68a6acfa24
Add a fail-open Python sidecar (livekit/voice-limit-guard.py) that fronts lk-jwt-service to enforce per-room voice participant caps for ALL Matrix clients, not just Lotus Chat:

- lk-jwt-service moved to :8071 (systemd drop-in), guard owns :8070 so NPM's existing /sfu/get + /get_token proxy targets are unchanged
- guard reads io.lotus.voice_limit.max_users (Synapse admin API, cached), forwards to lk-jwt-service, and on an issued token decodes the LiveKit alias + requester, counts distinct Matrix users via LiveKit ListParticipants, and returns 403 when the room is full (rejoins/extra devices allowed)
- any error fails open (returns upstream response) so calls never break
- systemd/voice-limit-guard.service; README documents ports, setup, revert

Also update landing page: voice limit is now server-enforced for all clients.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
23 lines
800 B
Desktop File
[Unit]
Description=Voice Limit Guard (hard per-room voice channel participant limits, fronts lk-jwt-service)
After=network.target livekit-server.service lk-jwt-service.service
Wants=lk-jwt-service.service
[Service]
Type=simple
ExecStart=/usr/bin/env python3 /opt/voice-limit-guard/voice-limit-guard.py
Restart=on-failure
RestartSec=5
# MATRIX_TOKEN (server-admin) is read from the existing deploy env file.
EnvironmentFile=/etc/matrix-deploy.env
Environment=GUARD_BIND_HOST=0.0.0.0
Environment=GUARD_BIND_PORT=8070
Environment=GUARD_UPSTREAM=http://127.0.0.1:8071
Environment=LIVEKIT_API=http://127.0.0.1:7880
Environment=SYNAPSE_API=http://127.0.0.1:8008
Environment=LIVEKIT_KEY=lotuskey
Environment=LIVEKIT_SECRET=GoI5PPLbNXZlQHlfdAzLFy0B/QoqA9uXiyb/p6dQEtc=
[Install]
WantedBy=multi-user.target
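Review bot: the `Environment=LIVEKIT_SECRET=...` line at the end of `[Service]` commits the LiveKit API secret in cleartext, and values set with `Environment=` are also readable by unprivileged local users through `systemctl show`. Move `LIVEKIT_KEY` and `LIVEKIT_SECRET` into the `EnvironmentFile=/etc/matrix-deploy.env` that already carries `MATRIX_TOKEN`, keep that file root-owned and not world-readable, and rotate the secret, since the committed value stays in the repository history. Two smaller points in the same section: `GUARD_BIND_HOST=0.0.0.0` exposes the guard on every interface while every upstream configured here is on 127.0.0.1, so bind to loopback if the NPM proxy runs on the same host; and with no `User=` the service runs as root while holding a server-admin token, so a dedicated `User=` plus `NoNewPrivileges=yes` would limit the impact of a bug in the guard.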