(gnu services telephony) module contains Guix service
definitions for telephony services. Currently it provides the following
This section describes how to configure a Jami server that can be used to host video (or audio) conferences, among other uses. The following example demonstrates how to specify Jami account archives (backups) to be provisioned automatically:
(service jami-service-type (jami-configuration (accounts (list (jami-account (archive "/etc/jami/unencrypted-account-1.gz")) (jami-account (archive "/etc/jami/unencrypted-account-2.gz"))))))
When the accounts field is specified, the Jami account files of the service found under /var/lib/jami are recreated every time the service starts.
Jami accounts and their corresponding backup archives can be generated
jami-gnome Jami clients. The accounts
should not be password-protected, but it is wise to ensure their files
are only readable by ‘root’.
The next example shows how to declare that only some contacts should be allowed to communicate with a given account:
(service jami-service-type (jami-configuration (accounts (list (jami-account (archive "/etc/jami/unencrypted-account-1.gz") (peer-discovery? #t) (rendezvous-point? #t) (allowed-contacts '("1dbcb0f5f37324228235564b79f2b9737e9a008f" "2dbcb0f5f37324228235564b79f2b9737e9a008f")))))))
In this mode, only the declared
allowed-contacts can initiate
communication with the Jami account. This can be used, for example,
with rendezvous point accounts to create a private video conferencing
To put the system administrator in full control of the conferences hosted on their system, the Jami service supports the following actions:
# herd doc jami list-actions (list-accounts list-account-details list-banned-contacts list-contacts list-moderators add-moderator ban-contact enable-account disable-account)
The above actions aim to provide the most valuable actions for
moderation purposes, not to cover the whole Jami API. Users wanting to
interact with the Jami daemon from Guile may be interested in
experimenting with the
(gnu build jami-service) module, which
powers the above Shepherd actions.
ban-contact actions accept a contact
fingerprint (40 characters long hash) as first argument and an
account fingerprint or username as second argument:
# herd add-moderator jami 1dbcb0f5f37324228235564b79f2b9737e9a008f \ f3345f2775ddfe07a4b0d95daea111d15fbc1199 # herd list-moderators jami Moderators for account f3345f2775ddfe07a4b0d95daea111d15fbc1199: - 1dbcb0f5f37324228235564b79f2b9737e9a008f
In the case of
ban-contact, the second username argument is
optional; when omitted, the account is banned from all Jami accounts:
# herd ban-contact jami 1dbcb0f5f37324228235564b79f2b9737e9a008f # herd list-banned-contacts jami Banned contacts for account f3345f2775ddfe07a4b0d95daea111d15fbc1199: - 1dbcb0f5f37324228235564b79f2b9737e9a008f
Banned contacts are also stripped from their moderation privileges.
disable-account action allows to completely disconnect an
account from the network, making it unreachable, while
enable-account does the inverse. They accept a single account
username or fingerprint as first argument:
# herd disable-account jami f3345f2775ddfe07a4b0d95daea111d15fbc1199 # herd list-accounts jami The following Jami accounts are available: - f3345f2775ddfe07a4b0d95daea111d15fbc1199 (dummy) [disabled]
list-account-details action prints the detailed parameters of
each accounts in the Recutils format, which means the
command can be used to select accounts of interest (see Selection
Expressions in GNU recutils manual). Note that period
characters (‘.’) found in the account parameter keys are mapped to
underscores (‘_’) in the output, to meet the requirements of the
Recutils format. The following example shows how to print the account
fingerprints for all accounts operating in the rendezvous point mode:
# herd list-account-details jami | \ recsel -p Account.username -e 'Account.rendezVous ~ "true"' Account_username: f3345f2775ddfe07a4b0d95daea111d15fbc1199
The remaining actions should be self-explanatory.
The complete set of available configuration options is detailed below.
jami-configuration fields are:
libjami) (type: package)
The Jami daemon package to use.
dbus) (type: package)
The D-Bus package to use to start the required D-Bus session.
nss-certs) (type: package)
The nss-certs package to use to provide TLS certificates.
#t) (type: boolean)
Whether to enable logging to syslog.
#f) (type: boolean)
Whether to enable debug level messages.
#f) (type: boolean)
Whether to force automatic answer to incoming calls.
disabled) (type: maybe-jami-account-list)
A list of Jami accounts to be (re-)provisioned every time the Jami daemon service starts. When providing this field, the account directories under /var/lib/jami/ are recreated every time the service starts, ensuring a consistent state.
jami-account fields are:
The account archive (backup) file name of the account. This is used to provision the account when the service starts. The account archive should not be encrypted. It is highly recommended to make it readable only to the ‘root’ user (i.e., not in the store), to guard against leaking the secret key material of the Jami account it contains.
disabled) (type: maybe-account-fingerprint-list)
The list of allowed contacts for the account, entered as their 40 characters long fingerprint. Messages or calls from accounts not in that list will be rejected. When unspecified, the configuration of the account archive is used as-is with respect to contacts and public inbound calls/messaging allowance, which typically defaults to allow any contact to communicate with the account.
