fix(element-calling): enable LiveKit embedded TURN with runtime matrix domain + cert
LiveKit was exiting cleanly with "TURN domain required" because turn.enabled
was set in the build-time config but turn.domain was never provided to the
process (the old livekit-runtime-config.service wrote a YAML that nothing
read). A clean exit (status 0) meant Restart=on-failure never restarted it,
so the Hub reported the service as Inactive.
This replaces the dead runtime-config oneshot with livekit-turn-setup.service,
which at runtime:
- reads the matrix domain from /var/lib/domains/matrix (no hardcoding)
- copies Caddy's already-issued matrix cert/key into /var/lib/livekit
- generates a complete LiveKit config (incl. turn.domain + TLS cert/key)
at /run/livekit/livekit.yaml
The livekit.service ExecStart is overridden to load that runtime config
(mirroring the existing Caddy ExecStart override pattern in
modules/core/caddy.nix), since turn.domain is only known at runtime. The cert
is delivered via LoadCredential so it is readable under DynamicUser=true
without weakening the sandbox.
Also aligns the RTC media port range (rtc.port_range_start/end = 30000-40000)
so it matches the forwarded ports, and drops the now-redundant manual
30000-40000 firewall ranges (covered by services.livekit settings/openFirewall).
This commit is contained in:
Sovran Systems
+57
-17
@@ -34,8 +34,8 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
|
|||||||
};
|
};
|
||||||
|
|
||||||
####### ENSURE SERVICES START AFTER KEY EXISTS #######
|
####### ENSURE SERVICES START AFTER KEY EXISTS #######
|
||||||
systemd.services.livekit.after = [ "livekit-key-setup.service" ];
|
systemd.services.livekit.after = [ "livekit-key-setup.service" "livekit-turn-setup.service" ];
|
||||||
systemd.services.livekit.wants = [ "livekit-key-setup.service" ];
|
systemd.services.livekit.wants = [ "livekit-key-setup.service" "livekit-turn-setup.service" ];
|
||||||
systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ];
|
systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ];
|
||||||
systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ];
|
systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ];
|
||||||
|
|
||||||
@@ -89,11 +89,17 @@ EOF
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
####### LIVEKIT RUNTIME CONFIG #######
|
####### LIVEKIT TURN SETUP (runtime cert + config) #######
|
||||||
systemd.services.livekit-runtime-config = {
|
# Replaces the old dead livekit-runtime-config.service. At runtime this:
|
||||||
description = "Generate LiveKit runtime config from domain files";
|
# * reads the matrix domain from /var/lib/domains/matrix (never hardcoded)
|
||||||
|
# * copies Caddy's already-issued matrix cert/key into /var/lib/livekit
|
||||||
|
# so LoadCredential can stage them for the (DynamicUser) livekit unit
|
||||||
|
# * writes a complete LiveKit config (with turn.domain substituted) that the
|
||||||
|
# overridden ExecStart loads.
|
||||||
|
systemd.services.livekit-turn-setup = {
|
||||||
|
description = "Stage TURN cert and generate LiveKit runtime config from domain files";
|
||||||
|
after = [ "caddy.service" "livekit-key-setup.service" ];
|
||||||
before = [ "livekit.service" ];
|
before = [ "livekit.service" ];
|
||||||
after = [ "livekit-key-setup.service" ];
|
|
||||||
requiredBy = [ "livekit.service" ];
|
requiredBy = [ "livekit.service" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@@ -103,20 +109,42 @@ EOF
|
|||||||
unitConfig = {
|
unitConfig = {
|
||||||
ConditionPathExists = "/var/lib/domains/element-calling";
|
ConditionPathExists = "/var/lib/domains/element-calling";
|
||||||
};
|
};
|
||||||
path = [ pkgs.coreutils ];
|
path = [ pkgs.coreutils pkgs.findutils ];
|
||||||
script = ''
|
script = ''
|
||||||
MATRIX=$(cat /var/lib/domains/matrix)
|
MATRIX=$(cat /var/lib/domains/matrix)
