Fix call drops, always-on TURN, JVB public IP, health checks

- Add runAsInit to all s6-based daemons (prosody, web, jicofo, jvb)
- Fix BOSH proxy timeout: write custom-meet.conf via nginx-patch oneshot
  on every boot to set proxy_read_timeout 3600s
- Remove TURN toggle: always register TURN interface, coturn runs when a
  public domain is available and idles otherwise
- Add ENABLE_AUTH + ENABLE_GUESTS to jicofo env for room creation auth
- Resolve JVB public IPs from the jvb-media interface and pass via
  JVB_ADVERTISE_IPS so JVB advertises correct addresses behind VPS/proxy
- Add health check: JVB fails if UI is public but no public IPv4 for
  video bridge media
- Add health check: TURN fails if UI is public but no public domain for
  TURN relay; disabled with informational message otherwise
- Extract shared constants (jvbMediaPort, jvbHttpPort, jicofoHealthPort,
  jvbMediaInterfaceId) to utils.ts
- Remove setTurn action, taskSetTurn init, turnEnabled from store schema

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: MattDHill

startos/actions/index.ts

@@ -1,5 +1,4 @@
 import { sdk } from '../sdk'
 import { resetPassword } from './resetPassword'
-import { setTurn } from './setTurn'
 
-export const actions = sdk.Actions.of().addAction(resetPassword).addAction(setTurn)
+export const actions = sdk.Actions.of().addAction(resetPassword)

startos/actions/setTurn.ts

@@ -5,7 +5,7 @@ const shape = z.object({
   JICOFO_AUTH_PASSWORD: z.string(),
   JVB_AUTH_PASSWORD: z.string(),
   TURN_SECRET: z.string(),
-  turnEnabled: z.boolean().catch(false),
+
   ADMIN_PASSWORD: z.string().catch(''),
 })
 

startos/fileModels/store.json.ts

@@ -19,6 +19,10 @@ const dict = {
   'The TURN server is ready': 14,
   'The TURN server is not ready': 15,
 
+  'Required to support mobile carriers, hotel WiFi, and UDP-blocking firewalls. To enable, add a public domain to the "TURN Relay" interface.': 37,
+  'Required for clearnet. Enable a public IPv4 address in the "Video Bridge Media" interface.': 38,
+  'Only needed if using a public domain.': 39,
+
   // interfaces.ts
   'Web UI': 16,
   'The web interface of Jitsi Meet': 17,
@@ -27,16 +31,7 @@ const dict = {
   'TURN Relay': 20,
   'TURN relay server for NAT traversal': 21,
 
-  // actions
-  'Configure TURN': 22,
-  'Enable or disable the TURN relay server for participants behind restrictive NATs or firewalls. Requires a public address configured in StartOS.': 23,
-  'Enable TURN': 24,
-
-  // main.ts (TURN)
-  'Waiting for a public domain on the TURN interface. Please configure a domain in StartOS.': 25,
-
   // init
-  'Enable a TURN relay server to help participants behind restrictive firewalls or NATs join video calls.': 26,
   'Create an admin password so only you can start meetings.': 27,
 
   // actions (auth)

