recipe-maintainers/lasuite-meet
0
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Working on public server

Browse Source
This commit is contained in:
notplants
2026-02-27 22:25:04 -05:00
parent c61aed32ff
commit 6ef5db5826
6 changed files with 188 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
.env.sample
View File

@ -1,4 +1,5 @@
TYPE=lasuite-meet
COMPOSE_FILE=compose.yml:compose.turn.yml
DOMAIN=lasuite-meet.example.com
## LiveKit domain — separate domain for WebSocket signaling
@ -61,10 +62,31 @@ OIDC_AUTH_REQUEST_EXTRA_PARAMS='{"acr_values": "eidas1"}'
##############################################################################
# LIVEKIT
##############################################################################
# note: this is an identifier, but does not need to be secret
# note: this is an identifier, not a secret
LIVEKIT_API_KEY=meet
## The server's public IP address — LiveKit advertises this in ICE candidates
## so WebRTC clients can reach the media ports (7881/7882).
## Required: STUN-based detection does not work reliably inside Docker.
LIVEKIT_NODE_IP=
## Force clients to use TCP for media transport (default: false)
## Enable in environments where UDP NAT traversal is unreliable
#LIVEKIT_FORCE_TCP=false
#ALLOW_UNREGISTERED_ROOMS=False
##############################################################################
# TURN SERVER (enabled by default — improves connectivity for restrictive NATs)
##############################################################################
## LiveKit's built-in TURN server helps users behind CGNAT/symmetric NAT.
## Enabled by default via COMPOSE_FILE and LIVEKIT_TURN_ENABLED.
## To disable TURN, remove compose.turn.yml from COMPOSE_FILE and set:
#LIVEKIT_TURN_ENABLED=false
## TURN domain — must resolve to this server's IP.
## Defaults to LIVEKIT_DOMAIN, which works for TURN/UDP setups.
#TURN_DOMAIN=turn.example.com
## TURN/UDP port (default: 443). Recommended because UDP 443 is rarely
## blocked and doesn't conflict with Traefik's TCP 443.
#TURN_UDP_PORT=443
##############################################################################
# LOGGING (defaults to INFO, uncomment to override)
##############################################################################

123
README.md
View File

@ -1,27 +1,6 @@
# La Suite Meet
# lasuite-meet
Video conferencing for [La Suite Numérique](https://lasuite.numerique.gouv.fr/), built on [LiveKit](https://livekit.io/) WebRTC and Django.
**Upstream:** https://github.com/suitenumerique/meet
## Requirements
- An OIDC provider (e.g. Keycloak) for authentication — there is no local login
- A dedicated domain for LiveKit WebSocket signaling (e.g. `livekit.example.com`)
- Firewall ports open: TCP 7881 (WebRTC ICE/TCP), UDP 7882 (WebRTC/UDP)
## Network ports
This recipe publishes two ports directly on the host for WebRTC media transport:
| Port | Protocol | Purpose |
|------|----------|---------|
| 7881 | TCP | WebRTC ICE over TCP (fallback when UDP is blocked) |
| 7882 | UDP | WebRTC ICE over UDP (primary media transport) |
These ports carry raw RTP media packets and cannot be routed through Traefik. The WebSocket signaling endpoint (`wss://LIVEKIT_DOMAIN`) is routed through Traefik as normal.
See `docs/multinode.md` for multi-node deployment considerations.
> [Meet](https://github.com/suitenumerique/meet) (part of [La Suite Numerique](https://lasuite.numerique.gouv.fr/en)) for Co-op Cloud
<!-- metadata -->
@ -35,3 +14,101 @@ See `docs/multinode.md` for multi-node deployment considerations.
* **SSO**: Yes
<!-- endmetadata -->
## Quick start
### Setting up domains
This recipe requires two domains: one for the app and one for LiveKit WebSocket signaling (e.g. `meet.yourdomain.tld` and `livekit.meet.yourdomain.tld`). Both domains need an A record pointing to your server's IP address.
### Installation steps
* `abra app new lasuite-meet --secrets`
* `abra app config <app-name>`
- set `LIVEKIT_NODE_IP` to your server's public IP address
* `abra app deploy <app-name>`
You should then be able to visit the landing page of your app, but not yet login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section).
## Configure Authentication
lasuite-meet **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.
Instructions for integrating keycloak with meet after deploying it, are below.
* In keycloak, create a realm (save the name of this realm, you will need it later)
* Within that realm, create a client
* during client creation, ensure:
- Standard flow: True
- Direct access grants: True
- Authorization: True
- Client authentication: True
- PKCE method: none
* Within the client tab, for your client, click on "Credentials". Click on the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step.
* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2
* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.
You then additionally need to modify the config of meet to point to your keycloak deployment.
* `abra app config <app-name>`
```
OIDC_REALM=<the realm you configured in keycloak>
AUTH_DOMAIN=<the domain of your keycloak instance>
OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
```
then redeploy meet:
`abra app deploy <app-name> --force`
At this point, when you go to your meet url, you should be able to click "login" and login with the username and password for the user you created in keycloak.
You can make additional users in keycloak for this "client" and they will all be able to login to meet and create video calls.
## Configure E-Mail
Using `abra app config <app-name>` you need to set the following for your smtp server:
```
DJANGO_EMAIL_HOST="yourmailserver.com"
DJANGO_EMAIL_PORT=587
DJANGO_EMAIL_FROM=meet@example.com
```
You then need to insert the password for your smtp server as a secret:
* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2
Then redeploy the app, and automated e-mail sending should work:
`abra app deploy <app-name> --force`
## Limitations
* **One instance per server.** LiveKit requires host-published ports (7881, 7882, 443, 30000-30009) which can only be bound once per host.
* **Server must have a direct public IP.** LiveKit's built-in TURN server does not work on servers behind a NAT gateway due to hairpin NAT issues. Configuring hairpin NAT on the gateway may be possible but has not been successfully tested yet.
## Network ports
This recipe publishes ports directly on the host for WebRTC media transport. These carry raw RTP media packets and are not routed through Traefik. The WebSocket signaling endpoint (`wss://LIVEKIT_DOMAIN`) is routed through Traefik as normal.
| Port | Protocol | Purpose |
|------|----------|---------|
| 7881 | TCP | WebRTC ICE over TCP (fallback when UDP is blocked) |
| 7882 | UDP | WebRTC ICE over UDP (primary media transport) |
| 443 | UDP | TURN relay (enabled by default via `compose.turn.yml`) |
| 30000-30009 | UDP | TURN relay allocation ports |
Your firewall must allow inbound traffic on these ports.
### TURN server
TURN is enabled by default and helps users behind CGNAT/symmetric NAT connect to video calls. To disable it, remove `compose.turn.yml` from `COMPOSE_FILE` in your app config and set `LIVEKIT_TURN_ENABLED=false`.
See `docs/multinode.md` for multi-node deployment considerations.
## Maintainers
coop cloud recipe maintained by @notplants

