TURN

2026-04-19 15:33:09 -07:00 · 2026-04-19 15:33:09 -07:00 · eb1e0b9556
commit eb1e0b9556
parent f732b95b60
3 changed files with 22 additions and 11 deletions
--- a/services/coturn.nix
+++ b/services/coturn.nix
@ -13,17 +13,11 @@
  };

  networking.firewall = {
-    allowedUDPPorts = [
-      3478
-      5349
-    ];
-    allowedTCPPorts = [
-      3478
-      5349
-    ];
+    allowedUDPPorts = [ 5349 ];
+    allowedTCPPorts = [ 5349 ];
    allowedUDPPortRanges = [
      {
-        from = 49152;
+        from = 50201;
        to = 65535;
      }
    ];
@ -47,10 +41,15 @@
    listening-port = 3478;
    tls-listening-port = 5349;

+    # Plain TURN disabled; only TURNS on 5349 is reachable.
+    no-udp = true;
+    no-tcp = true;
+
    lt-cred-mech = true;
    no-tcp-relay = true;

-    min-port = 49152;
+    # Stay above LiveKit's 50000-50200 UDP range (services/livekit.nix).
+    min-port = 50201;
    max-port = 65535;
  };

--- a/services/lk-jwt.nix
+++ b/services/lk-jwt.nix
@ -48,6 +48,7 @@ in

    environment = {
      LIVEKIT_URL = "wss://livekit.ellie.town";
+      LIVEKIT_FULL_ACCESS_HOMESERVERS = "ellie.town";
      LK_JWT_PORT = "8080";
    };

--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -21,8 +21,19 @@
      address = [ "10.10.0.2" ];
      port = [ 8008 ];

-      turn_uris = [ "turns:turn.ellie.town" ];
+      turn_uris = [
+        "turns:turn.ellie.town?transport=udp"
+        "turns:turn.ellie.town?transport=tcp"
+      ];
      turn_secret_file = config.sops.secrets."coturn/auth_secret_home".path;
+      turn_ttl = 86400;
+
+      matrix_rtc.foci = [
+        {
+          type = "livekit";
+          livekit_service_url = "https://lk-jwt.ellie.town";
+        }
+      ];

      well_known = {
        client = "https://matrix.ellie.town";