Commit Graph

5 Commits

Author SHA1 Message Date
cebcf4f567 feat: coturn TURN-relay + bandwidth defaults for mobile
All checks were successful
deploy / deploy (push) Successful in 42s
Adds a coturn pod that gives clients a relay path when direct UDP to
JVB:10001 doesn't make it through carrier NAT (the typical mobile-data
failure mode the user hit). Same domain as the rest — meet.it.financeflow.de
— because TURN ports (3478/5349) don't collide with the Ingress on 443.

- 80-coturn.yaml: hostNetwork Deployment binding STUN+TURN on 3478
  (UDP/TCP) and TURNS on 5349 (UDP/TCP), inline-templates turnserver.conf
  with PUBLIC_IP + TURN_CREDENTIALS_SECRET. TLS cert mounted from the
  same jitsi-tls Secret cert-manager already manages for the web Ingress.
  CronJob restarts coturn weekly so cert renewals propagate.
- 10-config.yaml: STUN now points at our own coturn; TURN_HOST/TURNS_HOST
  set so Prosody mod_external_services hands TURN endpoints to clients
  during XMPP session init. RESOLUTION capped at 480p,
  START_VIDEO_MUTED=5 keeps large rooms light on bandwidth.
- generate-secrets.sh + 20-secrets.yaml.example: TURN_CREDENTIALS_SECRET
  added so Prosody and coturn share the HMAC key (already pre-synced
  out-of-band into the cluster).
- deploy.yml: sed __PUBLIC_IP__ in coturn manifest, rollout-status coturn.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 14:02:46 +02:00
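The credential handshake the coturn commit above relies on, as an added example that is not code from this repository or from coturn/Prosody: Prosody hands each client a short-lived TURN username/password derived from TURN_CREDENTIALS_SECRET, and coturn re-derives the password from the same key. The scheme shown is the ephemeral-credential convention that Prosody's mod_external_services emits with `algorithm = "turn"` and that coturn verifies under `use-auth-secret` with `static-auth-secret`; the secret value, user id and TTL below are constructed for illustration, and the verifier side is a reimplementation of the check, not coturn's own code.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed secret for illustration. In the deployment this is the value of
# TURN_CREDENTIALS_SECRET, which Prosody and coturn must share byte-for-byte.
SHARED_SECRET = b"constructed-turn-credentials-secret"


def mint_turn_credential(secret: bytes, user: str, ttl: int = 86400,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """What the XMPP side hands the client during session init:
    username = "<unix expiry>:<user>", password = base64(HMAC-SHA1(secret, username)).
    The expiry is baked into the username, so the MAC covers it."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode("ascii")


def verify_turn_credential(secret: bytes, username: str, password: str,
                           now: Optional[int] = None) -> Tuple[bool, str]:
    """The check the relay performs: parse the expiry out of the username,
    refuse stale credentials, then recompute the MAC with the shared key.
    Returns (accepted, reason) so a mismatch can be diagnosed."""
    if now is None:
        now = int(time.time())
    expiry, sep, _user = username.partition(":")
    if not sep or not expiry.isdigit():
        return False, "username is not <expiry>:<user>"
    if int(expiry) <= now:
        return False, "credential expired"
    expected = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:
        return False, "password is not base64"
    if not hmac.compare_digest(expected, given):
        # The usual cause when clients get credentials but the relay rejects
        # them: the secret in the Prosody Secret and the one in turnserver.conf
        # drifted apart (e.g. one side was regenerated, the other not).
        return False, "MAC mismatch (secret differs between Prosody and coturn?)"
    return True, "ok"


if __name__ == "__main__":
    user, pw = mint_turn_credential(SHARED_SECRET, "alice")
    print(user, pw, verify_turn_credential(SHARED_SECRET, user, pw))
    # A relay configured with a different key rejects the same credential.
    print(verify_turn_credential(b"stale-secret", user, pw))
```

Because the expiry lives inside the username and is covered by the MAC, a client cannot extend its own lifetime; the only thing that has to stay in sync is the key itself, which is why the secret is pre-synced out-of-band rather than templated into two places independently.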
cb4b2ddaba feat: disable welcome page so bare URL doesn't expose room creation
All checks were successful
deploy / deploy (push) Successful in 22s
2026-05-11 15:38:32 +02:00
8e76a96668 feat: switch Prosody to JWT auth (HS256, Embertime as issuer)
All checks were successful
deploy / deploy (push) Successful in 4s
Replaces the anonymous-OK setup with JWT-gated joins. Only participants
that Embertime invited get a valid token — random URL-guessers can no
longer enter rooms even if they discover the slug.

- ConfigMap: ENABLE_AUTH=1 + AUTH_TYPE=jwt + JWT_APP_ID=embertime
- 20-secrets.yaml.example: JWT_APP_SECRET placeholder with docs
- CLAUDE.md: documents the new auth model + rotation flow

Pipeline rolls config out; the secret itself stays out-of-band — admin
copies it from Embertime UI (Settings → Meeting-Server) or queries the
embertime DB directly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 15:19:00 +02:00
d946046773 fix(jvb): shift media port to UDP 10001 (10000 taken by OpenDesk bundle)
All checks were successful
deploy / deploy (push) Successful in 11s
2026-05-11 14:48:10 +02:00
6efce0c8f1 chore: initial Jitsi-Meet k3s scaffold for darkemberserver
Some checks failed
deploy / deploy (push) Failing after 3s
Self-hosted Jitsi instance at meet.it.financeflow.de — avoids the
meet.jit.si moderator-auth wall. Four components (web/prosody/jicofo/jvb)
as raw k3s manifests, same deploy pattern as Embertime (Gitea Actions
+ kubectl apply + KUBECONFIG_B64 secret).

JVB uses hostNetwork + UDP 10000 for media — requires router forward.
Component passwords live in a kubectl-applied Secret (not in git);
generate-secrets.sh produces a fresh manifest.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 12:55:29 +02:00