diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md index b6e7a2f..44368a2 100644 --- a/matrix/coturn/README.md +++ b/matrix/coturn/README.md @@ -72,7 +72,8 @@ certbot certonly --nginx -d turn.example.com This assumes you've already setup and started nginx (see [nginx](../nginx)). -{#fixssl}The certificate files reside under `/etc/letsencrypt/live`, but coturn +{#fixssl} +The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't run as root, and can't read them. Therefore we create the directory `/etc/coturn/ssl` where we copy the files to. This script should be run after each certificate renewal: diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md index df3d380..ccf643f 100644 --- a/matrix/element-call/README.md +++ b/matrix/element-call/README.md @@ -51,13 +51,21 @@ haven't installed that, you should create the user yourself: adduser --system turnserver ``` -Create a key and secret:{#keysecret} +Create a key and secret: {#keysecret} ``` livekit-server generate-keys ``` This key and secret have to be fed to lk-jwt-service too, [see here](#jwtconfig). +Create the directory for LiveKit's configuration: + +``` +mkdir /etc/livekit +chown root:turnserver /etc/livekit +chmod 750 /etc/livekit +``` + Create a configuration file for livekit, `/etc/livekit/livekit.yaml`: ``` @@ -84,9 +92,16 @@ keys: : ``` -The certificate files are not in the usual place under +Being a bit paranoid: make sure LiveKit can only read this file, not write it: + +``` +chown root:turnserver /etc/livekit/livekit.yaml +chmod 640 /etc/livekit/livekit.yaml +``` + +The TLS-certificate files are not in the usual place under `/etc/letsencrypt/live`, see [DNS and -certificate (coturn)](../coturn/README.md#dnscert) why that is. +certificate](../coturn/README.md#dnscert) under coturn why that is. As stated before, we use the same user as for coturn. Because this user does not have the permission to read private keys under `/etc/letsencrypt`, we copy 
@@ -97,7 +112,7 @@ read them there too. If you don't have coturn installed, you should create a directory under `/etc/livekit` and copy the files to there. Modify the `livekit.yaml` file and the [script to copy the files](../coturn/README.md#fixssl) to use that -directory. +directory. Don't forget to update the `renew_hook` in Letsencrypt. The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is forwarded from port 443 by nginx, which handles TLS, so it shouldn't be reachable @@ -128,20 +143,17 @@ WantedBy=multi-user.target Enable and start it. +<<<<< IMPORTANT! LiveKit is configured to use its built-in TURN server, using the same ports as [coturn](../coturn). Obviously, LiveKit and coturn are mutually exclusive in this setup. Shutdown and disable coturn if you use LiveKit's TURN server. +>>>>> - -# Install prerequisites - -Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com` -and `call.example.com`. Get certificates for them and make sure to -[automatically renew them](../nginx/README.md#certrenew). - -Expand `.well-known/matrix/client` to contain the pointer to the SFU: +Clients don't know about LiveKit yet, you'll have to give them the information +via the `.well-known/matrix/client`: add this bit to it to point them at the +SFU: ``` "org.matrix.msc4143.rtc_foci": [ @@ -152,18 +164,6 @@ Expand `.well-known/matrix/client` to contain the pointer to the SFU: ] ``` -Create `.well-known/element/element.json`, which is opened by Element-web and -ElementX to find the Element Call widget. It should contain something like -this: - -``` -{ - "call": { - "widget_url": "https://call.example.com" - } -} -``` - Make sure it is served as `application/json`, just like the other .well-known files. 
@@ -323,3 +323,16 @@ necessary: "eula": "https://www.example.com/online-EULA.pdf" } ``` + +Now tell the clients about this widget. Create +`.well-known/element/element.json`, which is opened by Element Web, Element Desktop +and ElementX to find the Element Call widget. It should this: + +``` +{ + "call": { + "widget_url": "https://call.example.com" + } +} +``` +
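Review bot: In the coturn hunk, moving `{#fixssl}` onto a line of its own is inconsistent with the element-call hunk in this same patch, which keeps `{#keysecret}` inline after the sentence; pick one placement for anchors. Whether a bare `{#id}` line still yields an anchor depends on the Markdown renderer, and the link `../coturn/README.md#fixssl` added later in this patch relies on it resolving, so check the rendered output after the move.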
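Review bot: In the `mkdir /etc/livekit` block, `mkdir` without `-p` aborts with an error if the directory already exists (for example when a package created it), which makes the walkthrough non-re-runnable; `mkdir -p /etc/livekit` keeps the following `chown`/`chmod` lines reachable either way. The `root:turnserver` owner and `750` mode are the right choice, since the file that goes into this directory carries the key and secret generated just above.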
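Review bot: The `chown root:turnserver` / `chmod 640` step comes after `livekit.yaml` has already been written in the preceding step, so the file containing the key and secret exists briefly with whatever the umask gives (typically `644`); the `750` directory limits the exposure, but it is cleaner to create the file with the right mode first, e.g. `install -m 640 -o root -g turnserver /dev/null /etc/livekit/livekit.yaml`, or to move these two lines ahead of the "Create a configuration file" step. The motivation sentence should also name the real reason: the file holds the API key and secret, so restricting who can read it matters more than preventing writes. Separately, the rewritten link text "certificate](../coturn/README.md#dnscert) under coturn why that is" reads awkwardly; "see [DNS and certificate](../coturn/README.md#dnscert) in the coturn README for why that is" is clearer.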
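Review bot: "Don't forget to update the `renew_hook` in Letsencrypt." gives the reader nothing to act on: say where the hook lives (certbot keeps `renew_hook` under `[renewalparams]` in `/etc/letsencrypt/renewal/<domain>.conf`, or it can be set with `--deploy-hook` when obtaining the certificate) and link the renewal section this repository already has, `../nginx/README.md#certrenew`, whose only reference this patch deletes in a later hunk. Also spell it "Let's Encrypt".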
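Review bot: The `<<<<< IMPORTANT!` and `>>>>>` lines look like leftover merge-conflict markers and will be flagged as such by people and by tooling that greps for conflict markers; use the Markdown the file already uses, e.g. a blockquote `> **IMPORTANT!** LiveKit is configured to use its built-in TURN server ...`. More importantly, this hunk deletes the "Install prerequisites" section, and only its `element.json` part reappears in the last hunk: the instruction to create DNS entries for `livekit.example.com` and `call.example.com`, to obtain certificates for them and to [automatically renew them](../nginx/README.md#certrenew) is gone and shows up nowhere else in the diff, so a reader following the new text has no step that sets up those names and certificates. Keep that paragraph, or state where it moved.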
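Review bot: After the `element.json` block is removed here, the trailing sentence "Make sure it is served as `application/json`, just like the other .well-known files." now attaches to the `rtc_foci` snippet, i.e. to `.well-known/matrix/client`; that still makes sense, but the reminder no longer accompanies `element.json`, which is re-added at the end of the file without it. Move the sentence along with the block, or repeat it there.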
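Review bot: "It should this:" is missing a word; the text this block was moved from read "It should contain something like this:". The content-type note that used to follow this block ("Make sure it is served as `application/json` ...") should be re-added after it, since `element.json` is served from the same `.well-known` path and the earlier hunk leaves the note attached to a different file. The extra blank line appended at end of file looks unintended.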