8baefe1bfd
LiveKit was exiting cleanly with "TURN domain required" because turn.enabled
was set in the build-time config but turn.domain was never provided to the
process (the old livekit-runtime-config.service wrote a YAML that nothing
read). A clean exit (status 0) meant Restart=on-failure never restarted it,
so the Hub reported the service as Inactive.
This replaces the dead runtime-config oneshot with livekit-turn-setup.service,
which at runtime:
- reads the matrix domain from /var/lib/domains/matrix (no hardcoding)
- copies Caddy's already-issued matrix cert/key into /var/lib/livekit
- generates a complete LiveKit config (incl. turn.domain + TLS cert/key)
at /run/livekit/livekit.yaml
The livekit.service ExecStart is overridden to load that runtime config
(mirroring the existing Caddy ExecStart override pattern in
modules/core/caddy.nix), since turn.domain is only known at runtime. The cert
is delivered via LoadCredential so it is readable under DynamicUser=true
without weakening the sandbox.
Also aligns the RTC media port range (rtc.port_range_start/end = 30000-40000)
so it matches the forwarded ports, and drops the now-redundant manual
30000-40000 firewall ranges (covered by services.livekit settings/openFirewall).
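The runtime step the commit describes (read the domain, copy the cert/key, emit a complete config, and fail hard if the domain is missing) as an added, stand-alone shell example. This is not the project's livekit-turn-setup.service script: paths are passed as arguments so it runs against a scratch directory, the YAML keys other than turn.domain and rtc.port_range_start/end (port, tls_port, cert_file, key_file, use_external_ip) and the API-key handling are assumptions, and LiveKit API keys are left to be supplied separately.

```shell
#!/bin/sh
# Hypothetical stand-in for the work livekit-turn-setup.service does; not the
# project's own script. Usage:
#   livekit_turn_setup DOMAIN_FILE CERT_SRC KEY_SRC STATE_DIR OUT_FILE
# Production equivalents (assumed): /var/lib/domains/matrix, Caddy's issued
# cert/key, /var/lib/livekit, /run/livekit/livekit.yaml.
livekit_turn_setup() {
  domain_file=$1; cert_src=$2; key_src=$3; state_dir=$4; out_file=$5

  # Exit non-zero when the domain is missing. A clean exit here would recreate
  # the original failure mode: "TURN domain required" with status 0, so
  # Restart=on-failure never fires and the unit just looks Inactive.
  if [ ! -s "$domain_file" ]; then
    echo "livekit-turn-setup: no domain in $domain_file" >&2
    return 1
  fi
  domain=$(head -n1 "$domain_file" | tr -d '[:space:]')
  case "$domain" in
    *[!A-Za-z0-9.-]*|"") echo "livekit-turn-setup: bad domain '$domain'" >&2; return 1 ;;
  esac

  for f in "$cert_src" "$key_src"; do
    [ -r "$f" ] || { echo "livekit-turn-setup: cannot read $f" >&2; return 1; }
  done

  # Copy Caddy's already-issued cert/key into LiveKit's state dir; the private
  # key is owner-readable only.
  mkdir -p "$state_dir" "$(dirname "$out_file")"
  install -m 0644 "$cert_src" "$state_dir/tls.crt"
  install -m 0600 "$key_src" "$state_dir/tls.key"

  # Write the complete runtime config atomically (tmp + mv) so LiveKit can
  # never load a half-written file. API keys are assumed to come from
  # elsewhere and are deliberately not embedded here.
  tmp="$out_file.tmp.$$"
  umask 077
  cat >"$tmp" <<EOF
# generated by livekit-turn-setup; do not edit
port: 7880
rtc:
  port_range_start: 30000
  port_range_end: 40000
  use_external_ip: true
turn:
  enabled: true
  domain: $domain
  tls_port: 5349
  cert_file: $state_dir/tls.crt
  key_file: $state_dir/tls.key
EOF
  mv "$tmp" "$out_file"
  echo "$out_file"
}

# Read back one scalar from the generated YAML (enough for a post-write check).
yaml_get() { sed -n "s/^ *$2: *//p" "$1" | head -n1; }

if [ "$#" -eq 5 ]; then
  livekit_turn_setup "$@"
fi
```

The important property is the non-zero return on a missing or malformed domain: with the setup unit wired in as a dependency, systemd then reports a failed unit instead of an Inactive one, and the port range written here matches the forwarded 30000-40000 range the commit aligns.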