jitsi-meet: Add option to disable Prosody services not used by Jitsi Meet

The default Prosody config assumes that Prosody will be used as a federated XMPP server, while the usecase for Jitsi Meet is much narrower.
2025-06-11 20:25:32 +03:00 · 2024-01-12 23:21:47 +01:00 · 2024-01-12 23:21:47 +01:00 · 56581588c3
commit 56581588c3
parent 7ab8f255b9
2 changed files with 31 additions and 2 deletions
--- a/nixos/modules/services/web-apps/jitsi-meet.md
+++ b/nixos/modules/services/web-apps/jitsi-meet.md
@ -19,6 +19,13 @@ A minimal configuration using Let's Encrypt for TLS certificates looks like this
 }
 ```

+Jitsi Meet depends on the Prosody XMPP server only for message passing from
+the web browser while the default Prosody configuration is intended for use
+with standalone XMPP clients and XMPP federation. If you only use Prosody as
+a backend for Jitsi Meet it is therefore recommended to also enable
+{option}`services.jitsi-meet.prosody.lockdown` option to disable unnecessary
+Prosody features such as federation or the file proxy.
+
 ## Configuration {#module-services-jitsi-configuration}

 Here is the minimal configuration with additional configurations:
@ -27,6 +34,7 @@ Here is the minimal configuration with additional configurations:
  services.jitsi-meet = {
    enable = true;
    hostName = "jitsi.example.com";
+    prosody.lockdown = true;
    config = {
      enableWelcomePage = false;
      prejoinPageEnabled = true;
--- a/nixos/modules/services/web-apps/jitsi-meet.nix
+++ b/nixos/modules/services/web-apps/jitsi-meet.nix
@ -175,11 +175,26 @@ in
    prosody.enable = mkOption {
      type = bool;
      default = true;
+      example = false;
      description = ''
        Whether to configure Prosody to relay XMPP messages between Jitsi Meet components. Turn this
        off if you want to configure it manually.
      '';
    };
+    prosody.lockdown = mkOption {
+      type = bool;
+      default = false;
+      example = true;
+      description = ''
+        Whether to disable Prosody features not needed by Jitsi Meet.
+
+        The default Prosody configuration assumes that it will be used as a
+        general-purpose XMPP server rather than as a companion service for
+        Jitsi Meet. This option reconfigures Prosody to only listen on
+        localhost without support for TLS termination, XMPP federation or
+        the file transfer proxy.
+      '';
+    };

    excalidraw.enable = mkEnableOption "Excalidraw collaboration backend for Jitsi";
    excalidraw.port = mkOption {
@ -211,7 +226,10 @@ in
        smacks = mkDefault true;
        tls = mkDefault true;
        websocket = mkDefault true;
+        proxy65 = mkIf cfg.prosody.lockdown (mkDefault false);
      };
+      httpInterfaces = mkIf cfg.prosody.lockdown (mkDefault [ "127.0.0.1" ]);
+      httpsPorts = mkIf cfg.prosody.lockdown (mkDefault []);
      muc = [
        {
          domain = "conference.${cfg.hostName}";
@ -300,7 +318,7 @@ in
            muc_component = "conference.${cfg.hostName}"
            breakout_rooms_component = "breakout.${cfg.hostName}"
        '')
-        (mkBefore ''
+        (mkBefore (''
          muc_mapper_domain_base = "${cfg.hostName}"

          cross_domain_websocket = true;
@ -310,7 +328,10 @@ in
            "focus@auth.${cfg.hostName}",
            "jvb@auth.${cfg.hostName}"
          }
-        '')
+        '' + optionalString cfg.prosody.lockdown ''
+          c2s_interfaces = { "127.0.0.1" };
+          modules_disabled = { "s2s" };
+        ''))
      ];
      virtualHosts.${cfg.hostName} = {
        enabled = true;