talk: configure janus to use local TURN server for relay candidates

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/43a0bf9c-28e1-4cd4-ab0e-08999fafe3bf Use NC_DOMAIN as janus TURN server address instead of 127.0.0.1 Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/43a0bf9c-28e1-4cd4-ab0e-08999fafe3bf Simplify janus TURN config: static creds, single file copy, sed+cat nat block Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/aadf3820-dfeb-462a-9ff9-145d0bf92cfc talk: use ephemeral TURN credentials with random username and 3-month TTL for Janus Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/7626994e-6a81-44e5-8205-73ba9ebfd91f adjust some paths Signed-off-by: Simon L. <szaimen@e.mail.de> talk: increase TURN username entropy from 64-bit to 128-bit (rand -hex 16) Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d6de0472-9f63-416e-9003-8e224e25aaec Signed-off-by: Simon L. <szaimen@e.mail.de> Signed-off-by: Simon L. <szaimen@e.mail.de> Signed-off-by: Simon L. <szaimen@e.mail.de> Co-Authored-By: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-21 10:50:10 +00:00 · 2026-04-16 18:03:06 +00:00
parent 4f929a8141
commit 1a22272441
2 changed files with 31 additions and 1 deletions
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -129,4 +129,34 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF

+# Configure Janus to use the local TURN server for its own relay candidates.
+# Ephemeral TURN credentials (TURN REST API pattern):
+#   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
+#   password  = base64(HMAC-SHA1(TURN_SECRET, username))
+# eturnal validates both the HMAC and the embedded expiry on every Allocate,
+# so a captured credential stops working after at most 3 months.
+JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
+JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
+
+if [ -z "$TURN_DOMAIN" ]; then
+    TURN_DOMAIN="$NC_DOMAIN"
+fi
+
+# Build janus.jcfg: strip the entire nat block from the original and append a
+# clean minimal one that points at the TURN server.
+{
+    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
+    cat << NAT_CONF
+nat: {
+	turn_server = "$TURN_DOMAIN"
+	turn_port = $TALK_PORT
+	turn_type = "udp"
+	turn_user = "$JANUS_TURN_USER"
+	turn_pwd = "$JANUS_TURN_PWD"
+    # The ice ignore list is set by janus by default, so also do this here
+    ice_ignore_list = "vmnet"
+}
+NAT_CONF
+} > /conf/janus.jcfg
+
 exec "$@"
--- a/Containers/talk/supervisord.conf
+++ b/Containers/talk/supervisord.conf
@@ -27,7 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3

 [program:signaling]
 stdout_logfile=/dev/stdout