startos/i18n/dictionaries/default.ts

@@ -24,11 +24,6 @@ export default {
     19: 'Transporte de medios WebRTC para video y audio',
     20: 'Relevo TURN',
     21: 'Servidor de relevo TURN para travesia NAT',
-    22: 'Configurar TURN',
-    23: 'Habilitar o deshabilitar el servidor de relevo TURN para participantes detras de NATs o firewalls restrictivos. Requiere una direccion publica configurada en StartOS.',
-    24: 'Habilitar TURN',
-    25: 'Esperando un dominio publico en la interfaz TURN. Configure un dominio en StartOS.',
-    26: 'Habilitar un servidor de relevo TURN para ayudar a los participantes detras de firewalls o NATs restrictivos a unirse a videollamadas.',
     27: 'Crea una contrasena de administrador para que solo tu puedas iniciar reuniones.',
     28: 'Restablecer contrasena de administrador',
     29: 'Crear contrasena de administrador',
@@ -38,6 +33,9 @@ export default {
     33: 'Tu contrasena de administrador ha sido establecida. Usa estas credenciales para crear reuniones.',
     34: 'Usuario',
     35: 'Contrasena',
+    37: 'Necesario para operadores moviles, WiFi de hoteles y firewalls que bloquean UDP. Para habilitar, agregue un dominio publico a la interfaz "TURN Relay".',
+    38: 'Necesario para clearnet. Habilite una direccion IPv4 publica en la interfaz "Video Bridge Media".',
+    39: 'Solo necesario si se usa un dominio publico.',
   },
   de_DE: {
     0: 'Starte Jitsi Meet!',
@@ -62,11 +60,6 @@ export default {
     19: 'WebRTC-Medientransport fur Video und Audio',
     20: 'TURN-Relay',
     21: 'TURN-Relay-Server fur NAT-Traversierung',
-    22: 'TURN konfigurieren',
-    23: 'TURN-Relay-Server fur Teilnehmer hinter restriktiven NATs oder Firewalls aktivieren oder deaktivieren. Erfordert eine offentliche Adresse in StartOS.',
-    24: 'TURN aktivieren',
-    25: 'Warten auf eine offentliche Domain auf der TURN-Schnittstelle. Bitte konfigurieren Sie eine Domain in StartOS.',
-    26: 'Einen TURN-Relay-Server aktivieren um Teilnehmern hinter restriktiven Firewalls oder NATs die Teilnahme an Videoanrufen zu ermoglichen.',
     27: 'Erstellen Sie ein Administratorpasswort damit nur Sie Meetings starten konnen.',
     28: 'Administratorpasswort zurucksetzen',
     29: 'Administratorpasswort erstellen',
@@ -76,6 +69,9 @@ export default {
     33: 'Ihr Administratorpasswort wurde festgelegt. Verwenden Sie diese Anmeldedaten um Meetings zu erstellen.',
     34: 'Benutzername',
     35: 'Passwort',
+    37: 'Erforderlich fur Mobilfunknetze, Hotel-WLAN und UDP-blockierende Firewalls. Zum Aktivieren fugen Sie eine offentliche Domain zur "TURN Relay"-Schnittstelle hinzu.',
+    38: 'Erforderlich fur Clearnet. Aktivieren Sie eine offentliche IPv4-Adresse in der "Video Bridge Media"-Schnittstelle.',
+    39: 'Nur erforderlich bei Verwendung einer offentlichen Domain.',
   },
   pl_PL: {
     0: 'Uruchamianie Jitsi Meet!',
@@ -100,11 +96,6 @@ export default {
     19: 'Transport mediow WebRTC dla wideo i audio',
     20: 'Przekaznik TURN',
     21: 'Serwer przekaznikowy TURN do przechodzenia NAT',
-    22: 'Skonfiguruj TURN',
-    23: 'Wlacz lub wylacz serwer przekaznikowy TURN dla uczestnikow za restrykcyjnymi NAT-ami lub firewallami. Wymaga publicznego adresu skonfigurowanego w StartOS.',
-    24: 'Wlacz TURN',
-    25: 'Oczekiwanie na publiczna domene na interfejsie TURN. Skonfiguruj domene w StartOS.',
-    26: 'Wlacz serwer przekaznikowy TURN aby pomoc uczestnikom za restrykcyjnymi firewallami lub NAT-ami dolaczyc do rozmow wideo.',
     27: 'Utworz haslo administratora aby tylko Ty mogl rozpoczynac spotkania.',
     28: 'Zresetuj haslo administratora',
     29: 'Utworz haslo administratora',
@@ -114,6 +105,9 @@ export default {
     33: 'Haslo administratora zostalo ustawione. Uzyj tych danych logowania aby tworzyc spotkania.',
     34: 'Nazwa uzytkownika',
     35: 'Haslo',
+    37: 'Wymagane dla operatorow komorkowych, WiFi hotelowego i zapor blokujacych UDP. Aby wlaczyc, dodaj publiczna domene do interfejsu "TURN Relay".',
+    38: 'Wymagane dla clearnet. Wlacz publiczny adres IPv4 w interfejsie "Video Bridge Media".',
+    39: 'Potrzebne tylko przy uzyciu domeny publicznej.',
   },
   fr_FR: {
     0: 'Demarrage de Jitsi Meet !',
@@ -138,11 +132,6 @@ export default {
     19: 'Transport de medias WebRTC pour la video et audio',
     20: 'Relais TURN',
     21: 'Serveur relais TURN pour la traversee NAT',
-    22: 'Configurer TURN',
-    23: "Activer ou desactiver le serveur relais TURN pour les participants derriere des NATs ou pare-feux restrictifs. Necessite une adresse publique configuree dans StartOS.",
-    24: 'Activer TURN',
-    25: "En attente d'un domaine public sur l'interface TURN. Veuillez configurer un domaine dans StartOS.",
-    26: "Activer un serveur relais TURN pour aider les participants derriere des pare-feux ou NATs restrictifs a rejoindre les appels video.",
     27: "Creez un mot de passe administrateur pour que vous seul puissiez demarrer des reunions.",
     28: "Reinitialiser le mot de passe administrateur",
     29: "Creer le mot de passe administrateur",
@@ -152,5 +141,8 @@ export default {
     33: "Votre mot de passe administrateur a ete defini. Utilisez ces identifiants pour creer des reunions.",
     34: "Nom d'utilisateur",
     35: 'Mot de passe',
+    37: "Requis pour les operateurs mobiles, le WiFi d'hotel et les pare-feux bloquant UDP. Pour activer, ajoutez un domaine public a l'interface \"TURN Relay\".",
+    38: 'Requis pour le clearnet. Activez une adresse IPv4 publique dans l\'interface "Video Bridge Media".',
+    39: "Necessaire uniquement si vous utilisez un domaine public.",
   },
 } satisfies Record<string, LangDict>

