fix: update livekit endpoints and add TURN server configuration
This commit is contained in:
Katharina Heidenreich
parent
eee6905637
commit
7d55e4e40a
5 changed files with 88 additions and 11 deletions
|
|
@ -7,7 +7,7 @@ in
|
|||
type = "proxy";
|
||||
listenPort = 443;
|
||||
domain = cfg.domain;
|
||||
endpoint = "/livekit/jwt/";
|
||||
endpoint = "/sfu/get";
|
||||
force_ssl = true;
|
||||
content = {
|
||||
host = "127.0.0.1";
|
||||
|
|
@ -18,7 +18,29 @@ in
|
|||
type = "proxy";
|
||||
listenPort = 443;
|
||||
domain = cfg.domain;
|
||||
endpoint = "/livekit/sfu/";
|
||||
endpoint = "/healthz";
|
||||
force_ssl = true;
|
||||
content = {
|
||||
host = "127.0.0.1";
|
||||
port = cfg.jwt_port;
|
||||
};
|
||||
}
|
||||
{
|
||||
type = "proxy";
|
||||
listenPort = 443;
|
||||
domain = cfg.domain;
|
||||
endpoint = "/get_token";
|
||||
force_ssl = true;
|
||||
content = {
|
||||
host = "127.0.0.1";
|
||||
port = cfg.jwt_port;
|
||||
};
|
||||
}
|
||||
{
|
||||
type = "proxy";
|
||||
listenPort = 443;
|
||||
domain = cfg.domain;
|
||||
endpoint = "/";
|
||||
force_ssl = true;
|
||||
content = {
|
||||
host = "127.0.0.1";
|
||||
|
|
|
|||
|
|
@ -8,6 +8,15 @@ let
|
|||
domain = "vikunja.nudelerde.de";
|
||||
tls = true;
|
||||
}
|
||||
{
|
||||
port = 80;
|
||||
domain = "wekan.nudelerde.de";
|
||||
}
|
||||
{
|
||||
port = 443;
|
||||
domain = "wekan.nudelerde.de";
|
||||
tls = true;
|
||||
}
|
||||
{
|
||||
port = 80;
|
||||
domain = "nudelerde.de";
|
||||
|
|
|
|||
|
|
@ -15,5 +15,9 @@
|
|||
trusted_homeservers = [ "nudelerde.de" ];
|
||||
rtc_port_range_start = 50000;
|
||||
rtc_port_range_end = 51000;
|
||||
turn_port = 3478;
|
||||
turn_tls_port = 5349;
|
||||
turn_relay_range_start = 50300;
|
||||
turn_relay_range_end = 50400;
|
||||
};
|
||||
}
|
||||
|
|
@ -96,7 +96,7 @@ let
|
|||
forceSSL = false;
|
||||
};
|
||||
location = {
|
||||
proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}/";
|
||||
proxyPass = "http://${endpoint.content.host}:${toString endpoint.content.port}";
|
||||
} // lib.optionalAttrs (endpoint.content ? websocket && endpoint.content.websocket) {
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,9 +1,10 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
serviceConfig = import ../config/services.nix;
|
||||
cfg = serviceConfig.livekit;
|
||||
keyFile = cfg.keyFile;
|
||||
publicUrl = "wss://${cfg.domain}/livekit/sfu/";
|
||||
acmeDir = config.security.acme.certs.${cfg.domain}.directory;
|
||||
publicUrl = "wss://${cfg.domain}";
|
||||
trustedHomeservers =
|
||||
if builtins.isList cfg.trusted_homeservers then
|
||||
cfg.trusted_homeservers
|
||||
|
|
@ -23,9 +24,28 @@ in
|
|||
port_range_start = cfg.rtc_port_range_start;
|
||||
port_range_end = cfg.rtc_port_range_end;
|
||||
};
|
||||
turn = {
|
||||
enabled = true;
|
||||
udp_port = cfg.turn_port;
|
||||
tls_port = cfg.turn_tls_port;
|
||||
relay_range_start = cfg.turn_relay_range_start;
|
||||
relay_range_end = cfg.turn_relay_range_end;
|
||||
domain = cfg.domain;
|
||||
cert_file = "/run/credentials/livekit.service/turn-cert";
|
||||
key_file = "/run/credentials/livekit.service/turn-key";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Provide ACME cert/key to livekit via systemd credentials.
|
||||
systemd.services.livekit.serviceConfig.LoadCredential = lib.mkIf cfg.enable (lib.mkAfter [
|
||||
"turn-cert:${acmeDir}/full.pem"
|
||||
"turn-key:${acmeDir}/key.pem"
|
||||
]);
|
||||
|
||||
# Restart livekit when ACME renews the cert used for built-in TURN TLS.
|
||||
security.acme.certs.${cfg.domain}.postRun = lib.mkIf cfg.enable "systemctl restart livekit.service";
|
||||
|
||||
services.lk-jwt-service = lib.mkIf cfg.enable {
|
||||
enable = true;
|
||||
livekitUrl = publicUrl;
|
||||
|
|
@ -34,13 +54,20 @@ in
|
|||
};
|
||||
|
||||
systemd.services.livekit-key = lib.mkIf cfg.enable {
|
||||
before = [ "lk-jwt-service.service" "livekit.service" ];
|
||||
before = [
|
||||
"lk-jwt-service.service"
|
||||
"livekit.service"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ livekit coreutils gawk ];
|
||||
path = with pkgs; [
|
||||
livekit
|
||||
coreutils
|
||||
gawk
|
||||
];
|
||||
script = ''
|
||||
echo "Key missing, generating key"
|
||||
mkdir -p "$(dirname "${keyFile}")"
|
||||
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
|
||||
echo "Key missing, generating key"
|
||||
mkdir -p "$(dirname "${keyFile}")"
|
||||
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
unitConfig.ConditionPathExists = "!${keyFile}";
|
||||
|
|
@ -49,4 +76,19 @@ in
|
|||
systemd.services.lk-jwt-service = lib.mkIf cfg.enable {
|
||||
environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = trustedHomeserversEnv;
|
||||
};
|
||||
}
|
||||
|
||||
# Open firewall for livekit RTC ports
|
||||
networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable (
|
||||
(lib.range cfg.rtc_port_range_start cfg.rtc_port_range_end)
|
||||
++ (lib.range cfg.turn_relay_range_start cfg.turn_relay_range_end)
|
||||
++ [ cfg.turn_port ]
|
||||
);
|
||||
|
||||
# Open firewall for livekit API/JWT and TURN TCP/TLS ports
|
||||
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [
|
||||
7880
|
||||
7881
|
||||
cfg.turn_port
|
||||
cfg.turn_tls_port
|
||||
];
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue