Small updates to LiveKit and coturn.

2024-12-04 11:09:44 +01:00 · 2024-12-04 11:09:44 +01:00 · 0fe7ab4924
parent 8337b4c1d5
commit 0fe7ab4924
2 changed files with 37 additions and 35 deletions
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@ -56,7 +56,7 @@ coturn doesn't run as root.
 This prepares us for the next step: configuring the whole thing.
-# DNS and certificate
+# DNS and certificate {#dnscert}
 As stated before, we only use IPv4, so a CNAME to our machine that also does
 IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
@ -72,7 +72,36 @@ certbot certonly --nginx -d turn.example.com
 This assumes you've already setup and started nginx (see [nginx](../nginx)).
-Of course, when this certificate is renewed, coturn must be restarted!
+The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
 run as root, and can't read them. Therefore we create the directory
 `/etc/coturn/ssl` where we copy the files to. This script should be run after
 each certificate renewal:
 ```
 #!/bin/bash
 # This script is hooked after a renewal of the certificate, so
 # that it's copied and chowned and made readable by coturn:
 cd /etc/coturn/ssl
 cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
 chown turnserver:turnserver *.pem
 # We should restart either coturn or LiveKit, they cannot run both!
 systemctl restart coturn
 #systemctl restart livekit-server
 ```
 Run this automatically after every renewal by adding this line to
 `/etc/letsencrypt/renewal/turn.example.com.conf`:
 ```
 renew_hook = /etc/coturn/fixssl
 ```
 Yes, it's a bit primitive and could (should?) be polished. But for now: it
 works.
 # Configuration {#configuration}
@ -138,35 +167,4 @@ no-tlsv1_1
 All other options in the configuration file are either commented out, or
 defaults.
-The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
+Make sure you've opened the correct ports in the [firewall](../firewall).
 run as root, and can't read them. Therefore we create the directory
 `/etc/coturn/ssl` where we copy the files to. This script should be run after
 each certificate renewal:
 ```
 #!/bin/bash
 # This script is hooked after a renewal of the certificate, so
 # that it's copied and chowned and made readable by coturn:
 cd /etc/coturn/ssl
 cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
 chown turnserver:turnserver *.pem
 # We should restart either coturn or LiveKit, they cannot run both!
 systemctl restart coturn
 #systemctl restart livekit-server
 ```
 Run this automatically after every renewal by adding this line to
 `/etc/letsencrypt/renewal/turn.example.com.conf`:
 ```
 renew_hook = /etc/coturn/fixssl
 ```
 Yes, it's a bit primitive and could (should?) be polished. But for now: it
 works.
 Be sure to open the correct ports in the [firewall](../firewall).
--- a/matrix/element-call/README.md
+++ b/matrix/element-call/README.md
@ -183,7 +183,7 @@ rtc:
    enable_loopback_candidate: false
 turn:
    enabled: true
-    domain: livekit.procolix.com
+    domain: livekit.example.com
    cert_file: /etc/coturn/ssl/fullchain.pem
    key_file: /etc/coturn/ssl/privkey.pem
    tls_port: 5349
@ -199,6 +199,10 @@ The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is
 forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable
 from the outside world.
 The certificate files are not in the usual place under
 `/etc/letsencrypt/live`, see [DNS and
 certificate](../coturn/README.md#dnscert) why that is.
 The `xxx: xxxx` is the key and secret as generated before.
 See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml)