From 7d55e4e40a775532703ed29de1155629d1525890 Mon Sep 17 00:00:00 2001
From: Katharina Heidenreich
Date: Wed, 8 Apr 2026 11:42:43 +0200
Subject: [PATCH] fix: update livekit endpoints and add TURN server configuration

---
 config/endpoints/livekit_local.nix | 26 ++++++++++++--
 config/endpoints/pi_tunnel.nix | 9 +++++
 config/services.nix | 4 +++
 intermediate/nginx.nix | 2 +-
 services/livekit.nix | 58 +++++++++++++++++++++++++-----
 5 files changed, 88 insertions(+), 11 deletions(-)

diff --git a/config/endpoints/livekit_local.nix b/config/endpoints/livekit_local.nix
index 0b19f65..43305bc 100644
--- a/config/endpoints/livekit_local.nix
+++ b/config/endpoints/livekit_local.nix
@@ -7,7 +7,7 @@ in
 type = "proxy";
 listenPort = 443;
 domain = cfg.domain;
- endpoint = "/livekit/jwt/";
+ endpoint = "/sfu/get";
 force_ssl = true;
 content = {
 host = "127.0.0.1";
@@ -18,7 +18,29 @@ in
 type = "proxy";
 listenPort = 443;
 domain = cfg.domain;
- endpoint = "/livekit/sfu/";
+ endpoint = "/healthz";
+ force_ssl = true;
+ content = {
+ host = "127.0.0.1";
+ port = cfg.jwt_port;
+ };
+ }
+ {
+ type = "proxy";
+ listenPort = 443;
+ domain = cfg.domain;
+ endpoint = "/get_token";
+ force_ssl = true;
+ content = {
+ host = "127.0.0.1";
+ port = cfg.jwt_port;
+ };
+ }
+ {
+ type = "proxy";
+ listenPort = 443;
+ domain = cfg.domain;
+ endpoint = "/";
 force_ssl = true;
 content = {
 host = "127.0.0.1";
diff --git a/config/endpoints/pi_tunnel.nix b/config/endpoints/pi_tunnel.nix
index 96e4187..4e997e4 100644
--- a/config/endpoints/pi_tunnel.nix
+++ b/config/endpoints/pi_tunnel.nix
@@ -8,6 +8,15 @@ let
 domain = "vikunja.nudelerde.de";
 tls = true;
 }
+ {
+ port = 80;
+ domain = "wekan.nudelerde.de";
+ }
+ {
+ port = 443;
+ domain = "wekan.nudelerde.de";
+ tls = true;
+ }
 {
 port = 80;
 domain = "nudelerde.de";
diff --git a/config/services.nix b/config/services.nix
index edf0a4a..9c8344e 100644
--- a/config/services.nix
+++ b/config/services.nix
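Review bot: The new `endpoint = "/"` entry turns all of cfg.domain into a proxy to the backend, and its `content` block (host, port and any `websocket` flag) continues past the end of the hunk, so it is not visible here whether `websocket = true` is set on it; intermediate/nginx.nix only emits `proxyWebsockets = true` when `endpoint.content.websocket` is set, and `publicUrl` in services/livekit.nix is now `wss://${cfg.domain}`, so without that flag the signalling WebSocket upgrade at the root path would presumably not be forwarded. The `/healthz` and `/get_token` paths are also newly reachable from the internet through the 443 vhost; a one-line comment above each entry naming which service and route it exposes, e.g. `# lk-jwt-service health check, reachable publicly by design`, would make that exposure deliberate rather than incidental. The catch-all is listed last, but nginx selects prefix locations by longest match rather than list order, so the more specific paths should keep winning regardless of position.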
@@ -15,5 +15,9 @@
 trusted_homeservers = [ "nudelerde.de" ];
 rtc_port_range_start = 50000;
 rtc_port_range_end = 51000;
+ turn_port = 3478;
+ turn_tls_port = 5349;
+ turn_relay_range_start = 50300;
+ turn_relay_range_end = 50400;
 };
 }
\ No newline at end of file
diff --git a/intermediate/nginx.nix b/intermediate/nginx.nix
index e0af85b..17075b4 100644
--- a/intermediate/nginx.nix
+++ b/intermediate/nginx.nix
@@ -96,7 +96,7 @@ let
 forceSSL = false;
 };
 location = {
- proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}/";
+ proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}";
 } // lib.optionalAttrs (endpoint.content ? websocket && endpoint.content.websocket) {
 proxyWebsockets = true;
 };
diff --git a/services/livekit.nix b/services/livekit.nix
index c3c75b8..4e45cf0 100644
--- a/services/livekit.nix
+++ b/services/livekit.nix
@@ -1,9 +1,10 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 serviceConfig = import ../config/services.nix;
 cfg = serviceConfig.livekit;
 keyFile = cfg.keyFile;
- publicUrl = "wss://${cfg.domain}/livekit/sfu/";
+ acmeDir = config.security.acme.certs.${cfg.domain}.directory;
+ publicUrl = "wss://${cfg.domain}";
 trustedHomeservers =
 if builtins.isList cfg.trusted_homeservers
 then cfg.trusted_homeservers
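Review bot: `turn_relay_range_start = 50300` / `turn_relay_range_end = 50400` lies inside the existing `rtc_port_range_start = 50000` … `rtc_port_range_end = 51000` range, so the ICE/RTC port pool and the TURN relay pool are drawn from the same UDP ports and can collide on bind at runtime; services/livekit.nix (hunk `@@ -23,9 +24,28 @@`) feeds both pools from these values, and the firewall hunk (`@@ -49,4 +76,19 @@`) consequently lists the overlapping ports twice. Move the relay range outside the RTC range, e.g. `turn_relay_range_start = 51001;` / `turn_relay_range_end = 51100;`, and record the constraint next to it, `# must not overlap rtc_port_range_start..rtc_port_range_end`. The file still ends without a trailing newline, which the diff flags on the closing `}`.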
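Review bot: Dropping the trailing slash from `proxyPass` changes forwarding for every `type = "proxy"` endpoint rendered by this file, not only the livekit ones: with the slash nginx replaced the matched location prefix (a request to `/livekit/jwt/foo` reached the backend as `/foo`), without it the full request URI is passed through unchanged. The livekit endpoints were moved to root-level paths in the same commit and so are consistent with the new behaviour, but any other endpoint in the repo that relied on prefix stripping now sends its prefix to the backend; those endpoint files are not in this patch, so this is worth confirming before merging. If both behaviours are needed, a per-endpoint opt-in next to the existing `websocket` check, e.g. `lib.optionalString (endpoint.content ? stripPrefix && endpoint.content.stripPrefix) "/"` appended to the URL, would keep the old semantics available. The enclosing `let` starts before the hunk and continues after it.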
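Review bot: `acmeDir = config.security.acme.certs.${cfg.domain}.directory` assumes a certificate named after cfg.domain is declared elsewhere (presumably by the nginx vhost via ACME); if it is not, evaluation fails with a missing-attribute error at the `LoadCredential` use site later in the file, far from this binding. A comment on the binding would make the dependency explicit: `# NOTE(review): requires security.acme.certs.${cfg.domain} to be declared (nginx vhost) — evaluation fails otherwise`. The `let` block continues past the end of the hunk.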
@@ -23,9 +24,28 @@ in
 port_range_start = cfg.rtc_port_range_start;
 port_range_end = cfg.rtc_port_range_end;
 };
+ turn = {
+ enabled = true;
+ udp_port = cfg.turn_port;
+ tls_port = cfg.turn_tls_port;
+ relay_range_start = cfg.turn_relay_range_start;
+ relay_range_end = cfg.turn_relay_range_end;
+ domain = cfg.domain;
+ cert_file = "/run/credentials/livekit.service/turn-cert";
+ key_file = "/run/credentials/livekit.service/turn-key";
+ };
 };
 };
 
+ # Provide ACME cert/key to livekit via systemd credentials.
+ systemd.services.livekit.serviceConfig.LoadCredential = lib.mkIf cfg.enable (lib.mkAfter [
+ "turn-cert:${acmeDir}/full.pem"
+ "turn-key:${acmeDir}/key.pem"
+ ]);
+
+ # Restart livekit when ACME renews the cert used for built-in TURN TLS.
+ security.acme.certs.${cfg.domain}.postRun = lib.mkIf cfg.enable "systemctl restart livekit.service";
+
 services.lk-jwt-service = lib.mkIf cfg.enable {
 enable = true;
 livekitUrl = publicUrl;
@@ -34,13 +54,20 @@ in
 };
 
 systemd.services.livekit-key = lib.mkIf cfg.enable {
- before = [ "lk-jwt-service.service" "livekit.service" ];
+ before = [
+ "lk-jwt-service.service"
+ "livekit.service"
+ ];
 wantedBy = [ "multi-user.target" ];
- path = with pkgs; [ livekit coreutils gawk ];
+ path = with pkgs; [
+ livekit
+ coreutils
+ gawk
+ ];
 script = ''
- echo "Key missing, generating key"
- mkdir -p "$(dirname "${keyFile}")"
- echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
+ echo "Key missing, generating key"
+ mkdir -p "$(dirname "${keyFile}")"
+ echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
 '';
 serviceConfig.Type = "oneshot";
 unitConfig.ConditionPathExists = "!${keyFile}";
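Review bot: `security.acme.certs.${cfg.domain}.postRun` is a single string option, so if any other module (the nginx vhost that owns this certificate, for instance) also sets `postRun` for the same cert the two definitions conflict at evaluation time rather than merging, and a shell snippet run as root on every renewal is a broader hook than a restart needs. The list-typed `security.acme.certs.${cfg.domain}.reloadServices = lib.mkIf cfg.enable [ "livekit.service" ];` merges with other modules' entries and restarts a unit that has no reload action, which is what is needed here because `LoadCredential` reads the files at unit start. Handing the private key to the service through `LoadCredential` instead of a readable path is the right choice; a comment on `cert_file`/`key_file` saying that `/run/credentials/livekit.service/` is populated from the `LoadCredential` entries below would tie the two halves together for the next reader. The enclosing attribute set (the livekit server settings) starts before the hunk.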
@@ -49,4 +76,19 @@ in
 systemd.services.lk-jwt-service = lib.mkIf cfg.enable {
 environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv;
 };
-}
\ No newline at end of file
+
+ # Open firewall for livekit RTC ports
+ networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable (
+ (lib.range cfg.rtc_port_range_start cfg.rtc_port_range_end)
+ ++ (lib.range cfg.turn_relay_range_start cfg.turn_relay_range_end)
+ ++ [ cfg.turn_port ]
+ );
+
+ # Open firewall for livekit API/JWT and TURN TCP/TLS ports
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
+ 7880
+ 7881
+ cfg.turn_port
+ cfg.turn_tls_port
+ ];
+}
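Review bot: `allowedTCPPorts` opens `7880` to the internet, yet 7880 is the LiveKit plain-HTTP/WebSocket API port that this same commit puts behind the nginx vhost on 443 (`publicUrl = "wss://${cfg.domain}"`), so exposing it directly gives clients an unencrypted path that bypasses TLS and the proxy; unless something is known to connect to 7880 directly, only `7881` (ICE over TCP) and the TURN ports need listing, and both hard-coded numbers would read better with a comment saying what they are. On the UDP side, expanding roughly 1100 ports through `lib.range` yields one firewall rule per port and lists the TURN relay range twice because it sits inside the RTC range as configured in config/services.nix; `networking.firewall.allowedUDPPortRanges` expresses both pools as two range rules and keeps `allowedUDPPorts` for the single TURN port. The closing `}` ends the module, so the rewrite below is self-contained.
```nix
  # Open firewall for livekit RTC and TURN relay UDP ranges (one rule per range)
  networking.firewall.allowedUDPPortRanges = lib.mkIf cfg.enable [
    { from = cfg.rtc_port_range_start; to = cfg.rtc_port_range_end; }
    { from = cfg.turn_relay_range_start; to = cfg.turn_relay_range_end; }
  ];
  networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ cfg.turn_port ];

  # ICE/TCP and TURN TCP/TLS ports. 7880 (plain HTTP API) is deliberately not
  # opened: clients reach it through the 443 proxy; re-add only if something
  # must connect to it directly.
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
    7881
    cfg.turn_port
    cfg.turn_tls_port
  ];
```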