- Add snikket_turn service (coturn/coturn) with STUN/TURN/TURNS support - Mount snikket_data volume read-only for TLS certificates from snikket_certs - Add TURN_SECRET to secrets.env.example - Enable mod_external_services in Prosody and configure STUN/TURN/TURNS endpoints so clients receive time-limited credentials via XMPP IQ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
-- Custom Prosody configuration for Snikket
-- This file is included alongside the auto-generated Snikket config.
----------------------------------------------------------------------
-- PostgreSQL storage
----------------------------------------------------------------------

-- Select the SQL storage backend.
storage = "sql"

-- Connection settings for the PostgreSQL backend.
sql = {
	driver = "PostgreSQL",
	host = "127.0.0.1", -- loopback address: the database is reached locally
	port = 5432,
	database = "snikket",
	username = "snikket",
	-- Taken from the environment so the password is not stored in this file.
	-- os.getenv returns nil when POSTGRES_PASSWORD is unset, so in that case
	-- no password is configured here.
	password = os.getenv("POSTGRES_PASSWORD"),
}

----------------------------------------------------------------------
-- S3 HTTP Upload (via mod_http_upload_external)
----------------------------------------------------------------------

-- Turn off the built-in upload module; uploads go through the external one.
modules_disabled = { "http_upload" }

-- Modules this file switches on: external HTTP upload, and the
-- external_services list used for STUN/TURN discovery.
-- NOTE(review): a plain assignment replaces any modules_enabled /
-- modules_disabled value already set in the same config section. Confirm how
-- this file is merged with the auto-generated Snikket config so that the
-- generated module list is not dropped.
modules_enabled = {
	"http_upload_external",
	"external_services",
}

-- Base URL of the external upload service that talks to S3.
-- This is NOT the S3 bucket URL itself: a separate upload handler
-- (e.g. prosody-filer, or a custom Lambda/endpoint) has to validate
-- Prosody's HMAC signature and proxy files to and from S3.
-- NOTE(review): this is a plain http:// URL. Unless TLS is terminated in
-- front of the handler, uploaded files and the signed upload URLs travel
-- unencrypted; prefer an https:// endpoint.
http_upload_external_base_url = "http://chat.example.org:5050/upload/"

-- Secret shared between Prosody and the upload handler; it must equal the
-- secret configured in the handler. Read from the environment so it is not
-- stored in this file. os.getenv returns nil when UPLOAD_SECRET is unset;
-- confirm the module refuses to start in that case.
http_upload_external_secret = os.getenv("UPLOAD_SECRET")

-- Lifetime of an upload URL, in seconds (one hour).
http_upload_external_expire_after = 60 * 60

-- Largest accepted file, in bytes (10 MB).
http_upload_external_file_size_limit = 10 * 1024 * 1024

-- Calls
-- NOTE(review): this table hands out one fixed TURN username/password pair,
-- while the external_services section of this file issues time-limited
-- credentials. Nothing else in this file reads `webrtc`; confirm whether it
-- is still used and remove it if not. The STUN entry points at a third-party
-- server, which will see the addresses of clients that query it.
webrtc = {
	stun_servers = { "stun:stun.l.google.com:19302" };
	turn_servers = {
		{
			host = "turn.jbr.bvn13.me";
			port = 3478;
			-- Both values come from the environment; os.getenv returns nil
			-- when the variable is unset.
			username = os.getenv("TURN_SERVER_USERNAME");
			password = os.getenv("TURN_SERVER_PASSWORD");
		};
	};
}

----------------------------------------------------------------------
-- TURN/STUN for voice/video calls (via mod_external_services)
-- Credentials are derived on the fly from the shared secret, following the
-- time-limited "TURN REST API" scheme (draft-uberti-behave-turn-rest).
-- Clients then present them through the STUN long-term credential
-- mechanism (RFC 8489 §9.2).
-- The shared secret must match TURN_SECRET in secrets.env.
----------------------------------------------------------------------

-- Both values are read once from the environment; os.getenv returns nil when
-- a variable is unset.
-- NOTE(review): confirm how mod_external_services treats an entry whose
-- secret is nil, so that a missing TURN_SECRET is noticed at startup.
local turn_domain = os.getenv("SNIKKET_DOMAIN")
local turn_secret = os.getenv("TURN_SECRET")

-- Lifetime of generated TURN credentials, in seconds (24 hours).
-- NOTE(review): a credential stays usable until it expires, so a shorter
-- lifetime narrows the window in which a leaked one can be replayed.
local turn_ttl = 24 * 60 * 60

external_services = {
	-- Plain STUN: no credentials involved.
	{
		type = "stun",
		transport = "udp",
		host = turn_domain,
		port = 3478,
	},
	-- TURN over UDP with time-limited credentials.
	{
		type = "turn",
		transport = "udp",
		host = turn_domain,
		port = 3478,
		secret = turn_secret,
		algorithm = "turn",
		ttl = turn_ttl,
	},
	-- TURNS: TURN over TCP on port 5349, with the same secret and lifetime.
	{
		type = "turns",
		transport = "tcp",
		host = turn_domain,
		port = 5349,
		secret = turn_secret,
		algorithm = "turn",
		ttl = turn_ttl,
	},
}