disabled) (type: maybe-account-fingerprint-list)
The list of contacts that should have moderation privileges (to ban, mute, etc. other users) in rendezvous conferences, entered as their 40 characters long fingerprint. When unspecified, the configuration of the account archive is used as-is with respect to moderation, which typically defaults to allow anyone to moderate.
disabled) (type: maybe-boolean)
Whether the account should operate in the rendezvous mode. In this mode, all the incoming audio/video calls are mixed into a conference. When left unspecified, the value from the account archive prevails.
disabled) (type: maybe-boolean)
Whether peer discovery should be enabled. Peer discovery is used to discover other OpenDHT nodes on the local network, which can be useful to maintain communication between devices on such network even when the connection to the the Internet has been lost. When left unspecified, the value from the account archive prevails.
disabled) (type: maybe-string-list)
A list of hostnames or IPs pointing to OpenDHT nodes, that should be used to initially join the OpenDHT network. When left unspecified, the value from the account archive prevails.
disabled) (type: maybe-string)
The URI of the name server to use, that can be used to retrieve the account fingerprint for a registered username.
This section describes how to set up and run a Murmur server. Murmur is the server of the Mumble voice-over-IP (VoIP) suite.
The service type for the Murmur server. An example configuration can look like this:
(service murmur-service-type (murmur-configuration (welcome-text "Welcome to this Mumble server running on Guix!") (cert-required? #t) ;disallow text password logins (ssl-cert "/etc/letsencrypt/live/mumble.example.com/fullchain.pem") (ssl-key "/etc/letsencrypt/live/mumble.example.com/privkey.pem")))
After reconfiguring your system, you can manually set the murmur
password with the command that is printed during the activation phase.
It is recommended to register a normal Mumble user account
and grant it admin or moderator rights.
You can use the
mumble client to
login as new normal user, register yourself, and log out.
For the next step login with the name
SuperUser password that you set previously,
and grant your newly registered mumble user administrator or moderator
rights and create some channels.
murmur-configuration fields are:
Package that contains
User who will run the Murmur server.
Group of the user who will run the murmur server.
Port on which the server will listen.
Welcome text sent to clients when they connect.
Password the clients have to enter in order to connect.
Maximum of users that can be connected to the server at once.
Maximum voice traffic a user can send per second.
File name of the sqlite database. The service’s user will become the owner of the directory.
File name of the log file. The service’s user will become the owner of the directory.
Maximum number of logins a user can make in
without getting auto banned for
Timeframe for autoban in seconds.
Amount of time in seconds for which a client gets banned when violating the autoban limits.
Percentage of clients that need to support opus before switching over to opus audio codec.
How deep channels can be nested at maximum.
A string in form of a Qt regular expression that channel names must conform to.
A string in form of a Qt regular expression that user names must conform to.
Maximum size in bytes that a user can send in one text chat message.
(* 128 1024))
Maximum size in bytes that a user can send in one image message.
If it is set to
#t clients that use weak password authentication
will not be accepted. Users must have completed the certificate wizard to join.
Should murmur remember the last channel each user was in when they disconnected and put them into the remembered channel when they rejoin.
Should html be allowed in text messages, user comments, and channel descriptions.
Setting to true exposes the current user count, the maximum user count, and the server’s maximum bandwidth per client to unauthenticated users. In the Mumble client, this information is shown in the Connect dialog.
Disabling this setting will prevent public listing of the server.
Should the server advertise itself in the local network through the bonjour protocol.
Should the murmur server version be exposed in ping requests.
Murmur also stores logs in the database, which are accessible via RPC. The default is 31 days of months, but you can set this setting to 0 to keep logs forever, or -1 to disable logging to the database.
Should logged ips be obfuscated to protect the privacy of users.
File name of the SSL/TLS certificate used for encrypted connections.
Filepath to the ssl private key used for encrypted connections.
File name of a PEM-encoded file with Diffie-Hellman parameters
for the SSL/TLS encryption. Alternatively you set it to
"@ffdhe8192" to use bundled parameters from RFC 7919.
ssl-ciphers option chooses the cipher suites to make available for use
This option is specified using OpenSSL cipher list notation.
It is recommended that you try your cipher string using ’openssl ciphers <string>’ before setting it here, to get a feel for which cipher suites you will get. After setting this option, it is recommend that you inspect your Murmur log to ensure that Murmur is using the cipher suites that you expected it to.
Note: Changing this option may impact the backwards compatibility of your Murmur server, and can remove the ability for older Mumble clients to be able to connect to it.
Must be a
<murmur-public-registration-configuration> record or
You can optionally register your server in the public server list that the
mumble client shows on startup.
You cannot register your server if you have set a
It might take a few hours until it shows up in the public list.
Optional alternative override for this configuration.
Configuration for public registration of a murmur service.
This is a display name for your server. Not to be confused with the hostname.
A password to identify your registration. Subsequent updates will need the same password. Don’t lose your password.
This should be a
https:// link to your web
By default your server will be listed by its IP address. If it is set your server will be linked by this host name instead.