# Deployment (niom-turn) This page describes a pragmatic deployment of `niom-turn` as a systemd service. TL;DR: - TURN/STUN: UDP + TCP on port 3478 - TURN over TLS (`turns:`): TCP/TLS on port 5349 - Relay ports: optional UDP port range (e.g. 49152-49200) ## Important pitfall: config path The server currently **always** loads `appsettings.json` from the **current working directory** (`Config::load_default()`). For systemd, that means: set `WorkingDirectory=` to the directory that contains `appsettings.json`. ## 1) Provide the binary ```bash cargo build --release ls -lah target/release/niom-turn ``` Typical layout (example): - binary: `/opt/niom-turn/target/release/niom-turn` - config: `/etc/niom-turn/appsettings.json` - TLS: `/etc/niom-turn/fullchain.pem`, `/etc/niom-turn/privkey.pem` ## 2) Create the configuration ```bash sudo mkdir -p /etc/niom-turn sudo cp appsettings.example.json /etc/niom-turn/appsettings.json sudoedit /etc/niom-turn/appsettings.json ``` Example `appsettings.json` (schema matches `src/config.rs`): ```json { "server": { "bind": "0.0.0.0:3478", "udp_bind": null, "tcp_bind": null, "tls_bind": "0.0.0.0:5349", "enable_udp": true, "enable_tcp": true, "enable_tls": true, "tls_cert": "/etc/niom-turn/fullchain.pem", "tls_key": "/etc/niom-turn/privkey.pem" }, "relay": { "relay_port_min": 49152, "relay_port_max": 49200, "relay_bind_ip": "0.0.0.0", "advertised_ip": "YOUR_PUBLIC_IP_OR_HOSTNAME" }, "auth": { "realm": "turn.example.com", "nonce_secret": null, "nonce_ttl_seconds": 300, "rest_secret": null, "rest_max_ttl_seconds": 600 }, "credentials": [ { "username": "testuser", "password": "secretpassword" } ], "logging": { "default_directive": "warn,niom_turn=info" }, "limits": { "max_allocations_per_ip": null, "max_permissions_per_allocation": null, "max_channel_bindings_per_allocation": null, "unauth_rps": null, "unauth_burst": null, "binding_rps": null, "binding_burst": null } } ``` ### NAT / public IP / hostnames - If the server runs behind NAT, set `relay.advertised_ip` to the public IP so clients receive a reachable address in `XOR-RELAYED-ADDRESS`. - As a workaround, `relay.relay_bind_ip` and `relay.advertised_ip` can also be hostnames; they are resolved **once at startup**. ## 3) TLS certificates You need PEM files: - `fullchain.pem` (certificate chain) - `privkey.pem` (private key) Set restrictive permissions, e.g.: ```bash sudo chown root:root /etc/niom-turn/fullchain.pem /etc/niom-turn/privkey.pem sudo chmod 0644 /etc/niom-turn/fullchain.pem sudo chmod 0600 /etc/niom-turn/privkey.pem ``` ## 4) systemd unit Example: `/etc/systemd/system/niom-turn.service` ```ini [Unit] Description=niom-turn TURN server After=network.target [Service] User=niomturn Group=niomturn # Important: appsettings.json is loaded from WorkingDirectory WorkingDirectory=/etc/niom-turn ExecStart=/opt/niom-turn/target/release/niom-turn Restart=on-failure RestartSec=2 # Optional: enable temporarily for debugging # Environment=RUST_LOG=debug,niom_turn=debug # Environment=NIOM_TURN_DEBUG_CONFIG=1 # Environment=NIOM_TURN_DEBUG_CONFIG_JSON=1 [Install] WantedBy=multi-user.target ``` Enable: ```bash sudo systemctl daemon-reload sudo systemctl enable --now niom-turn ``` ## 5) Firewall / port forwarding Open/forward at least: - UDP 3478 - TCP 3478 - TCP 5349 - UDP relay range (if `relay_port_min/max` is set) ## 6) Debugging / checks - Ports: `ss -tulpen | grep -E '3478|5349'` - Logs: `journalctl -u niom-turn -f -o cat` - Nur letzte Logs: `journalctl -u niom-turn -n 200 --no-pager -o cat`