fix: update livekit endpoints and add TURN server configuration

Katharina Heidenreich 2026-04-08 11:42:43 +02:00
parent eee6905637
commit 7d55e4e40a
5 changed files with 88 additions and 11 deletions


@ -7,7 +7,7 @@ in
type = "proxy"; type = "proxy";
listenPort = 443; listenPort = 443;
domain = cfg.domain; domain = cfg.domain;
endpoint = "/livekit/jwt/"; endpoint = "/sfu/get";
force_ssl = true; force_ssl = true;
content = { content = {
host = "127.0.0.1"; host = "127.0.0.1";
@ -18,7 +18,29 @@ in
type = "proxy"; type = "proxy";
listenPort = 443; listenPort = 443;
domain = cfg.domain; domain = cfg.domain;
endpoint = "/livekit/sfu/"; endpoint = "/healthz";
force_ssl = true;
content = {
host = "127.0.0.1";
port = cfg.jwt_port;
};
}
{
type = "proxy";
listenPort = 443;
domain = cfg.domain;
endpoint = "/get_token";
force_ssl = true;
content = {
host = "127.0.0.1";
port = cfg.jwt_port;
};
}
{
type = "proxy";
listenPort = 443;
domain = cfg.domain;
endpoint = "/";
force_ssl = true; force_ssl = true;
content = { content = {
host = "127.0.0.1"; host = "127.0.0.1";
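Review bot: The new `/` catch-all entry (L41–L45) is the one the SFU signalling connection at `wss://<domain>` will reach, but its `content` block is cut off at the end of the hunk, so it is not visible whether it sets `websocket = true`; the shared proxy module only emits `proxyWebsockets = true` when that flag is present, and without it the WebSocket upgrade would not be forwarded, so please confirm it is set. The `/healthz` entry (L23) also publishes the JWT service's health endpoint on the public domain, which is presumably intended but worth a short comment such as `# /healthz is exposed publicly on purpose (used by clients/monitoring)`. As a point of style, the three JWT-service entries differ only in `endpoint`, so they could be produced with `map (endpoint: { type = "proxy"; listenPort = 443; inherit (cfg) domain; inherit endpoint; force_ssl = true; content = { host = "127.0.0.1"; port = cfg.jwt_port; }; }) [ "/sfu/get" "/healthz" "/get_token" ]` instead of three repeated attrsets.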


@ -8,6 +8,15 @@ let
domain = "vikunja.nudelerde.de"; domain = "vikunja.nudelerde.de";
tls = true; tls = true;
} }
{
port = 80;
domain = "wekan.nudelerde.de";
}
{
port = 443;
domain = "wekan.nudelerde.de";
tls = true;
}
{ {
port = 80; port = 80;
domain = "nudelerde.de"; domain = "nudelerde.de";


@ -15,5 +15,9 @@
trusted_homeservers = [ "nudelerde.de" ]; trusted_homeservers = [ "nudelerde.de" ];
rtc_port_range_start = 50000; rtc_port_range_start = 50000;
rtc_port_range_end = 51000; rtc_port_range_end = 51000;
turn_port = 3478;
turn_tls_port = 5349;
turn_relay_range_start = 50300;
turn_relay_range_end = 50400;
}; };
} }
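Review bot: The new TURN relay range 50300–50400 (L77–L78) lies entirely inside the existing RTC port range 50000–51000 (L73–L74); both are UDP ports bound by the same livekit process, so ICE and the built-in TURN relay may contend for the same ports, which is hard to diagnose when it happens. Pick a range disjoint from the RTC range, for example (constructed values) `turn_relay_range_start = 52000;` and `turn_relay_range_end = 52100;`, and add a one-line comment such as `# must not overlap rtc_port_range_*` so the constraint is visible next to the numbers. The overlap also shows up in the firewall rules added in the livekit module of this commit, where the relay range is appended to the already-open RTC range and yields duplicate port entries.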


@ -96,7 +96,7 @@ let
forceSSL = false; forceSSL = false;
}; };
location = { location = {
proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}/"; proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}";
} // lib.optionalAttrs (endpoint.content ? websocket && endpoint.content.websocket) { } // lib.optionalAttrs (endpoint.content ? websocket && endpoint.content.websocket) {
proxyWebsockets = true; proxyWebsockets = true;
}; };
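Review bot: Removing the trailing slash from `proxyPass` (L88) changes nginx semantics for every consumer of this shared module, not only the livekit endpoints: with a URI part (`.../`) nginx replaces the matched `location` prefix before forwarding, without it the original request URI is passed through unchanged. That is what the new `/sfu/get`, `/healthz` and `/get_token` entries need, but any other service that relied on its endpoint prefix being stripped would now receive the full path; I cannot see other consumers from this hunk, so please check them. Since the intent is not obvious from the line, add `# No trailing slash: forward the request URI unchanged (a URI on proxy_pass would strip the location prefix).` above the `proxyPass` line. The enclosing `let` binding starts before this hunk.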


@ -1,9 +1,10 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
serviceConfig = import ../config/services.nix; serviceConfig = import ../config/services.nix;
cfg = serviceConfig.livekit; cfg = serviceConfig.livekit;
keyFile = cfg.keyFile; keyFile = cfg.keyFile;
publicUrl = "wss://${cfg.domain}/livekit/sfu/"; acmeDir = config.security.acme.certs.${cfg.domain}.directory;
publicUrl = "wss://${cfg.domain}";
trustedHomeservers = trustedHomeservers =
if builtins.isList cfg.trusted_homeservers then if builtins.isList cfg.trusted_homeservers then
cfg.trusted_homeservers cfg.trusted_homeservers
@ -23,9 +24,28 @@ in
port_range_start = cfg.rtc_port_range_start; port_range_start = cfg.rtc_port_range_start;
port_range_end = cfg.rtc_port_range_end; port_range_end = cfg.rtc_port_range_end;
}; };
turn = {
enabled = true;
udp_port = cfg.turn_port;
tls_port = cfg.turn_tls_port;
relay_range_start = cfg.turn_relay_range_start;
relay_range_end = cfg.turn_relay_range_end;
domain = cfg.domain;
cert_file = "/run/credentials/livekit.service/turn-cert";
key_file = "/run/credentials/livekit.service/turn-key";
};
}; };
}; };
# Provide ACME cert/key to livekit via systemd credentials.
systemd.services.livekit.serviceConfig.LoadCredential = lib.mkIf cfg.enable (lib.mkAfter [
"turn-cert:${acmeDir}/full.pem"
"turn-key:${acmeDir}/key.pem"
]);
# Restart livekit when ACME renews the cert used for built-in TURN TLS.
security.acme.certs.${cfg.domain}.postRun = lib.mkIf cfg.enable "systemctl restart livekit.service";
services.lk-jwt-service = lib.mkIf cfg.enable { services.lk-jwt-service = lib.mkIf cfg.enable {
enable = true; enable = true;
livekitUrl = publicUrl; livekitUrl = publicUrl;
@ -34,13 +54,20 @@ in
}; };
systemd.services.livekit-key = lib.mkIf cfg.enable { systemd.services.livekit-key = lib.mkIf cfg.enable {
before = [ "lk-jwt-service.service" "livekit.service" ]; before = [
"lk-jwt-service.service"
"livekit.service"
];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ livekit coreutils gawk ]; path = with pkgs; [
livekit
coreutils
gawk
];
script = '' script = ''
echo "Key missing, generating key" echo "Key missing, generating key"
mkdir -p "$(dirname "${keyFile}")" mkdir -p "$(dirname "${keyFile}")"
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}" echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
''; '';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
unitConfig.ConditionPathExists = "!${keyFile}"; unitConfig.ConditionPathExists = "!${keyFile}";
@ -49,4 +76,19 @@ in
systemd.services.lk-jwt-service = lib.mkIf cfg.enable { systemd.services.lk-jwt-service = lib.mkIf cfg.enable {
environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv; environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv;
}; };
}
# Open firewall for livekit RTC ports
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable (
(lib.range cfg.rtc_port_range_start cfg.rtc_port_range_end)
++ (lib.range cfg.turn_relay_range_start cfg.turn_relay_range_end)
++ [ cfg.turn_port ]
);
# Open firewall for livekit API/JWT and TURN TCP/TLS ports
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
7880
7881
cfg.turn_port
cfg.turn_tls_port
];
}
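Review bot: `networking.firewall.allowedTCPPorts` (L164–L169) opens 7880 on the public firewall although the SFU is already fronted by nginx on 443 through the `/` proxy entry added in this commit; if 7880 is LiveKit's plain-HTTP API/WebSocket listener (its default), this exposes the API without TLS next to the intended TLS path and should be dropped, whereas 7881 (ICE over TCP) and `cfg.turn_tls_port` do need to be reachable directly. `cfg.turn_port` is opened on TCP as well (L167), but the `turn` block in the second hunk only configures `udp_port` and `tls_port`, so TCP on that port appears unused. For UDP, `lib.range` (L158–L162) expands 50000–51000 into about a thousand individual port entries, and because the relay range overlaps the RTC range the list also contains duplicates; `networking.firewall.allowedUDPPortRanges` expresses the same as two range rules. The rewrite below keeps the `lib.mkIf cfg.enable` guard and the comments; the surrounding module attrset ends at L170.
```nix
# … unchanged: lk-jwt-service environment …
# Open firewall for livekit RTC media and TURN relay ports (range rules instead of one entry per port)
networking.firewall.allowedUDPPortRanges = lib.mkIf cfg.enable [
  { from = cfg.rtc_port_range_start; to = cfg.rtc_port_range_end; }
  { from = cfg.turn_relay_range_start; to = cfg.turn_relay_range_end; }
];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [ cfg.turn_port ];
# ICE over TCP and TURN/TLS must be reachable directly; the HTTP API stays behind nginx on 443
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
  7881
  cfg.turn_tls_port
];
```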