dex/token";
		OIDC_OP_USER_ENDPOINT = "http://${oidcDomain}/dex/userinfo";
		OIDC_RP_CLIENT_ID = "lasuite-meet";
		OIDC_RP_SIGN_ALGO = "RS256";
		OIDC_RP_SCOPES = "openid email";
		OIDC_RP_CLIENT_SECRET = "lasuitemeetclientsecret";

		LOGIN_REDIRECT_URL = "http://${domain}";
		LOGIN_REDIRECT_URL_FAILURE = "http://${domain}";
		LOGOUT_REDIRECT_URL = "http://${domain}";

		LIVEKIT_API_KEY = "lasuite-meet";
		LIVEKIT_API_SECRET = "ca50qKzxEXVIu61wHshAyJNzlWw8vlIwUuzxQbUK1rG";

		# Disable HTTPS feature in tests because we're running on a HTTP connection
		DJANGO_SECURE_PROXY_SSL_HEADER = "";
		DJANGO_SECURE_SSL_REDIRECT = false;
		DJANGO_CSRF_COOKIE_SECURE = false;
		DJANGO_SESSION_COOKIE_SECURE = false;
		DJANGO_CSRF_TRUSTED_ORIGINS = "http://*";
		};
		};

		services.dex = {
		enable = true;
		settings = {
		issuer = "http://${oidcDomain}/dex";
		storage = {
		type = "postgres";
		config.host = "/var/run/postgresql";
		};
		web.http = "127.0.0.1:8080";
		oauth2.skipApprovalScreen = true;
		staticClients = [
		{
		id = "lasuite-meet";
		name = "Meet";
		redirectURIs = [ "http://${domain}/api/v1.0/callback/" ];
		secretFile = "/etc/dex/lasuite-meet";
		}
		];
		connectors = [
		{
		type = "mockPassword";
		id = "mock";
		name = "Example";
		config = {
		username = "admin";
		password = "password";
		};
		}
		];
		};
		};

		environment.etc."dex/lasuite-meet" = {
		mode = "0400";
		user = "dex";
		text = "lasuitemeetclientsecret";
		};

		services.postgresql = {
		enable = true;
		ensureDatabases = [ "dex" ];
		ensureUsers = [
		{
		name = "dex";
		ensureDBOwnership = true;
		}
		];
		};
		};

		testScript = ''
		with subtest("Wait for units to start"):
		machine.wait_for_unit("dex.service")
		machine.wait_for_unit("lasuite-meet.service")
		machine.wait_for_unit("lasuite-meet-celery.service")

		with subtest("Wait for web servers to start"):
		machine.wait_until_succeeds("curl -fs 'http://${domain}/api/v1.0/authenticate/'", timeout=120)
		machine.wait_until_succeeds("curl -fs '${oidcDomain}/dex/auth/mock?client_id=lasuite-meet&response_type=code&redirect_uri=http://${domain}/api/v1.0/callback/&scope=openid'", timeout=120)

		with subtest("Login"):
		state, nonce = machine.succeed("curl -fs -c cjar 'http://${domain}/api/v1.0/authenticate/' -w '%{redirect_url}' \| sed -n 's/.state=\$.\$&nonce=\$.*\$/\\1 \\2/p'").strip().split(' ')

		oidc_state = machine.succeed(f"curl -fs '${oidcDomain}/dex/auth/mock?client_id=lasuite-meet&response_type=code&redirect_uri=http://${domain}/api/v1.0/callback/&scope=openid+email&state={state}&nonce={nonce}' \| sed -n 's/.state=\$.\$\">.*/\\1/p'").strip()

		code = machine.succeed(f"curl -fs '${oidcDomain}/dex/auth/mock/login?back=&state={oidc_state}' -d 'login=admin&password=password' -w '%{{redirect_url}}' \| sed -n 's/.code=\$.\$&.*/\\1/p'").strip()
		print(f"Got approval code {code}")

		machine.succeed(f"curl -fs -c cjar -b cjar 'http://${domain}/api/v1.0/callback/?code={code}&state={state}'")

		with subtest("Create a room"):
		csrf_token = machine.succeed("grep csrftoken cjar \| cut -f 7 \| tr -d '\n'")

		room_id = machine.succeed(f"curl -fs -c cjar -b cjar 'http://${domain}/api/v1.0/rooms/' -X POST -H 'Content-Type: application/json' -H 'X-CSRFToken: {csrf_token}' -H 'Referer: http://${domain}' -d '{{\"name\": \"aaa-bbbb-ccc\"}}' \| jq .id -r").strip()

		print(f"Created room with id {room_id}")
		'';
		}

Admin message