From 8eef89b63ce755fe22050165565ee3e0f0f0c0d9 Mon Sep 17 00:00:00 2001
From: Egutierrez
Date: Sun, 24 May 2026 22:43:49 +0000
Subject: [PATCH] feat(livekit): rotate secret + hardcode external_ip + expand UDP range + hygiene
- Rotate API key/secret (previously exposed in agent session, issue 0169)
- Hardcode node_ip + disable use_external_ip (kill Google STUN leak, issue 0167)
- Expand UDP range 50000-50200 -> 50000-50500 (capacity, issue 0168)
- Refresh livekit.example.yaml template + add *.bak.* to gitignore (issue 0170)
Note: live secrets in configs/livekit/livekit.yaml + .env (gitignored) docker-compose.livekit.yml has pre-existing operator TURN changes (issue 0166) left untouched.
---
 .gitignore | 1 +
 configs/livekit/livekit.example.yaml | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index b2fa436..b50c972 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,4 @@ mas/keys/*
 element-call
+*.bak.*
diff --git a/configs/livekit/livekit.example.yaml b/configs/livekit/livekit.example.yaml
index ca53e26..54d9eda 100644
--- a/configs/livekit/livekit.example.yaml
+++ b/configs/livekit/livekit.example.yaml
@@ -5,13 +5,16 @@ port: 7880
 bind_addresses:
 - "0.0.0.0"
 log_level: info
-region: "us-east-1"
+region: "REGION_PLACEHOLDER"
 rtc:
 tcp_port: 7881
 port_range_start: 50000
- port_range_end: 50200
- use_external_ip: true
+ port_range_end: 50500
+ # Set use_external_ip to false and hardcode node_ip to your public IPv4 to
+ # prevent LiveKit from probing Google STUN at startup.
+ use_external_ip: false
+ node_ip: "PUBLIC_IPV4_PLACEHOLDER"
 force_tcp: false
 # Optional TURN forwarding. Enable only if you already operate a TURN server.
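Review bot: The added pattern `*.bak.*` only ignores names that carry a further suffix after `.bak.` (a timestamped copy, for instance), so a plain `livekit.yaml.bak` or `.env.bak` would still be staged by `git add`. Unless an earlier line outside this hunk already covers that case, add `*.bak` next to it. Ignore rules also do nothing for files that are already tracked, so it is worth confirming with `git ls-files` that no backup of the secret-bearing configs named in the commit message is in the index.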
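Review bot: The widened `port_range_end: 50500` has no comment tying it to the other places that must agree with it. The commit message says docker-compose.livekit.yml is left untouched, so if that file publishes the UDP range explicitly (not visible here), ports 50201-50500 could be offered in ICE candidates without being reachable, and any firewall rule opened to match grows the exposed surface by the same amount. I would add above `port_range_start`: `# UDP media range; must match the ports published in docker-compose.livekit.yml and opened on the host firewall.` The `node_ip` line would also benefit from a note that the placeholder must be replaced before use, since `use_external_ip: false` turns off the STUN-based discovery that would otherwise supply an address. The `rtc:` mapping continues past the end of this hunk.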