Dennis Paradzinski
cebcf4f567
All checks were successful
deploy / deploy (push) Successful in 42s
Adds a coturn pod that gives clients a relay path when direct UDP to JVB:10001 doesn't make it through carrier NAT (the typical mobile-data failure mode the user hit). Same domain as the rest — meet.it.financeflow.de — because TURN ports (3478/5349) don't collide with the Ingress on 443. - 80-coturn.yaml: hostNetwork Deployment binding STUN+TURN on 3478 (UDP/TCP) and TURNS on 5349 (UDP/TCP), inline-templates turnserver.conf with PUBLIC_IP + TURN_CREDENTIALS_SECRET. TLS cert mounted from the same jitsi-tls Secret cert-manager already manages for the web Ingress. CronJob restarts coturn weekly so cert renewals propagate. - 10-config.yaml: STUN now points at our own coturn; TURN_HOST/TURNS_HOST set so Prosody mod_external_services hands TURN endpoints to clients during XMPP session init. RESOLUTION capped at 480p, START_VIDEO_MUTED=5 keeps large rooms light on bandwidth. - generate-secrets.sh + 20-secrets.yaml.example: TURN_CREDENTIALS_SECRET added so Prosody and coturn share the HMAC key (already pre-synced out-of-band into the cluster). - deploy.yml: sed __PUBLIC_IP__ in coturn manifest, rollout-status coturn. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
37 lines
1.1 KiB
Bash
Executable File
37 lines
1.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Generates a 20-secrets.yaml with fresh random component passwords.
|
|
# Usage:
|
|
# ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
|
|
# kubectl apply -f infra/k3s/20-secrets.yaml
|
|
#
|
|
# Re-running rotates the passwords — every component then needs to be
|
|
# restarted (kubectl rollout restart) so they pick up the new env.
|
|
|
|
set -eu
|
|
|
|
# 24 random bytes → 32 base64 chars, stripped of slashes/+ for safety in
|
|
# env vars + URLs. Avoids the SIGPIPE issue with `tr | head` under
|
|
# pipefail.
|
|
rand() { openssl rand -hex 16; } # 32 hex chars = 16 bytes entropy, plenty for component auth
|
|
|
|
JICOFO_COMPONENT_SECRET=$(rand)
|
|
JICOFO_AUTH_PASSWORD=$(rand)
|
|
JVB_AUTH_PASSWORD=$(rand)
|
|
TURN_CREDENTIALS_SECRET=$(rand)
|
|
|
|
cat <<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: jitsi-secrets
|
|
namespace: jitsi
|
|
type: Opaque
|
|
stringData:
|
|
JICOFO_COMPONENT_SECRET: "${JICOFO_COMPONENT_SECRET}"
|
|
JICOFO_AUTH_USER: "focus"
|
|
JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
|
|
JVB_AUTH_USER: "jvb"
|
|
JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
|
|
TURN_CREDENTIALS_SECRET: "${TURN_CREDENTIALS_SECRET}"
|
|
EOF
|