finish hooking up livekit

2026-01-24 22:26:13 +03:00 · 2024-11-05 14:03:17 +00:00
parent 01b3f9f435
commit defa69734a
8 changed files with 426 additions and 11 deletions
--- a/compose.yml
+++ b/compose.yml
@@ -3,10 +3,14 @@ networks:
  backend:

 secrets:
-   postgres_password:
-      file: secrets/postgres/postgres_password
-   synapse_signing_key:
-      file: secrets/synapse/${DOMAIN}.signing.key
+  postgres_password:
+    file: secrets/postgres/postgres_password
+  synapse_signing_key:
+    file: secrets/synapse/${DOMAIN}.signing.key
+  livekit_api_key:
+    file: secrets/livekit/livekit_api_key
+  livekit_secret_key:
+    file: secrets/livekit/livekit_secret_key

 services:
  # dependencies for optionally generating default configs + secrets
@@ -145,7 +149,7 @@ services:
      redis:
        condition: service_started
      postgres:
-        condition: service_healthy
+        condition: service_started
      init:
        condition: service_completed_successfully

@@ -208,7 +212,7 @@ services:
    command: "server --config=/data/config.yaml"
    depends_on:
      postgres:
-        condition: service_healthy
+        condition: service_started
      init:
        condition: service_completed_successfully

@@ -261,9 +265,16 @@ services:
    command: --config /etc/livekit.yaml --node-ip ${LIVEKIT_NODE_IP}
    ports:
      # - 7880:7880 # HTTP listener
-      - 7881:7881 # WS signalling
-      # - 50000-60000:50000-60000/tcp # TCP media
-      # - 50000-60000:50000-60000/udp # UDP media
+      - 7881:7881 # TCP WebRTC transport, advertised via SDP
+
+      # TODO: expose livekit-turn on TCP & UDP 443 via nginx
+      # At least this would allow UDP turn on port 443 for better perf.
+
+      # You can't expose a massive range here as it literally sets up 10,000 userland listeners, which takes forever
+      # and will clash with any existing high-numbered ports.
+      # So for now, tunnel everything via TCP 7881. FIXME!
+      #- 50000-60000:50000-60000/tcp # TCP media
+      #- 50000-60000:50000-60000/udp # UDP media
    networks:
      - backend
    depends_on:
@@ -271,3 +282,32 @@ services:
        condition: service_completed_successfully
      redis:
        condition: service_started
+
+  livekit-jwt:
+    build:
+      # evil hack to pull in bash so we can run an entrypoint.sh
+      # FIXME: it's a bit wasteful; the alternative would be to modify lk-jwt-service to pick up secrets from disk
+      dockerfile_inline: |
+        FROM ghcr.io/element-hq/lk-jwt-service:latest-ci AS builder
+        FROM alpine:latest
+        RUN apk update && apk add bash
+        COPY --from=builder /lk-jwt-service /
+    restart: unless-stopped
+    volumes:
+      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/init/livekit-jwt-entrypoint.sh:/entrypoint.sh
+    entrypoint: /entrypoint.sh
+    env_file: .env
+    deploy:
+      restart_policy:
+        condition: on-failure
+    networks:
+      - backend
+    secrets:
+      - livekit_api_key
+      - livekit_secret_key
+    depends_on:
+      init:
+        condition: service_completed_successfully
+      livekit:
+        condition: service_started