rebreak-monorepo/ops/calls/turnserver.conf
chahinebrini 0cac3c9d1a feat(calls): Phase 1a — TURN ice-servers endpoint + coturn ops + DM call-button header
Backend:
- GET /api/calls/ice-servers: ephemeral HMAC TURN credentials (10-min TTL),
  iceTransportPolicy:"relay" (no IP leak), 503 until coturn configured
- nitro runtimeConfig: turnHost/turnSecret/turnRealm (Infisical staging set)

Ops:
- ops/calls/ runbook + turnserver.conf (self-hosted coturn, force-relay,
  use-auth-secret, hardening). coturn provisioned + verified on rebreak-server.

Frontend (DM header redesign):
- removed standalone "i" button; header center (avatar+name+chevron) opens info sheet
- call icon top-right, only when canCall (mutual-follow + callsEnabled);
  shows "coming soon" until the WebRTC client lands

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 03:06:33 +02:00


# coturn — Rebreak voice-calls TURN server (self-hosted)
# ────────────────────────────────────────────────────────────────────────────
# Ephemeral credentials via use-auth-secret (TURN REST API). The backend mints
# username/credential per HMAC-SHA1 from `static-auth-secret` — coturn validates
# them without a DB. static-auth-secret MUST be exactly equal to Infisical TURN_SECRET.
#
# Force-relay design: clients use iceTransportPolicy:"relay" → coturn is the
# ONLY intermediary; peers never see the other side's IP (anonymity).
listening-port=3478
tls-listening-port=5349
fingerprint
# ─── Auth (ephemeral HMAC credentials) ─────────────────────────────────────
use-auth-secret
static-auth-secret=__SET_TO_INFISICAL_TURN_SECRET__
realm=rebreak.org
# ─── Relay port range (firewall: open this UDP range) ────────────────────────
min-port=49160
max-port=49200
# ─── TLS (turns:// on 5349) — Let's Encrypt for turn.rebreak.org ────────────
cert=/etc/letsencrypt/live/turn.rebreak.org/fullchain.pem
pkey=/etc/letsencrypt/live/turn.rebreak.org/privkey.pem
# ─── Hardening ──────────────────────────────────────────────────────────────
no-cli
no-multicast-peers
no-tcp-relay
# SSRF protection: deny relaying to private/loopback networks
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
# Hetzner usually puts a public IP directly on the interface. If behind NAT:
# external-ip=<PUBLIC_IP>