TURN

services/coturn.nix

@@ -13,17 +13,11 @@
   };
 
   networking.firewall = {
-    allowedUDPPorts = [
+    allowedUDPPorts = [ 5349 ];
-      3478
+    allowedTCPPorts = [ 5349 ];
-      5349
-    ];
-    allowedTCPPorts = [
-      3478
-      5349
-    ];
     allowedUDPPortRanges = [
       {
-        from = 49152;
+        from = 50201;
         to = 65535;
       }
     ];
@@ -47,10 +41,15 @@
     listening-port = 3478;
     tls-listening-port = 5349;
 
+    # Plain TURN disabled; only TURNS on 5349 is reachable.
+    no-udp = true;
+    no-tcp = true;
+
     lt-cred-mech = true;
     no-tcp-relay = true;
 
-    min-port = 49152;
+    # Stay above LiveKit's 50000-50200 UDP range (services/livekit.nix).
+    min-port = 50201;
     max-port = 65535;
   };
 

services/lk-jwt.nix

@@ -48,6 +48,7 @@ in
 
     environment = {
       LIVEKIT_URL = "wss://livekit.ellie.town";
+      LIVEKIT_FULL_ACCESS_HOMESERVERS = "ellie.town";
       LK_JWT_PORT = "8080";
     };
 

services/matrix.nix

@@ -21,8 +21,19 @@
       address = [ "10.10.0.2" ];
       port = [ 8008 ];
 
-      turn_uris = [ "turns:turn.ellie.town" ];
+      turn_uris = [
+        "turns:turn.ellie.town?transport=udp"
+        "turns:turn.ellie.town?transport=tcp"
+      ];
       turn_secret_file = config.sops.secrets."coturn/auth_secret_home".path;
+      turn_ttl = 86400;
+
+      matrix_rtc.foci = [
+        {
+          type = "livekit";
+          livekit_service_url = "https://lk-jwt.ellie.town";
+        }
+      ];
 
       well_known = {
         client = "https://matrix.ellie.town";