Small updates to LiveKit and coturn.

This commit is contained in:
Hans van Zijst 2024-12-04 11:09:44 +01:00
parent 8337b4c1d5
commit 0fe7ab4924
Signed by: hans
GPG key ID: 43DBCC37BFDEFD72
2 changed files with 37 additions and 35 deletions

View file

@ -56,7 +56,7 @@ coturn doesn't run as root.
This prepares us for the next step: configuring the whole thing. This prepares us for the next step: configuring the whole thing.
# DNS and certificate # DNS and certificate {#dnscert}
As stated before, we only use IPv4, so a CNAME to our machine that also does As stated before, we only use IPv4, so a CNAME to our machine that also does
IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
@ -72,7 +72,36 @@ certbot certonly --nginx -d turn.example.com
This assumes you've already setup and started nginx (see [nginx](../nginx)). This assumes you've already setup and started nginx (see [nginx](../nginx)).
Of course, when this certificate is renewed, coturn must be restarted! The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
run as root, and can't read them. Therefore we create the directory
`/etc/coturn/ssl` where we copy the files to. This script should be run after
each certificate renewal:
```
#!/bin/bash
# This script is hooked after a renewal of the certificate, so
# that it's copied and chowned and made readable by coturn:
cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem
# We should restart either coturn or LiveKit, they cannot run both!
systemctl restart coturn
#systemctl restart livekit-server
```
Run this automatically after every renewal by adding this line to
`/etc/letsencrypt/renewal/turn.example.com.conf`:
```
renew_hook = /etc/coturn/fixssl
```
Yes, it's a bit primitive and could (should?) be polished. But for now: it
works.
# Configuration {#configuration} # Configuration {#configuration}
@ -138,35 +167,4 @@ no-tlsv1_1
All other options in the configuration file are either commented out, or All other options in the configuration file are either commented out, or
defaults. defaults.
The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't Make sure you've opened the correct ports in the [firewall](../firewall).
run as root, and can't read them. Therefore we create the directory
`/etc/coturn/ssl` where we copy the files to. This script should be run after
each certificate renewal:
```
#!/bin/bash
# This script is hooked after a renewal of the certificate, so
# that it's copied and chowned and made readable by coturn:
cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem
# We should restart either coturn or LiveKit, they cannot run both!
systemctl restart coturn
#systemctl restart livekit-server
```
Run this automatically after every renewal by adding this line to
`/etc/letsencrypt/renewal/turn.example.com.conf`:
```
renew_hook = /etc/coturn/fixssl
```
Yes, it's a bit primitive and could (should?) be polished. But for now: it
works.
Be sure to open the correct ports in the [firewall](../firewall).

View file

@ -183,7 +183,7 @@ rtc:
enable_loopback_candidate: false enable_loopback_candidate: false
turn: turn:
enabled: true enabled: true
domain: livekit.procolix.com domain: livekit.example.com
cert_file: /etc/coturn/ssl/fullchain.pem cert_file: /etc/coturn/ssl/fullchain.pem
key_file: /etc/coturn/ssl/privkey.pem key_file: /etc/coturn/ssl/privkey.pem
tls_port: 5349 tls_port: 5349
@ -199,6 +199,10 @@ The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is
forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable
from the outside world. from the outside world.
The certificate files are not in the usual place under
`/etc/letsencrypt/live`, see [DNS and
certificate](../coturn/README.md#dnscert) why that is.
The `xxx: xxxx` is the key and secret as generated before. The `xxx: xxxx` is the key and secret as generated before.
See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml) See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml)