From 1a22272441890069bb2ea0fea43c292e08bba434 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 18:03:06 +0000
Subject: [PATCH] talk: configure janus to use local TURN server for relay candidates
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/43a0bf9c-28e1-4cd4-ab0e-08999fafe3bf
Use NC_DOMAIN as janus TURN server address instead of 127.0.0.1
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/43a0bf9c-28e1-4cd4-ab0e-08999fafe3bf
Simplify janus TURN config: static creds, single file copy, sed+cat nat block
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/aadf3820-dfeb-462a-9ff9-145d0bf92cfc
talk: use ephemeral TURN credentials with random username and 3-month TTL for Janus
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/7626994e-6a81-44e5-8205-73ba9ebfd91f
adjust some paths
Signed-off-by: Simon L.
talk: increase TURN username entropy from 64-bit to 128-bit (rand -hex 16)
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d6de0472-9f63-416e-9003-8e224e25aaec
Signed-off-by: Simon L.
Signed-off-by: Simon L.
Signed-off-by: Simon L.
Co-Authored-By: szaimen <42591237+szaimen@users.noreply.github.com>
---
 Containers/talk/start.sh | 30 ++++++++++++++++++++++++++++++
 Containers/talk/supervisord.conf | 2 +-
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh
index 57344ee0..9a04333c 100644
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -129,4 +129,34 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 
+# Configure Janus to use the local TURN server for its own relay candidates.
+# Ephemeral TURN credentials (TURN REST API pattern):
+# username = ":" (valid for 3 months)
+# password = base64(HMAC-SHA1(TURN_SECRET, username))
+# eturnal validates both the HMAC and the embedded expiry on every Allocate,
+# so a captured credential stops working after at most 3 months.
+JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
+JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
+
+if [ -z "$TURN_DOMAIN" ]; then
+ TURN_DOMAIN="$NC_DOMAIN"
+fi
+
+# Build janus.jcfg: strip the entire nat block from the original and append a
+# clean minimal one that points at the TURN server.
+{
+ sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
+ cat << NAT_CONF
+nat: {
+ turn_server = "$TURN_DOMAIN"
+ turn_port = $TALK_PORT
+ turn_type = "udp"
+ turn_user = "$JANUS_TURN_USER"
+ turn_pwd = "$JANUS_TURN_PWD"
+ # The ice ignore list is set by janus by default, so also do this here
+ ice_ignore_list = "vmnet"
+}
+NAT_CONF
+} > /conf/janus.jcfg
+
 exec "$@"
diff --git a/Containers/talk/supervisord.conf b/Containers/talk/supervisord.conf
index 89287db5..f83cdfd8 100644
--- a/Containers/talk/supervisord.conf
+++ b/Containers/talk/supervisord.conf
@@ -27,7 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout
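Review bot: In the Containers/talk/start.sh hunk, `JANUS_TURN_USER` is minted once at container start with an expiry of now + 7776000 s and nothing regenerates it, so a talk container that stays up longer than that will keep presenting an expired username and, per the hunk's own comment that eturnal checks the expiry on every Allocate, Janus would lose its relay candidates until the next restart. The same long window is the exposure time of the derived password, which is written in cleartext to `/conf/janus.jcfg` under whatever umask the script inherits (not visible here), and `-hmac "$TURN_SECRET"` puts the shared secret on the openssl command line, where other processes in the container can read it while that command runs. I would add `umask 077` before the `{ … } > /conf/janus.jcfg` group (assuming Janus runs as the same user as this script), guard the result with `[ -n "$JANUS_TURN_PWD" ] || exit 1`, and extend the comment with `# Janus keeps this credential until the container restarts; restart before it expires`. The script starts above the hunk, so an earlier check on TURN_SECRET or an existing umask may already cover part of this.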