spektr/niom-turn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
niom-turn/docs/deployment.md

152 lines
3.6 KiB
Markdown
Raw Permalink Blame History

# Deployment (niom-turn)
This page describes a pragmatic deployment of `niom-turn` as a systemd service.
TL;DR:
- TURN/STUN: UDP + TCP on port 3478
- TURN over TLS (`turns:`): TCP/TLS on port 5349
- Relay ports: optional UDP port range (e.g. 49152-49200)
## Important pitfall: config path
The server currently **always** loads `appsettings.json` from the **current working directory** (`Config::load_default()`).
For systemd, that means: set `WorkingDirectory=` to the directory that contains `appsettings.json`.
## 1) Provide the binary
```bash
cargo build --release
ls -lah target/release/niom-turn
```
Typical layout (example):
- binary: `/opt/niom-turn/target/release/niom-turn`
- config: `/etc/niom-turn/appsettings.json`
- TLS: `/etc/niom-turn/fullchain.pem`, `/etc/niom-turn/privkey.pem`
## 2) Create the configuration
```bash
sudo mkdir -p /etc/niom-turn
sudo cp appsettings.example.json /etc/niom-turn/appsettings.json
sudoedit /etc/niom-turn/appsettings.json
```
Example `appsettings.json` (schema matches `src/config.rs`):
```json
{
"server": {
"bind": "0.0.0.0:3478",
"udp_bind": null,
"tcp_bind": null,
"tls_bind": "0.0.0.0:5349",
"enable_udp": true,
"enable_tcp": true,
"enable_tls": true,
"tls_cert": "/etc/niom-turn/fullchain.pem",
"tls_key": "/etc/niom-turn/privkey.pem"
},
"relay": {
"relay_port_min": 49152,
"relay_port_max": 49200,
"relay_bind_ip": "0.0.0.0",
"advertised_ip": "YOUR_PUBLIC_IP_OR_HOSTNAME"
},
"auth": {
"realm": "turn.example.com",
"nonce_secret": null,
"nonce_ttl_seconds": 300,
"rest_secret": null,
"rest_max_ttl_seconds": 600
},
"credentials": [
{ "username": "testuser", "password": "secretpassword" }
],
"logging": {
"default_directive": "warn,niom_turn=info"
},
"limits": {
"max_allocations_per_ip": null,
"max_permissions_per_allocation": null,
"max_channel_bindings_per_allocation": null,
"unauth_rps": null,
"unauth_burst": null,
"binding_rps": null,
"binding_burst": null
}
}
```
### NAT / public IP / hostnames
- If the server runs behind NAT, set `relay.advertised_ip` to the public IP so clients receive a reachable address in `XOR-RELAYED-ADDRESS`.
- As a workaround, `relay.relay_bind_ip` and `relay.advertised_ip` can also be hostnames; they are resolved **once at startup**.
## 3) TLS certificates
You need PEM files:
- `fullchain.pem` (certificate chain)
- `privkey.pem` (private key)
Set restrictive permissions, e.g.:
```bash
sudo chown root:root /etc/niom-turn/fullchain.pem /etc/niom-turn/privkey.pem
sudo chmod 0644 /etc/niom-turn/fullchain.pem
sudo chmod 0600 /etc/niom-turn/privkey.pem
```
## 4) systemd unit
Example: `/etc/systemd/system/niom-turn.service`
```ini
[Unit]
Description=niom-turn TURN server
After=network.target
[Service]
User=niomturn
Group=niomturn
# Important: appsettings.json is loaded from WorkingDirectory
WorkingDirectory=/etc/niom-turn
ExecStart=/opt/niom-turn/target/release/niom-turn
Restart=on-failure
RestartSec=2
# Optional: enable temporarily for debugging
# Environment=RUST_LOG=debug,niom_turn=debug
# Environment=NIOM_TURN_DEBUG_CONFIG=1
# Environment=NIOM_TURN_DEBUG_CONFIG_JSON=1
[Install]
WantedBy=multi-user.target
```
Enable:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now niom-turn
```
## 5) Firewall / port forwarding
Open/forward at least:
- UDP 3478
- TCP 3478
- TCP 5349
- UDP relay range (if `relay_port_min/max` is set)
## 6) Debugging / checks
- Ports: `ss -tulpen | grep -E '3478|5349'`
- Logs: `journalctl -u niom-turn -f -o cat`
- Nur letzte Logs: `journalctl -u niom-turn -n 200 --no-pager -o cat`
Reference in New Issue View Git Blame Copy Permalink