startos/i18n/dictionaries/translations.ts

@@ -6,11 +6,9 @@ import { actions } from '../actions'
 import { restoreInit } from '../backups'
 import { seedFiles } from './seedFiles'
 import { taskSetPassword } from './taskSetPassword'
-import { taskSetTurn } from './taskSetTurn'
 export const init = sdk.setupInit(
   seedFiles,
   taskSetPassword,
-  taskSetTurn,
   restoreInit,
   versionGraph,
   setInterfaces,

startos/init/index.ts

@@ -1,13 +1,44 @@
 import { storeJson } from '../fileModels/store.json'
 import { sdk } from '../sdk'
-import { getPassword } from '../utils'
+import { getPassword, prosodyEnv, prosodyMounts, prosodyPort } from '../utils'
 
 export const seedFiles = sdk.setupOnInit(async (effects, kind) => {
   if (kind !== 'install') return
 
+  const JICOFO_AUTH_PASSWORD = getPassword()
+  const JVB_AUTH_PASSWORD = getPassword()
+  const TURN_SECRET = getPassword()
+
   await storeJson.merge(effects, {
-    JICOFO_AUTH_PASSWORD: getPassword(),
-    JVB_AUTH_PASSWORD: getPassword(),
-    TURN_SECRET: getPassword(),
+    JICOFO_AUTH_PASSWORD,
+    JVB_AUTH_PASSWORD,
+    TURN_SECRET,
   })
+
+  // Start prosody briefly so its entrypoint generates config files.
+  // The resetPassword action needs /config/prosody.cfg.lua to exist.
+  await sdk.Daemons.of(effects)
+    .addDaemon('prosody', {
+      subcontainer: await sdk.SubContainer.of(
+        effects,
+        { imageId: 'prosody' },
+        prosodyMounts,
+        'prosody-seed',
+      ),
+      exec: {
+        command: sdk.useEntrypoint(),
+        runAsInit: true,
+        env: prosodyEnv({ JICOFO_AUTH_PASSWORD, JVB_AUTH_PASSWORD, TURN_SECRET }),
+      },
+      ready: {
+        display: null,
+        fn: () =>
+          sdk.healthCheck.checkPortListening(effects, prosodyPort, {
+            successMessage: '',
+            errorMessage: '',
+          }),
+      },
+      requires: [],
+    })
+    .runUntilSuccess(30_000)
 })

