From 0fe7ab4924eeaf40fbef4bbe1022485c6f5f0dd6 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Wed, 4 Dec 2024 11:09:44 +0100 Subject: [PATCH] Small updates to LiveKit and coturn. --- matrix/coturn/README.md | 66 +++++++++++++++++------------------ matrix/element-call/README.md | 6 +++- 2 files changed, 37 insertions(+), 35 deletions(-) diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md index 5165a75..d1d81f3 100644 --- a/matrix/coturn/README.md +++ b/matrix/coturn/README.md @@ -56,7 +56,7 @@ coturn doesn't run as root. This prepares us for the next step: configuring the whole thing. -# DNS and certificate +# DNS and certificate {#dnscert} As stated before, we only use IPv4, so a CNAME to our machine that also does IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use @@ -72,7 +72,36 @@ certbot certonly --nginx -d turn.example.com This assumes you've already setup and started nginx (see [nginx](../nginx)). -Of course, when this certificate is renewed, coturn must be restarted! +The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't +run as root, and can't read them. Therefore we create the directory +`/etc/coturn/ssl` where we copy the files to. This script should be run after +each certificate renewal: + +``` +#!/bin/bash + +# This script is hooked after a renewal of the certificate, so +# that it's copied and chowned and made readable by coturn: + +cd /etc/coturn/ssl +cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem . +chown turnserver:turnserver *.pem + +# We should restart either coturn or LiveKit, they cannot run both! +systemctl restart coturn +#systemctl restart livekit-server + +``` + +Run this automatically after every renewal by adding this line to +`/etc/letsencrypt/renewal/turn.example.com.conf`: + +``` +renew_hook = /etc/coturn/fixssl +``` + +Yes, it's a bit primitive and could (should?) be polished. But for now: it +works. # Configuration {#configuration} 
@@ -138,35 +167,4 @@ no-tlsv1_1 All other options in the configuration file are either commented out, or defaults. -The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't -run as root, and can't read them. Therefore we create the directory -`/etc/coturn/ssl` where we copy the files to. This script should be run after -each certificate renewal: - -``` -#!/bin/bash - -# This script is hooked after a renewal of the certificate, so -# that it's copied and chowned and made readable by coturn: - -cd /etc/coturn/ssl -cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem . -chown turnserver:turnserver *.pem - -# We should restart either coturn or LiveKit, they cannot run both! -systemctl restart coturn -#systemctl restart livekit-server - -``` - -Run this automatically after every renewal by adding this line to -`/etc/letsencrypt/renewal/turn.example.com.conf`: - -``` -renew_hook = /etc/coturn/fixssl -``` - -Yes, it's a bit primitive and could (should?) be polished. But for now: it -works. - -Be sure to open the correct ports in the [firewall](../firewall). +Make sure you've opened the correct ports in the [firewall](../firewall). diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md index 90d9b95..71b03c6 100644 --- a/matrix/element-call/README.md +++ b/matrix/element-call/README.md @@ -183,7 +183,7 @@ rtc: enable_loopback_candidate: false turn: enabled: true - domain: livekit.procolix.com + domain: livekit.example.com cert_file: /etc/coturn/ssl/fullchain.pem key_file: /etc/coturn/ssl/privkey.pem tls_port: 5349 
@@ -199,6 +199,10 @@ The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable from the outside world. +The certificate files are not in the usual place under +`/etc/letsencrypt/live`, see [DNS and +certificate](../coturn/README.md#dnscert) why that is. + The `xxx: xxxx` is the key and secret as generated before. See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml)
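Review bot: The `{#dnscert}` suffix on `# DNS and certificate` is Pandoc/kramdown attribute syntax, which GitHub's renderer does not interpret; it will show the literal `{#dnscert}` in the heading and the `#dnscert` anchor will not exist there. The file already uses `{#configuration}` on the next heading, so the style is consistent, but confirm the site generator that publishes this README actually honours it, since the cross-link added in the element-call README depends on that anchor.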
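Review bot: The moved `fixssl` script restarts coturn unconditionally, even when the `cd` or `cp` fails, and never sets an explicit mode on the copied `privkey.pem`; if `cd /etc/coturn/ssl` fails, the `cp ... .` and `chown turnserver:turnserver *.pem` run in whatever the current directory is. Suggest `set -e` at the top, `cd /etc/coturn/ssl || exit 1`, and `chmod 600 privkey.pem` after the `chown`, so a failed copy does not restart coturn with stale or missing files and the private key stays readable only by `turnserver`. The text should also say where to save the script (the `renew_hook` line points at `/etc/coturn/fixssl`) and that it must be executable. Editing `/etc/letsencrypt/renewal/turn.example.com.conf` by hand works, but certbot's `--deploy-hook` option (or dropping the script into `/etc/letsencrypt/renewal-hooks/deploy/`) is the supported way to get the same effect and survives certbot rewriting that file.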
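Review bot: Replacing the real hostname `livekit.procolix.com` with `livekit.example.com` is the right fix for a public example, but the surrounding lines now show `domain: livekit.example.com` served with `/etc/coturn/ssl/fullchain.pem` and `privkey.pem`, which the coturn README obtains with `certbot certonly --nginx -d turn.example.com`. Unless that certificate also covers `livekit.example.com`, TLS to the TURN listener on port 5349 will fail hostname verification. Either use `domain: turn.example.com` here, or note that the certificate must include the LiveKit TURN hostname as a SAN.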
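Review bot: The new paragraph links to the coturn README for the certificate location but does not mention that a LiveKit deployment must also edit the `fixssl` hook, which as written runs `systemctl restart coturn` and has `systemctl restart livekit-server` commented out. A reader following only this README will get a renewed certificate copied into `/etc/coturn/ssl` while LiveKit keeps serving the old one; add a sentence telling them to swap the two `systemctl restart` lines. Adjacent nit in the context line: `port 443by nginx` is missing a space.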