|
||||||
|
|
||||||
mkdir -p /run/livekit
|
mkdir -p /run/livekit
|
||||||
|
|
||||||
cat > /run/livekit/runtime-config.yaml <<EOF
|
# Copy Caddy's already-issued matrix cert/key into LiveKit's state dir.
|
||||||
|
# The ACME CA hostname directory can vary, so glob for the domain dir.
|
||||||
|
CRT=$(find /var/lib/caddy -path "*/$MATRIX/$MATRIX.crt" | head -n1)
|
||||||
|
KEY=$(find /var/lib/caddy -path "*/$MATRIX/$MATRIX.key" | head -n1)
|
||||||
|
cp "$CRT" /var/lib/livekit/turn.crt
|
||||||
|
cp "$KEY" /var/lib/livekit/turn.key
|
||||||
|
chmod 640 /var/lib/livekit/turn.crt /var/lib/livekit/turn.key
|
||||||
|
|
||||||
|
# Generate the full LiveKit config the daemon will load. turn.domain is
|
||||||
|
# only known at runtime, so it is substituted here. The cert/key paths
|
||||||
|
# point at the LoadCredential-staged copies under /run/credentials.
|
||||||
|
cat > /run/livekit/livekit.yaml <<EOF
|
||||||
|
port: 7880
|
||||||
|
rtc:
|
||||||
|
use_external_ip: true
|
||||||
|
udp_port: 7882
|
||||||
|
port_range_start: 30000
|
||||||
|
port_range_end: 40000
|
||||||
|
room:
|
||||||
|
auto_create: false
|
||||||
turn:
|
turn:
|
||||||
|
enabled: true
|
||||||
domain: $MATRIX
|
domain: $MATRIX
|
||||||
cert_file: /var/lib/livekit/$MATRIX.crt
|
tls_port: 5349
|
||||||
key_file: /var/lib/livekit/$MATRIX.key
|
udp_port: 3478
|
||||||
|
cert_file: /run/credentials/livekit.service/turn-cert
|
||||||
|
key_file: /run/credentials/livekit.service/turn-key
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
chmod 640 /run/livekit/runtime-config.yaml
|
chmod 640 /run/livekit/livekit.yaml
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -128,6 +156,8 @@ EOF
|
|||||||
settings = {
|
settings = {
|
||||||
rtc.use_external_ip = true;
|
rtc.use_external_ip = true;
|
||||||
rtc.udp_port = 7882;
|
rtc.udp_port = 7882;
|
||||||
|
rtc.port_range_start = 30000;
|
||||||
|
rtc.port_range_end = 40000;
|
||||||
room.auto_create = false;
|
room.auto_create = false;
|
||||||
turn = {
|
turn = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
@@ -137,14 +167,24 @@ EOF
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Override ExecStart to load the runtime-generated config (which carries the
|
||||||
|
# runtime-only turn.domain), mirroring the Caddy ExecStart override pattern in
|
||||||
|
# modules/core/caddy.nix. Deliver the TURN cert/key via LoadCredential so they
|
||||||
|
# are readable under the upstream unit's DynamicUser=true sandbox without
|
||||||
|
# weakening it. Everything else about the standard unit is left intact.
|
||||||
|
systemd.services.livekit.serviceConfig.ExecStart = lib.mkForce [
|
||||||
|
""
|
||||||
|
"${pkgs.livekit}/bin/livekit-server --config /run/livekit/livekit.yaml --key-file /run/credentials/livekit.service/livekit-secrets"
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services.livekit.serviceConfig.LoadCredential = [
|
||||||
|
"livekit-secrets:${livekitKeyFile}"
|
||||||
|
"turn-cert:/var/lib/livekit/turn.crt"
|
||||||
|
"turn-key:/var/lib/livekit/turn.key"
|
||||||
|
];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 5349 7881 ];
|
networking.firewall.allowedTCPPorts = [ 5349 7881 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 3478 7882 ];
|
networking.firewall.allowedUDPPorts = [ 3478 7882 ];
|
||||||
networking.firewall.allowedUDPPortRanges = [
|
|
||||||
{ from = 30000; to = 40000; }
|
|
||||||
];
|
|
||||||
networking.firewall.allowedTCPPortRanges = [
|
|
||||||
{ from = 30000; to = 40000; }
|
|
||||||
];
|
|
||||||
|
|
||||||
####### JWT SERVICE RUNTIME CONFIG #######
|
####### JWT SERVICE RUNTIME CONFIG #######
|
||||||
systemd.services.lk-jwt-service-runtime-config = {
|
systemd.services.lk-jwt-service-runtime-config = {
|
||||||
|
|||||||
Reference in New Issue
Block a user