lasuite-meet/README.md

# lasuite-meet

> [Meet](https://github.com/suitenumerique/meet) (part of [La Suite Numerique](https://lasuite.numerique.gouv.fr/en)) for Co-op Cloud

<!-- metadata -->

* **Category**: Apps
* **Status**: 2, beta
* **Image**: [`lasuite/meet-backend`](https://hub.docker.com/r/lasuite/meet-backend), 4, upstream
* **Healthcheck**: Yes
* **Backups**: Yes
* **Email**: 3
* **Tests**: 2
* **SSO**: Yes

<!-- endmetadata -->

## Quick start

### Setting up domains

This recipe requires two domains: one for the app and one for LiveKit WebSocket signaling (e.g. `meet.yourdomain.tld` and `livekit.meet.yourdomain.tld`). Both domains need an A record pointing to your server's IP address.

### Installation steps

* `abra app new lasuite-meet --secrets`
* `abra app config <app-name>`
    - set `LIVEKIT_NODE_IP` to your server's public IP address
* `abra app deploy <app-name>`

You should then be able to visit the landing page of your app, but not yet login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section).

## Configure Authentication

lasuite-meet **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.

Instructions for integrating keycloak with meet after deploying it, are below.

* In keycloak, create a realm (save the name of this realm, you will need it later)
* Within that realm, create a client
    * during client creation, ensure:
        - Standard flow: True
        - Direct access grants: True
        - Authorization: True
        - Client authentication: True
        - PKCE method: none
* Within the client tab, for your client, click on "Credentials". Click on the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step.
* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2

* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.

You then additionally need to modify the config of meet to point to your keycloak deployment.

* `abra app config <app-name>`
```
OIDC_REALM=<the realm you configured in keycloak>
AUTH_DOMAIN=<the domain of your keycloak instance>
OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
```

then redeploy meet:
`abra app deploy <app-name> --force`

At this point, when you go to your meet url, you should be able to click "login" and login with the username and password for the user you created in keycloak.

You can make additional users in keycloak for this "client" and they will all be able to login to meet and create video calls.

## Configure E-Mail

Using `abra app config <app-name>` you need to set the following for your smtp server:

```
DJANGO_EMAIL_HOST="yourmailserver.com"
DJANGO_EMAIL_PORT=587
DJANGO_EMAIL_FROM=meet@example.com
```

You then need to insert the password for your smtp server as a secret:

* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2

Then redeploy the app, and automated e-mail sending should work:

`abra app deploy <app-name> --force`

## Limitations

* **One instance per server.** LiveKit requires host-published ports (7881, 7882, 443, 30000-30009) which can only be bound once per host.
* **Server must have a direct public IP.** LiveKit's built-in TURN server does not work on servers behind a NAT gateway due to hairpin NAT issues. Configuring hairpin NAT on the gateway may be possible but has not been successfully tested yet.
* **Mobile browser must be Chrome** - there are various open issues wrt Firefox and WebRTC, so on mobile you have
to use a chromium based browser, else the connections fail!

## Network ports

This recipe publishes ports directly on the host for WebRTC media transport. These carry raw RTP media packets and are not routed through Traefik. The WebSocket signaling endpoint (`wss://LIVEKIT_DOMAIN`) is routed through Traefik as normal.

- **7881/TCP** — WebRTC ICE over TCP (fallback when UDP is blocked)
- **7882/UDP** — WebRTC ICE over UDP (primary media transport)
- **443/UDP** — TURN relay (enabled by default via `compose.turn.yml`)
- **30000-30009/UDP** — TURN relay allocation ports

Your firewall must allow inbound traffic on these ports.

### Host kernel tuning

LiveKit logs a warning at startup if the kernel's UDP socket buffers are too small:

```
WARN livekit rtcconfig/rtc_unix.go:31 UDP receive buffer is too small for a production set-up {"current": 425984, "suggested": 5000000}
```

The Linux default (`net.core.rmem_max = 212992`) is well under what LiveKit needs once
several participants are forced through the TURN relay path. The resulting packet
loss shows up as `dtls timeout: read/write timeout: context deadline exceeded` on
publisher transports, intermittent media stalls, or one peer seeing a black tile
while the other sees video.

These sysctls are read by LiveKit when it opens its UDP sockets, so they must be
set on the **host** (not in the container) before the LiveKit container starts.

On the host, create `/etc/sysctl.d/99-livekit.conf`:

```
net.core.rmem_max = 7500000
net.core.wmem_max = 7500000
```

Then apply and restart the service:

```
sudo sysctl --system
docker service update --force <stack>_livekit
```

The warning should be gone from the LiveKit boot log.

### TURN server

TURN is enabled by default and helps users behind CGNAT/symmetric NAT connect to video calls. To disable it, remove `compose.turn.yml` from `COMPOSE_FILE` in your app config and set `LIVEKIT_TURN_ENABLED=false`.

See `docs/multinode.md` for multi-node deployment considerations.

## Maintainers

coop cloud recipe maintained by @notplants