115 lines
4.7 KiB
Markdown
115 lines
4.7 KiB
Markdown
# lasuite-meet
|
|
|
|
> [Meet](https://github.com/suitenumerique/meet) (part of [La Suite Numerique](https://lasuite.numerique.gouv.fr/en)) for Co-op Cloud
|
|
|
|
<!-- metadata -->
|
|
|
|
* **Category**: Apps
|
|
* **Status**: 2, beta
|
|
* **Image**: [`lasuite/meet-backend`](https://hub.docker.com/r/lasuite/meet-backend), 4, upstream
|
|
* **Healthcheck**: Yes
|
|
* **Backups**: Yes
|
|
* **Email**: 3
|
|
* **Tests**: 2
|
|
* **SSO**: Yes
|
|
|
|
<!-- endmetadata -->
|
|
|
|
## Quick start
|
|
|
|
### Setting up domains
|
|
|
|
This recipe requires two domains: one for the app and one for LiveKit WebSocket signaling (e.g. `meet.yourdomain.tld` and `livekit.meet.yourdomain.tld`). Both domains need an A record pointing to your server's IP address.
|
|
|
|
### Installation steps
|
|
|
|
* `abra app new lasuite-meet --secrets`
|
|
* `abra app config <app-name>`
|
|
- set `LIVEKIT_NODE_IP` to your server's public IP address
|
|
* `abra app deploy <app-name>`
|
|
|
|
You should then be able to visit the landing page of your app, but not yet login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section).
|
|
|
|
## Configure Authentication
|
|
|
|
lasuite-meet **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.
|
|
|
|
Instructions for integrating keycloak with meet after deploying it, are below.
|
|
|
|
* In keycloak, create a realm (save the name of this realm, you will need it later)
|
|
* Within that realm, create a client
|
|
* during client creation, ensure:
|
|
- Standard flow: True
|
|
- Direct access grants: True
|
|
- Authorization: True
|
|
- Client authentication: True
|
|
- PKCE method: none
|
|
* Within the client tab, for your client, click on "Credentials". Click on the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step.
|
|
* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
|
|
* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2
|
|
|
|
* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.
|
|
|
|
You then additionally need to modify the config of meet to point to your keycloak deployment.
|
|
|
|
* `abra app config <app-name>`
|
|
```
|
|
OIDC_REALM=<the realm you configured in keycloak>
|
|
AUTH_DOMAIN=<the domain of your keycloak instance>
|
|
OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
|
|
```
|
|
|
|
then redeploy meet:
|
|
`abra app deploy <app-name> --force`
|
|
|
|
At this point, when you go to your meet url, you should be able to click "login" and login with the username and password for the user you created in keycloak.
|
|
|
|
You can make additional users in keycloak for this "client" and they will all be able to login to meet and create video calls.
|
|
|
|
## Configure E-Mail
|
|
|
|
Using `abra app config <app-name>` you need to set the following for your smtp server:
|
|
|
|
```
|
|
DJANGO_EMAIL_HOST="yourmailserver.com"
|
|
DJANGO_EMAIL_PORT=587
|
|
DJANGO_EMAIL_FROM=meet@example.com
|
|
```
|
|
|
|
You then need to insert the password for your smtp server as a secret:
|
|
|
|
* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
|
|
* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2
|
|
|
|
Then redeploy the app, and automated e-mail sending should work:
|
|
|
|
`abra app deploy <app-name> --force`
|
|
|
|
## Limitations
|
|
|
|
* **One instance per server.** LiveKit requires host-published ports (7881, 7882, 443, 30000-30009) which can only be bound once per host.
|
|
* **Server must have a direct public IP.** LiveKit's built-in TURN server does not work on servers behind a NAT gateway due to hairpin NAT issues. Configuring hairpin NAT on the gateway may be possible but has not been successfully tested yet.
|
|
|
|
## Network ports
|
|
|
|
This recipe publishes ports directly on the host for WebRTC media transport. These carry raw RTP media packets and are not routed through Traefik. The WebSocket signaling endpoint (`wss://LIVEKIT_DOMAIN`) is routed through Traefik as normal.
|
|
|
|
| Port | Protocol | Purpose |
|
|
|------|----------|---------|
|
|
| 7881 | TCP | WebRTC ICE over TCP (fallback when UDP is blocked) |
|
|
| 7882 | UDP | WebRTC ICE over UDP (primary media transport) |
|
|
| 443 | UDP | TURN relay (enabled by default via `compose.turn.yml`) |
|
|
| 30000-30009 | UDP | TURN relay allocation ports |
|
|
|
|
Your firewall must allow inbound traffic on these ports.
|
|
|
|
### TURN server
|
|
|
|
TURN is enabled by default and helps users behind CGNAT/symmetric NAT connect to video calls. To disable it, remove `compose.turn.yml` from `COMPOSE_FILE` in your app config and set `LIVEKIT_TURN_ENABLED=false`.
|
|
|
|
See `docs/multinode.md` for multi-node deployment considerations.
|
|
|
|
## Maintainers
|
|
|
|
coop cloud recipe maintained by @notplants
|