Prosody and ACME (for Jitsi): trouble with key permissions

Here is my jitsi.nix:

# Adapted from
# https://nixos.org/manual/nixos/stable/#module-services-jitsi-meet
# https://nixos.org/manual/nixos/stable/#module-services-prosody
# https://discourse.nixos.org/t/setting-up-authentication-on-a-jitsi-server/17549
# https://github.com/NixOS/nixpkgs/issues/141641#issuecomment-1780184369
{ config, lib, pkgs, ... }:
let
  jitsi_fqdn = "jitsi.example.com";
in {
  services.jitsi-meet = {
    enable = true;
    hostName = jitsi_fqdn;
    prosody.lockdown = true;
    config = {
      authdomain = jitsi_fqdn;
      enableWelcomePage = false;
      prejoinPageEnabled = true;
      defaultLang = "fi";
      hosts = {
        domain = jitsi_fqdn;
        anonymousdomain = "guests.${jitsi_fqdn}";
      };
    };
    interfaceConfig = {
      SHOW_JITSI_WATERMARK = false;
      SHOW_WATERMARK_FOR_GUESTS = false;
    };
  };
  services.jitsi-videobridge = {
    enable = true;
    openFirewall = true;
  };
  services.prosody = {
    allowRegistration = true;
    ssl.cert = "/var/lib/acme/${jitsi_fqdn}/fullchain.pem";
    ssl.key = "/var/lib/acme/${jitsi_fqdn}/key.pem";
    virtualHosts = {
      "${jitsi_fqdn}" = {
        enabled = true;
        domain = "${jitsi_fqdn}";
        extraConfig = ''
          authentication = "internal_hashed"
          c2s_require_encryption = false
          admins = { "focus@auth.${jitsi_fqdn}" }
          smacks_max_unacked_stanzas = 5
          smacks_hibernation_time = 60
          smacks_max_hibernated_sessions = 1
          smacks_max_old_sessions = 1
          '';
      };
      "guests.${jitsi_fqdn}" = {
        enabled = true;
        domain = "guests.${jitsi_fqdn}";
        extraConfig = ''
          authentication = "anonymous"
          c2s_require_encryption = false
          '';
      };
    };
  };
  services.jicofo = {
    enable = true;
    config = {
      jicofo = {
        authentication = {
          enabled = true;
          type = "XMPP";
          login-url = "${jitsi_fqdn}";
        };
        xmpp = {
          client = {
            client-proxy = "focus.${jitsi_fqdn}";
          };
        };
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "me@example.com";
    defaults.group = "prosody";
  };
}

When running prosodyctl register, I get these errors:

certmanager         error       Error indexing certificate directory /etc/prosody/certs: cannot open /etc/prosody/certs: No such file or directory
certmanager         error       SSL/TLS: Failed to load '/var/lib/acme/jitsi.example.com/key.pem': Check that the file exists and the permissions are correct (for client_https port 0)

The acme dirs and files are owned by group nginx:

$ ls -l /var/lib/acme/
total 8
drwxr-xr-x 3 acme nginx 4096 May  3 16:52 acme-challenge
drwxr-x--- 2 acme nginx 4096 May  3 16:52 jitsi.example.com

When building, I had not initially set defaults.group = "prosody" for acme. The group stays as nginx even if I remove the dirs and rebuild. The dir and file timestamps also seem to be from the earlier build, as if they are resurrected from somewhere. What could be the reason?

Edit: uff, now I realise doing this will mess up all my other sites, which run under Caddy. Those certs are under /var/lib/caddy/.local/share/caddy/certificates/. I wonder how to solve this.

Edit2: probably I should focus on clues like this for now: Jitsi Meet Caddy Config Error! - Help - Caddy Community
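
An added diagnostic example, not part of the original post: a small shell script that walks the path to the key and reports the first component whose mode bits deny a given user. For the listing above it would stop at `jitsi.example.com`, which is `drwxr-x--- acme nginx`. The function names `may_access` and `first_block` are made up for this sketch, which assumes GNU `stat` and ignores ACLs.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original post.
# Requires GNU stat (coreutils). Run as root so every component can be stat'ed.

# may_access MODE OWNER GROUP USER "USER_GROUPS" BIT
# MODE: octal digits as printed by `stat -c %a` (e.g. 750 or 2750).
# BIT: 4 = read, 1 = search (traverse a directory).
# Succeeds if the one permission class that applies to USER grants BIT.
# ACLs and root's override are not modelled.
may_access() {
    ma_perms=$(printf '%03d' "$(( $1 % 1000 ))")   # drop setuid/setgid/sticky
    ma_rest=${ma_perms#?}
    if [ "$4" = "$2" ]; then
        ma_digit=${ma_perms%??}                     # owner class
    else
        ma_digit=${ma_perms#??}                     # other class by default
        for ma_g in $5; do
            if [ "$ma_g" = "$3" ]; then ma_digit=${ma_rest%?}; fi  # group class
        done
    fi
    [ $(( ma_digit & $6 )) -ne 0 ]
}

# first_block USER FILE
# Walks FILE from / downwards and prints the first component USER cannot
# traverse (directories) or read (the final file). Returns 0 if none blocks.
# Symlinks are followed, but the target's own parent directories are not walked.
first_block() {
    fb_user=$1 fb_target=$2 fb_path=
    fb_groups=$(id -Gn "$fb_user") || return 2
    fb_ifs=$IFS; IFS=/
    set -- $fb_target
    IFS=$fb_ifs
    for fb_part in "$@"; do
        [ -n "$fb_part" ] || continue
        fb_path="$fb_path/$fb_part"
        fb_meta=$(stat -L -c '%a %U %G' "$fb_path") || return 2
        if [ -d "$fb_path" ]; then fb_need=1; else fb_need=4; fi
        if ! may_access $fb_meta "$fb_user" "$fb_groups" "$fb_need"; then
            echo "$fb_user is blocked at $fb_path (mode owner group: $fb_meta)"
            return 1
        fi
    done
    echo "$fb_user can read $fb_target"
}

# Usage: sh check-key-access.sh prosody /var/lib/acme/jitsi.example.com/key.pem
if [ "$#" -eq 2 ]; then first_block "$1" "$2"; fi
```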