diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c5fc6e5097ddc..a64086c3329b8 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1377,6 +1377,7 @@
 ./services/video/mirakurun.nix
 ./services/video/photonvision.nix
 ./services/video/mediamtx.nix
+ ./services/video/moq-relay.nix
 ./services/video/v4l2-relayd.nix
 ./services/wayland/cage.nix
 ./services/wayland/hypridle.nix
diff --git a/nixos/modules/services/video/moq-relay.nix b/nixos/modules/services/video/moq-relay.nix
new file mode 100644
index 0000000000000..bb2feb43cebe0
--- /dev/null
+++ b/nixos/modules/services/video/moq-relay.nix
@@ -0,0 +1,100 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.moq-relay;
+in
+{
+ options.services.moq-relay = {
+ enable = lib.mkEnableOption "moq-relay";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 443;
+ description = "Relay server port";
+ };
+ user = lib.mkOption {
+ type = with lib.types; uniq str;
+ description = ''
+ User account that runs moq-relay.
+
+ ::: {.note}
+ This user must have access to the TLS certificate and key.
+ :::
+ '';
+ };
+ group = lib.mkOption {
+ type = with lib.types; uniq str;
+ description = ''
+ Group account that runs moq-relay.
+
+ ::: {.note}
+ This group must have access to the TLS certificate and key.
+ :::
+ '';
+ };
+ tls = {
+ keyPath = lib.mkOption {
+ type = lib.types.path;
+ example = "/var/lib/acme/moq-relay.example.org/key.pem";
+ description = ''
+ Path to TLS private key
+ '';
+ };
+ certPath = lib.mkOption {
+ type = lib.types.path;
+ example = "/var/lib/acme/moq-relay.example.org/cert.pem";
+ description = ''
+ Path to TLS certificate
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.moq-relay = {
+ description = "Media over QUIC relay server";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = "${pkgs.moq-relay}/bin/moq-relay --bind [::]:${builtins.toString cfg.port} --tls-cert ${cfg.tls.certPath} --tls-key ${cfg.tls.keyPath}";
+ Restart = "on-failure";
+ RestartSec = "1";
+
+ # hardening
+ RemoveIPC = true;
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictRealtime = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectHome = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ };
+ };
+ };
+}
diff --git a/pkgs/by-name/mo/moq-relay/package.nix b/pkgs/by-name/mo/moq-relay/package.nix
new file mode 100644
index 0000000000000..c065b6ea23015
--- /dev/null
+++ b/pkgs/by-name/mo/moq-relay/package.nix
@@ -0,0 +1,35 @@
+{
+ lib,
+ stdenv,
+ fetchFromGitHub,
+ libressl,
+ pkg-config,
+ rustPlatform,
+}:
+
+rustPlatform.buildRustPackage rec {
+ pname = "moq-relay";
+ version = "0.6.2";
+
+ src = fetchFromGitHub {
+ owner = "kixelated";
+ repo = "moq-rs";
+ rev = "moq-relay-v${version}";
+ hash = "sha256-/2+2785FGXErG0uNVuReaf/GCFv2gypMOnrAXrA4qvs=";
+ };
+
+ cargoHash = "sha256-ih1UXbTHQA3wjkmajT1rHN1BUlOE/nkD+EUay1R3twE=";
+
+ nativeBuildInputs = [ pkg-config ];
+
+ buildInputs = [ libressl ];
+
+ meta = {
+ description = "Media Over QUIC relay server";
+ mainProgram = "moq-relay";
+ homepage = "https://quic.video/";
+ license = lib.licenses.asl20;
+ changelog = "https://github.com/kixelated/moq-rs/releases/tag/moq-relay-v${version}";
+ maintainers = [ lib.maintainers.therishidesai ];
+ };
+}
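Review bot: The `port` option defaults to `443` while the unit sets `CapabilityBoundingSet = [ "" ]` and no `AmbientCapabilities`, so the shipped default cannot bind a privileged port as its unprivileged (dynamic) user and will fail at start on any host that keeps the kernel default for `net.ipv4.ip_unprivileged_port_start`; that restriction covers UDP, so QUIC is affected just like TCP. Either lower the default port or grant `CAP_NET_BIND_SERVICE` in both the bounding set and the ambient set. A second, related issue: `user`/`group` are required, documented as needing read access to the key, yet the module creates no account and turns on `DynamicUser = true`, which in practice nudges operators toward loosening permissions on the ACME key; handing the cert and key to the service through `LoadCredential` keeps the files root-owned, works with `DynamicUser`, and removes the unquoted `${cfg.tls.*}` interpolations from `ExecStart`. Worth a sentence in the `keyPath` description as well: `lib.types.path` accepts a Nix path literal, which would copy the private key into the world-readable store.
```nix
serviceConfig = {
  User = cfg.user;
  Group = cfg.group;
  # Cert and key are passed as systemd credentials so the files can stay root-owned.
  LoadCredential = [
    "cert.pem:${cfg.tls.certPath}"
    "key.pem:${cfg.tls.keyPath}"
  ];
  ExecStart = "${pkgs.moq-relay}/bin/moq-relay --bind [::]:${builtins.toString cfg.port} --tls-cert %d/cert.pem --tls-key %d/key.pem";
  # … unchanged: Restart, RestartSec …
  # Needed for the default port 443; harmless for ports >= 1024.
  AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
  # … unchanged: remaining hardening directives …
};
```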
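Review bot: `stdenv` is declared in the argument set of package.nix but never referenced in the body, so it should be removed from the parameters. The source is pinned with `rev = "moq-relay-v${version}"`, a mutable tag; the fixed-output `hash` already guarantees what is built, but `fetchFromGitHub` accepts `tag = "moq-relay-v${version}"`, which states the intent explicitly and is what update tooling expects. It is also worth confirming that `libressl` is actually linked — `moq-rs` is a Rust workspace, and if its TLS stack is pure Rust the `pkg-config`/`libressl` inputs are dead weight; I cannot verify that from this hunk.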