Setting up LiveKit Server (optional)
The playbook can install and configure LiveKit Server for you.
LiveKit Server is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video, audio and data capabilities into your applications.
💡 LiveKit Server is automatically installed and configured when either Element Call or the Matrix RTC stack is enabled, so you don't need to do anything extra.
The Ansible role for LiveKit Server is developed and maintained by the MASH (mother-of-all-self-hosting) project. For details about configuring LiveKit Server, you can check them via:
- 🌐 the role's documentation at the MASH project online
- 📁 roles/galaxy/livekit-server/docs/configuring-livekit-server.md locally, if you have fetched the Ansible roles
Adjusting firewall rules
To ensure LiveKit Server functions correctly, the following firewall rules and port forwarding settings are required:
- 7881/tcp: ICE/TCP
- 7882/udp: ICE/UDP Mux
- 3479/udp: TURN/UDP. Also see the Limitations section below.
- 5350/tcp: TURN/TCP. Also see the Limitations section below.
💡 The suggestions above are inspired by the upstream Ports and Firewall documentation, based on how LiveKit is configured in the playbook. If you're using custom configuration for the LiveKit Server role, you may need to adjust the firewall rules accordingly.
TURN TLS handling
When matrix_playbook_reverse_proxy_type is playbook-managed-traefik (which is the default for this playbook), TURN over TCP is terminated by Traefik and forwarded to LiveKit with turn.external_tls = true. In this playbook default, this mode is enabled automatically when SSL is enabled and TURN is enabled.
- The playbook installs a dedicated Traefik TCP entrypoint for TURN (matrix-livekit-turn) by default and binds it to tcp/5350. livekit_server_config_turn_external_tls is automatically enabled for this setup.
- Because Traefik handles TLS, LiveKit no longer needs certificate-file paths for TURN in this mode.
To opt out and keep TURN TLS termination in LiveKit itself, set:
livekit_server_config_turn_external_tls: false
In this playbook, certificate paths are managed automatically via group_vars/matrix_servers when certificate dumping is enabled.
If your setup uses other-traefik-container or another reverse-proxy, behavior is unchanged by default and still relies on certificates being available inside the container as before.
Deployments using other-traefik-container can opt into the same Traefik-terminated mode there, by setting:
livekit_server_config_turn_external_tls: true
livekit_server_container_labels_turn_traefik_enabled: true
livekit_server_container_labels_turn_traefik_entrypoints: "<your-livekit-turn-traffic-entrypoint>"
and configuring their own Traefik TCP entrypoint dedicated to LiveKit TURN traffic.
Limitations
LiveKit Server's TURN listener behavior depends on where TLS is terminated:
- Direct LiveKit TURN listeners (livekit_server_config_turn_external_tls: false) still use IPv4-only sockets for 3479/udp and 5350/tcp, so IPv6 connectivity to these endpoints is not possible.
- With TURN TLS handling (livekit_server_config_turn_external_tls: true), the playbook's dedicated matrix-livekit-turn TCP entrypoint can still listen on both IPv4 and IPv6. Traefik then forwards TURN/TCP to LiveKit.
It appears that LiveKit Server intentionally only listens on udp4 and tcp4 in direct mode, as seen here and here.
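The rules in the "TURN TLS handling" and "Limitations" sections above can be checked mechanically before running the playbook. The helper below is an added example, not part of the playbook or the LiveKit role; it takes the variables as a plain dict and assumes a `ssl_enabled` flag standing in for the playbook's own SSL toggle (which this page does not name). Variable names and port numbers are the ones listed on this page.

```python
"""Lint the TURN-related LiveKit settings described on this page.

Hypothetical helper (not part of the playbook). The variable names come
from the page; `ssl_enabled` is an assumption standing in for the
playbook's SSL toggle.
"""

PLAYBOOK_TRAEFIK = "playbook-managed-traefik"
OTHER_TRAEFIK = "other-traefik-container"
PLACEHOLDER = "<your-livekit-turn-traffic-entrypoint>"  # literal from the docs

# Required firewall openings from the "Adjusting firewall rules" list.
REQUIRED_PORTS = {
    "7881/tcp": "ICE/TCP",
    "7882/udp": "ICE/UDP Mux",
    "3479/udp": "TURN/UDP",
    "5350/tcp": "TURN/TCP",
}


def effective_turn_external_tls(vars_: dict, ssl_enabled: bool = True) -> bool:
    """Resolve where TURN TLS is terminated, applying the playbook defaults."""
    explicit = vars_.get("livekit_server_config_turn_external_tls")
    if explicit is not None:
        return bool(explicit)
    proxy = vars_.get("matrix_playbook_reverse_proxy_type", PLAYBOOK_TRAEFIK)
    # Default playbook Traefik: Traefik terminates TURN TLS when SSL is on.
    # Any other reverse proxy: LiveKit terminates TLS itself by default.
    return proxy == PLAYBOOK_TRAEFIK and ssl_enabled


def lint_turn_settings(vars_: dict, ssl_enabled: bool = True) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    proxy = vars_.get("matrix_playbook_reverse_proxy_type", PLAYBOOK_TRAEFIK)
    external_tls = effective_turn_external_tls(vars_, ssl_enabled)

    if proxy == OTHER_TRAEFIK and external_tls:
        # Opting into Traefik-terminated TURN needs both extra labels set.
        if not vars_.get("livekit_server_container_labels_turn_traefik_enabled"):
            findings.append("turn_external_tls is true but turn_traefik_enabled is not")
        entrypoints = vars_.get("livekit_server_container_labels_turn_traefik_entrypoints", "")
        if not entrypoints or entrypoints == PLACEHOLDER:
            findings.append("turn_traefik_entrypoints is unset or still the placeholder")

    if not external_tls:
        # Direct listeners: certificates must be inside the container, and
        # the Limitations section says these sockets are IPv4-only.
        findings.append("direct TURN listeners on 3479/udp and 5350/tcp are IPv4-only")
    return findings
```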