jitsi-meet: Default NAT harvester, Excalidraw Caddy, Prosody lockdown (#280615)

2025-07-14 14:10:33 +03:00 · 2024-10-02 21:08:06 +01:00 · 2024-10-02 21:08:06 +01:00 · def08aa2e3
commit def08aa2e3
parent 0b86640b43 40c1971b82
4 changed files with 88 additions and 11 deletions
--- a/nixos/modules/services/web-apps/jitsi-meet.md
+++ b/nixos/modules/services/web-apps/jitsi-meet.md
@ -19,6 +19,13 @@ A minimal configuration using Let's Encrypt for TLS certificates looks like this
 }
 ```

+Jitsi Meet depends on the Prosody XMPP server only for message passing from
+the web browser while the default Prosody configuration is intended for use
+with standalone XMPP clients and XMPP federation. If you only use Prosody as
+a backend for Jitsi Meet it is therefore recommended to also enable
+{option}`services.jitsi-meet.prosody.lockdown` option to disable unnecessary
+Prosody features such as federation or the file proxy.
+
 ## Configuration {#module-services-jitsi-configuration}

 Here is the minimal configuration with additional configurations:
@ -27,6 +34,7 @@ Here is the minimal configuration with additional configurations:
  services.jitsi-meet = {
    enable = true;
    hostName = "jitsi.example.com";
+    prosody.lockdown = true;
    config = {
      enableWelcomePage = false;
      prejoinPageEnabled = true;
--- a/nixos/modules/services/web-apps/jitsi-meet.nix
+++ b/nixos/modules/services/web-apps/jitsi-meet.nix
@ -175,11 +175,26 @@ in
    prosody.enable = mkOption {
      type = bool;
      default = true;
+      example = false;
      description = ''
        Whether to configure Prosody to relay XMPP messages between Jitsi Meet components. Turn this
        off if you want to configure it manually.
      '';
    };
+    prosody.lockdown = mkOption {
+      type = bool;
+      default = false;
+      example = true;
+      description = ''
+        Whether to disable Prosody features not needed by Jitsi Meet.
+
+        The default Prosody configuration assumes that it will be used as a
+        general-purpose XMPP server rather than as a companion service for
+        Jitsi Meet. This option reconfigures Prosody to only listen on
+        localhost without support for TLS termination, XMPP federation or
+        the file transfer proxy.
+      '';
+    };

    excalidraw.enable = mkEnableOption "Excalidraw collaboration backend for Jitsi";
    excalidraw.port = mkOption {
@ -211,7 +226,10 @@ in
        smacks = mkDefault true;
        tls = mkDefault true;
        websocket = mkDefault true;
+        proxy65 = mkIf cfg.prosody.lockdown (mkDefault false);
      };
+      httpInterfaces = mkIf cfg.prosody.lockdown (mkDefault [ "127.0.0.1" ]);
+      httpsPorts = mkIf cfg.prosody.lockdown (mkDefault []);
      muc = [
        {
          domain = "conference.${cfg.hostName}";
@ -232,7 +250,7 @@ in
          extraConfig = ''
            restrict_room_creation = true
            storage = "memory"
-            admins = { "focus@auth.${cfg.hostName}" }
+            admins = { "focus@auth.${cfg.hostName}", "jvb@auth.${cfg.hostName}" }
          '';
        }
        {
@ -300,7 +318,7 @@ in
            muc_component = "conference.${cfg.hostName}"
            breakout_rooms_component = "breakout.${cfg.hostName}"
        '')
-        (mkBefore ''
+        (mkBefore (''
          muc_mapper_domain_base = "${cfg.hostName}"

          cross_domain_websocket = true;
@ -310,7 +328,10 @@ in
            "focus@auth.${cfg.hostName}",
            "jvb@auth.${cfg.hostName}"
          }
-        '')
+        '' + optionalString cfg.prosody.lockdown ''
+          c2s_interfaces = { "127.0.0.1" };
+          modules_disabled = { "s2s" };
+        ''))
      ];
      virtualHosts.${cfg.hostName} = {
        enabled = true;
@ -444,7 +465,29 @@ in
        Type = "simple";
        ExecStart = "${pkgs.jitsi-excalidraw}/bin/jitsi-excalidraw-backend";
        Restart = "on-failure";
+
+        DynamicUser = true;
        Group = "jitsi-meet";
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectProc = true;
+        ProtectKernelLogs = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallFilter = [ "@system-service @pkey" "~@privileged" ];
      };
    };

@ -513,7 +556,11 @@ in
            cp ${overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig ""} $out/interface_config.js
            cp ./libs/external_api.min.js $out/external_api.js
          '';
-        in ''
+        in (optionalString cfg.excalidraw.enable ''
+          handle /socket.io/ {
+            reverse_proxy 127.0.0.1:${toString cfg.excalidraw.port}
+          }
+        '') + ''
          handle /http-bind {
            header Host ${cfg.hostName}
            reverse_proxy 127.0.0.1:5280