startos/init/seedFiles.ts

@@ -1,11 +1,15 @@
-import { storeJson } from './fileModels/store.json'
 import { i18n } from './i18n'
 import { sdk } from './sdk'
-import { turnInterfaceId, turnPort, uiInterfaceId, uiPort } from './utils'
+import {
+  jvbMediaInterfaceId,
+  jvbMediaPort,
+  turnInterfaceId,
+  turnPort,
+  uiInterfaceId,
+  uiPort,
+} from './utils'
 
 export const setInterfaces = sdk.setupInterfaces(async ({ effects }) => {
-  const turnEnabled = await storeJson.read((s) => s.turnEnabled).const(effects)
-
   // Web UI
   const uiMulti = sdk.MultiHost.of(effects, 'ui-multi')
   const uiOrigin = await uiMulti.bindPort(uiPort, {
@@ -27,16 +31,16 @@ export const setInterfaces = sdk.setupInterfaces(async ({ effects }) => {
 
   // JVB media
   const jvbMulti = sdk.MultiHost.of(effects, 'jvb-media-multi')
-  const jvbOrigin = await jvbMulti.bindPort(10000, {
+  const jvbOrigin = await jvbMulti.bindPort(jvbMediaPort, {
     protocol: null,
-    preferredExternalPort: 10000,
+    preferredExternalPort: jvbMediaPort,
     secure: { ssl: false },
     addSsl: null,
   })
   const jvbReceipt = await jvbOrigin.export([
     sdk.createInterface(effects, {
       name: i18n('Video Bridge Media'),
-      id: 'jvb-media',
+      id: jvbMediaInterfaceId,
       description: i18n('WebRTC media transport for video and audio'),
       type: 'api',
       masked: false,
@@ -50,33 +54,31 @@ export const setInterfaces = sdk.setupInterfaces(async ({ effects }) => {
   const receipts = [uiReceipt, jvbReceipt]
 
   // TURN relay
-  if (turnEnabled) {
-    const turnMulti = sdk.MultiHost.of(effects, 'turn-multi')
-    const turnOrigin = await turnMulti.bindPort(turnPort, {
-      protocol: null,
+  const turnMulti = sdk.MultiHost.of(effects, 'turn-multi')
+  const turnOrigin = await turnMulti.bindPort(turnPort, {
+    protocol: null,
+    preferredExternalPort: turnPort,
+    addSsl: {
       preferredExternalPort: turnPort,
-      addSsl: {
-        preferredExternalPort: turnPort,
-        alpn: null,
-        addXForwardedHeaders: false,
-      },
-      secure: null,
-    })
-    const turnReceipt = await turnOrigin.export([
-      sdk.createInterface(effects, {
-        name: i18n('TURN Relay'),
-        id: turnInterfaceId,
-        description: i18n('TURN relay server for NAT traversal'),
-        type: 'api',
-        masked: false,
-        schemeOverride: null,
-        username: null,
-        path: '',
-        query: {},
-      }),
-    ])
-    receipts.push(turnReceipt)
-  }
+      alpn: null,
+      addXForwardedHeaders: false,
+    },
+    secure: null,
+  })
+  const turnReceipt = await turnOrigin.export([
+    sdk.createInterface(effects, {
+      name: i18n('TURN Relay'),
+      id: turnInterfaceId,
+      description: i18n('TURN relay server for NAT traversal'),
+      type: 'api',
+      masked: false,
+      schemeOverride: null,
+      username: null,
+      path: '',
+      query: {},
+    }),
+  ])
+  receipts.push(turnReceipt)
 
   return receipts
 })