2
abra.sh
View File

@ -4,7 +4,7 @@ export ABRA_ENTRYPOINT_VERSION=v1
export NGINX_CONF_VERSION=v2
export PG_BACKUP_VERSION=v1
export MIGRATE_VERSION=v1
export LIVEKIT_CONFIG_VERSION=v1
export LIVEKIT_CONFIG_VERSION=v2
environment() {
# this exports all the secrets as environment variables

49
compose.turn.yml Normal file
View File

@ -0,0 +1,49 @@
services:
livekit:
ports:
- target: 443
published: 443
protocol: udp
mode: host
# TURN relay ports — published in host mode so the SFU can reach them
# via the public IP. Each concurrent TURN user needs ~3 relay ports.
- target: 30000
published: 30000
protocol: udp
mode: host
- target: 30001
published: 30001
protocol: udp
mode: host
- target: 30002
published: 30002
protocol: udp
mode: host
- target: 30003
published: 30003
protocol: udp
mode: host
- target: 30004
published: 30004
protocol: udp
mode: host
- target: 30005
published: 30005
protocol: udp
mode: host
- target: 30006
published: 30006
protocol: udp
mode: host
- target: 30007
published: 30007
protocol: udp
mode: host
- target: 30008
published: 30008
protocol: udp
mode: host
- target: 30009
published: 30009
protocol: udp
mode: host

5
compose.yml
View File

@ -188,6 +188,11 @@ services:
environment:
- STACK_NAME
- LIVEKIT_API_KEY
- LIVEKIT_NODE_IP
- LIVEKIT_FORCE_TCP=${LIVEKIT_FORCE_TCP:-false}
- LIVEKIT_TURN_ENABLED=${LIVEKIT_TURN_ENABLED:-true}
- TURN_DOMAIN=${TURN_DOMAIN:-${LIVEKIT_DOMAIN}}
- TURN_UDP_PORT=${TURN_UDP_PORT:-443}
# WebRTC ICE ports must be published directly on the host.
# These carry raw RTP media, not HTTP — cannot be proxied through Traefik without extra traefik compose.
# See docs/multinode.md for multi-node deployment considerations.

11
livekit-server.yaml.tmpl
View File

@ -6,7 +6,16 @@ keys:
rtc:
udp_port: 7882
tcp_port: 7881
use_external_ip: true
node_ip: {{ env "LIVEKIT_NODE_IP" }}
use_external_ip: false
force_tcp: {{ env "LIVEKIT_FORCE_TCP" }}
turn:
enabled: {{ env "LIVEKIT_TURN_ENABLED" }}
udp_port: {{ env "TURN_UDP_PORT" }}
tls_port: 0
domain: {{ env "TURN_DOMAIN" }}
relay_range_start: 30000
relay_range_end: 30009
webhook:
api_key: {{ env "LIVEKIT_API_KEY" }}
urls: