diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index 57344ee0..9a04333c 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -129,4 +129,34 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE} maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE} SIGNALING_CONF +# Configure Janus to use the local TURN server for its own relay candidates. +# Ephemeral TURN credentials (TURN REST API pattern): +# username = ":" (valid for 3 months) +# password = base64(HMAC-SHA1(TURN_SECRET, username)) +# eturnal validates both the HMAC and the embedded expiry on every Allocate, +# so a captured credential stops working after at most 3 months. +JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)" +JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)" + +if [ -z "$TURN_DOMAIN" ]; then + TURN_DOMAIN="$NC_DOMAIN" +fi + +# Build janus.jcfg: strip the entire nat block from the original and append a +# clean minimal one that points at the TURN server. +{ + sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg + cat << NAT_CONF +nat: { + turn_server = "$TURN_DOMAIN" + turn_port = $TALK_PORT + turn_type = "udp" + turn_user = "$JANUS_TURN_USER" + turn_pwd = "$JANUS_TURN_PWD" + # The ice ignore list is set by janus by default, so also do this here + ice_ignore_list = "vmnet" +} +NAT_CONF +} > /conf/janus.jcfg + exec "$@" diff --git a/Containers/talk/supervisord.conf b/Containers/talk/supervisord.conf index 89287db5..f83cdfd8 100644 --- a/Containers/talk/supervisord.conf +++ b/Containers/talk/supervisord.conf @@ -27,7 +27,7 @@ stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 # debug-level 3 means warning -command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3 +command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3 [program:signaling] stdout_logfile=/dev/stdout