oxofrmbl/jitsi-meet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cebcf4f567
jitsi-meet/infra/k3s/10-config.yaml
Dennis Paradzinski cebcf4f567
All checks were successful
deploy / deploy (push) Successful in 42s
Details
feat: coturn TURN-relay + bandwidth defaults for mobile 
Adds a coturn pod that gives clients a relay path when direct UDP to
JVB:10001 doesn't make it through carrier NAT (the typical mobile-data
failure mode the user hit). Same domain as the rest — meet.it.financeflow.de
— because TURN ports (3478/5349) don't collide with the Ingress on 443.

- 80-coturn.yaml: hostNetwork Deployment binding STUN+TURN on 3478
  (UDP/TCP) and TURNS on 5349 (UDP/TCP), inline-templates turnserver.conf
  with PUBLIC_IP + TURN_CREDENTIALS_SECRET. TLS cert mounted from the
  same jitsi-tls Secret cert-manager already manages for the web Ingress.
  CronJob restarts coturn weekly so cert renewals propagate.
- 10-config.yaml: STUN now points at our own coturn; TURN_HOST/TURNS_HOST
  set so Prosody mod_external_services hands TURN endpoints to clients
  during XMPP session init. RESOLUTION capped at 480p,
  START_VIDEO_MUTED=5 keeps large rooms light on bandwidth.
- generate-secrets.sh + 20-secrets.yaml.example: TURN_CREDENTIALS_SECRET
  added so Prosody and coturn share the HMAC key (already pre-synced
  out-of-band into the cluster).
- deploy.yml: sed __PUBLIC_IP__ in coturn manifest, rollout-status coturn.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 14:02:46 +02:00

79 lines
3.0 KiB
YAML
Raw Blame History

# Non-sensitive env shared across all jitsi components. Sensitive values
# (XMPP component passwords) live in the 20-secrets.yaml that is NOT
# committed to git — see scripts/generate-secrets.sh.
apiVersion: v1
kind: ConfigMap
metadata:
name: jitsi-config
namespace: jitsi
data:
# === Public-facing config ===
PUBLIC_URL: "https://meet.it.financeflow.de"
TZ: "Europe/Berlin"
# === XMPP topology (internal hostnames — do not change without
# updating all 4 components in lockstep) ===
XMPP_DOMAIN: "meet.jitsi"
XMPP_AUTH_DOMAIN: "auth.meet.jitsi"
XMPP_INTERNAL_MUC_DOMAIN: "internal-muc.meet.jitsi"
XMPP_MUC_DOMAIN: "muc.meet.jitsi"
XMPP_GUEST_DOMAIN: "guest.meet.jitsi"
XMPP_RECORDER_DOMAIN: "recorder.meet.jitsi"
XMPP_SERVER: "prosody.jitsi.svc.cluster.local"
XMPP_BOSH_URL_BASE: "http://prosody.jitsi.svc.cluster.local:5280"
# === JWT-based auth — Prosody validates HS256 tokens signed by
# Embertime. Only invited participants get a valid token (with
# context.user populated, optional moderator flag). The shared HMAC
# secret lives in the Kubernetes Secret as JWT_APP_SECRET. Guests are
# disabled — a missing/invalid token means no entry. ===
ENABLE_AUTH: "1"
AUTH_TYPE: "jwt"
ENABLE_GUESTS: "0"
JWT_APP_ID: "embertime"
JWT_ACCEPTED_ISSUERS: "embertime"
JWT_ACCEPTED_AUDIENCES: "embertime"
TOKEN_AUTH_URL: ""
# === TLS handled by ingress cert-manager, not by the jitsi/web container ===
ENABLE_LETSENCRYPT: "0"
ENABLE_HTTP_REDIRECT: "0"
DISABLE_HTTPS: "1"
# === Videobridge brewery (where jicofo finds JVBs over XMPP) ===
JVB_BREWERY_MUC: "jvbbrewery"
# === STUN/TURN — our own coturn (deploy 80-coturn.yaml). JVB itself
# uses STUN to discover its public-side mapping; clients additionally
# learn the TURN endpoints from Prosody via mod_external_services and
# fall back to relay when direct UDP doesn't reach JVB:10001 (typical
# for mobile-carrier NATs). ===
JVB_STUN_SERVERS: "meet.it.financeflow.de:3478"
TURN_HOST: "meet.it.financeflow.de"
TURNS_HOST: "meet.it.financeflow.de"
TURN_PORT: "3478"
TURNS_PORT: "5349"
TURN_TRANSPORT: "udp,tcp"
# === UX / lockdown ===
# Pre-join page on — gives joiners a chance to set audio/video before
# they hit the room.
ENABLE_PREJOIN_PAGE: "1"
# Welcome page off — visiting https://meet.it.financeflow.de/ bare
# shows a minimal shell instead of a "create new room" form. Combined
# with AUTH=jwt, the only way in is via a signed deep-link Embertime
# hands out.
ENABLE_WELCOME_PAGE: "0"
ENABLE_CLOSE_PAGE: "0"
ENABLE_TRANSCRIPTIONS: "0"
ENABLE_RECORDING: "0"
# === Bandwidth defaults — keep things sane on mobile ===
# Cap outgoing video at 480p so even slow connections can stream.
# Users on fat pipes can still manually bump it via the toolbar.
RESOLUTION: "480"
RESOLUTION_MIN: "180"
# In rooms with >5 people, new joiners start with video muted —
# saves bandwidth in larger team meetings, easy 1-click to enable.
START_VIDEO_MUTED: "5"
Reference in New Issue View Git Blame Copy Permalink