Fediversity/matrix/element-call/README.md

---
gitea: none
include_toc: true
---

# Element Call

This bit needs to be updated: Go compiler and the whole Node.js/yarn/npm stuff
needs to be cleaned up and standardized. For now the procedure below will
probably work.

Element Call enables users to have audio and videocalls with groups, while
maintaining full E2E encryption.

It requires several bits of software and entries in .well-known/matrix/client

This bit is for later, but here's a nice bit of documentation to start:

https://sspaeth.de/2024/11/sfu/


# Install prerequisites

Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com`
and `call.example.com`. Get certificates for them and make sure to
[automatically renew them](../nginx/README.md#certrenew).

Expand `.well-known/matrix/client` to contain the pointer to the SFU:

```
"org.matrix.msc4143.rtc_foci": [
      {
        "type": "livekit",
        "livekit_service_url": "https://livekit.example.com"
      }
  ]
```

Create `.well-known/element/element.json`, which is opened by Element-web and
ElementX to find the Element Call widget. It should contain something like
this:

```
{
    "call": {
        "widget_url": "https://call.example.com"
    }
}
```

Make sure it is served as `application/json`, just like the other .well-known
files.


lk-jwt-service is a small Go program that handles authorization tokens. You'll need a
Go compiler, so install that:

```
apt install golang
```


# lk-jwt-service {#lkjwt}

Get the latest source code and comile it (preferably *NOT* as root):

```
git clone https://github.com/element-hq/lk-jwt-service.git
cd lk-jwt-service
go build -o lk-jwt-service
```

You'll then notice that you need a newer compiler, so we'll download that and add it to
our PATH (again not as root):

```
wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz
tar xvfz go1.23.3.linux-amd64.tar.gz
cd go/bin
export PATH=`pwd`:$PATH
cd
```

Now, compile:

```
cd lk-jwt-service
go build -o lk-jwt-service
```

Copy and chown the binary to `/usr/local/sbin` (yes: as root):

```
cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin
chown root:root /usr/local/sbin/lk-jwt-service
```

Create a service file for systemd, something like this:

```
# This thing does authorization for Element Call

[Unit]
Description=LiveKit JWT Service
After=network.target

[Service]
Restart=always
User=www-data
Group=www-data
WorkingDirectory=/etc/lk-jwt-service
EnvironmentFile=/etc/lk-jwt-service/config
ExecStart=/usr/local/sbin/lk-jwt-service

[Install]
WantedBy=multi-user.target
```

We read the options from `/etc/lk-jwt-service/config`,
which we make read-only for group `www-data` and non-accessible by anyone
else.

```
mkdir /etc/lk-jwt-service
vi /etc/lk-jwt-service/config
chgrp -R www-data /etc/lk-jwt-service
chmod -R o-rwx /etc/lk-jwt-service
```

The contents of `/etc/lk-jwt-service/config` are not fully known yet (see
further, installation of the actual LiveKit, the SFU), but for now it's enough
to fill it with this:

```
LIVEKIT_URL=wss://livekit.example.com
LIVEKIT_SECRET=xxx
LIVEKIT_KEY=xxx
LK_JWT_PORT=8080
```

Now enable and start this thing:

```
systemctl enable --now lk-jwt-service
```

# LiveKit {#livekit}

The actual SFU, Selective Forwarding Unit, is LiveKit. Downloading and
installing is easy: download the [binary from Github](https://github.com/livekit/livekit/releases/download/v1.8.0/livekit_1.8.0_linux_amd64.tar.gz)
 to /usr/local/bin, chown
it to root:root and you're done.

The quickest way to do precisely that, is to run the script:

```
curl -sSL https://get.livekit.io | bash
```

You can do this as a normal user, it will use sudo to do its job.

Configuring this thing is [documented
here](https://docs.livekit.io/home/self-hosting/deployment/).

Create a key and secret:

```
livekit-server generate-keys
```

This key/secret has to be fed to lk-jwt-service, of course. Create a
configuration file for livekit, `/etc/livekit/livekit.yaml`:

```
port: 7880
bind_addresses:
    - ::1
rtc:
    tcp_port: 7881
    port_range_start: 50000
    port_range_end: 60000
    use_external_ip: true
    enable_loopback_candidate: false
turn:
    enabled: true
    domain: livekit.example.com
    cert_file: /etc/coturn/ssl/fullchain.pem
    key_file: /etc/coturn/ssl/privkey.pem
    tls_port: 5349
    udp_port: 3478
    external_tls: true
keys:
    # KEY: secret were autogenerated by livekit/generate
    # in the lk-jwt-service environment variables
    xxxxxxxxxxxxxxx: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is
forwarded from port 443by nginx, which handles TLS, so it shouldn't be reachable
from the outside world.

The certificate files are not in the usual place under
`/etc/letsencrypt/live`, see [DNS and
certificate (coturn)](../coturn/README.md#dnscert) why that is.

The `xxx: xxxx` is the key and secret as generated before.

See [LiveKit's config documentation](https://github.com/livekit/livekit/blob/master/config-sample.yaml)
for more options.

Now define a systemd servicefile, like this:

```
[Unit]
Description=LiveKit Server
After=network.target
Documentation=https://docs.livekit.io

[Service]
User=turnserver
Group=turnserver
LimitNOFILE=500000
Restart=on-failure
WorkingDirectory=/etc/livekit
ExecStart=/usr/local/bin/livekit-server --config /etc/livekit/livekit.yaml

[Install]
WantedBy=multi-user.target
```

Enable and start it.

IMPORTANT!

LiveKit is configured to use its built-in TURN server, using the same ports as
[coturn](../coturn). Obviously, LiveKit and coturn are mutually exclusive in
this setup. Shutdown and disable coturn if you use LiveKit's TURN server.


# Element Call widget {#widget}

This is a Node.js thingy, so start by installing yarn. Unfortunately both npm
and `yarnpkg` in Debian are antique, so we need to update them after installation.
Install Node.js and upgrade everything. Do not do this as root, we'll only
need to "compile" Element Call once.

See [the Node.js
website](https://nodejs.org/en/download/package-manager/current) for
instructions.


```
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash
```

Exit and login again to set some environment variables (yes, the installation
changes .bashrc). Then install and upgrade:
 
```
nvm install 23
sudo apt install yarnpkg
/usr/share/nodejs/yarn/bin/yarn set version stable
/usr/share/nodejs/yarn/bin/yarn install
```

Now clone the Element Call repository and "compile" stuff (again: not as
root):

```
git clone https://github.com/element-hq/element-call.git
cd element-call
/usr/share/nodejs/yarn/bin/yarn
/usr/share/nodejs/yarn/bin/yarn build
```

After that, you can find the whole shebang under "dist". Copy that to
`/var/www/element-call` and point nginx to it ([see nginx](../nginx#callwidget)).

It needs a tiny bit of configuring. The default configuration under `config/config.sample.json`
is a good place to start, copy it to `/etc/element-call` and change where
necessary:

```
{
  "default_server_config": {
      "m.homeserver": {
          "base_url": "https://matrix.example.com",
          "server_name": "example.com"
      }
  },

  "livekit": {
    "livekit_service_url": "https://livekit.example.com"
  },

  "features": {
    "feature_use_device_session_member_events": true
  },

  "eula": "https://www.example.com/online-EULA.pdf"
}
```