hans/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

Small updates to LiveKit and coturn.

Browse source
This commit is contained in:
Hans van Zijst 2024-12-04 11:09:44 +01:00
parent 8337b4c1d5
commit 0fe7ab4924
Signed by: hans
GPG key ID: 43DBCC37BFDEFD72
2 changed files with 37 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
matrix/coturn/README.md
View file

@ -56,7 +56,7 @@ coturn doesn't run as root.
This prepares us for the next step: configuring the whole thing.
# DNS and certificate
# DNS and certificate {#dnscert}
As stated before, we only use IPv4, so a CNAME to our machine that also does
IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
@ -72,7 +72,36 @@ certbot certonly --nginx -d turn.example.com
This assumes you've already setup and started nginx (see [nginx](../nginx)).
Of course, when this certificate is renewed, coturn must be restarted!
The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
run as root, and can't read them. Therefore we create the directory
`/etc/coturn/ssl` where we copy the files to. This script should be run after
each certificate renewal:
```
#!/bin/bash
# This script is hooked after a renewal of the certificate, so
# that it's copied and chowned and made readable by coturn:
cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem
# We should restart either coturn or LiveKit, they cannot run both!
systemctl restart coturn
#systemctl restart livekit-server
```
Run this automatically after every renewal by adding this line to
`/etc/letsencrypt/renewal/turn.example.com.conf`:
```
renew_hook = /etc/coturn/fixssl
```
Yes, it's a bit primitive and could (should?) be polished. But for now: it
works.
# Configuration {#configuration}
@ -138,35 +167,4 @@ no-tlsv1_1
All other options in the configuration file are either commented out, or
defaults.
The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
run as root, and can't read them. Therefore we create the directory
`/etc/coturn/ssl` where we copy the files to. This script should be run after
each certificate renewal:
```
#!/bin/bash
# This script is hooked after a renewal of the certificate, so
# that it's copied and chowned and made readable by coturn:
cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem
# We should restart either coturn or LiveKit, they cannot run both!
systemctl restart coturn
#systemctl restart livekit-server
```
Run this automatically after every renewal by adding this line to
`/etc/letsencrypt/renewal/turn.example.com.conf`:
```
renew_hook = /etc/coturn/fixssl
```
Yes, it's a bit primitive and could (should?) be polished. But for now: it
works.
Be sure to open the correct ports in the [firewall](../firewall).
Make sure you've opened the correct ports in the [firewall](../firewall).

6
matrix/element-call/README.md
View file

@ -183,7 +183,7 @@ rtc:
enable_loopback_candidate: false
turn:
enabled: true
domain: livekit.procolix.com
domain: livekit.example.com
cert_file: /etc/coturn/ssl/fullchain.pem
key_file: /etc/coturn/ssl/privkey.pem
tls_port: 5349
@ -199,6 +199,10 @@ The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is
forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable
from the outside world.
The certificate files are not in the usual place under
`/etc/letsencrypt/live`, see [DNS and
certificate](../coturn/README.md#dnscert) why that is.
The `xxx: xxxx` is the key and secret as generated before.
See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml)