Cleaned up Element Call documentation.

matrix/coturn/README.md

@@ -72,7 +72,8 @@ certbot certonly --nginx -d turn.example.com
 
 This assumes you've already setup and started nginx (see [nginx](../nginx)).
 
-{#fixssl}The certificate files reside under `/etc/letsencrypt/live`, but coturn
+{#fixssl}
+The certificate files reside under `/etc/letsencrypt/live`, but coturn
 doesn't run as root, and can't read them. Therefore we create the directory
 `/etc/coturn/ssl` where we copy the files to. This script should be run after
 each certificate renewal:

matrix/element-call/README.md

@@ -51,13 +51,21 @@ haven't installed that, you should create the user yourself:
 adduser --system turnserver
 ```
 
-Create a key and secret:{#keysecret}
+Create a key and secret: {#keysecret}
 
 ```
 livekit-server generate-keys
 ```
 
 This key and secret have to be fed to lk-jwt-service too, [see here](#jwtconfig).
+Create the directory for LiveKit's configuration:
+
+```
+mkdir /etc/livekit
+chown root:turnserver /etc/livekit
+chmod 750 /etc/livekit
+```
+
 Create a configuration file for livekit, `/etc/livekit/livekit.yaml`:
 
 ```
@@ -84,9 +92,16 @@ keys:
     <KEY>: <SECRET>
 ```
 
-The certificate files are not in the usual place under
+Being a bit paranoid: make sure LiveKit can only read this file, not write it:
+
+```
+chown root:turnserver /etc/livekit/livekit.yaml
+chmod 640 /etc/livekit/livekit.yaml
+```
+
+The TLS-certificate files are not in the usual place under
 `/etc/letsencrypt/live`, see [DNS and
-certificate (coturn)](../coturn/README.md#dnscert) why that is.
+certificate](../coturn/README.md#dnscert) under coturn why that is.
 
 As stated before, we use the same user as for coturn. Because this user does
 not have the permission to read private keys under `/etc/letsencrypt`, we copy
@@ -97,7 +112,7 @@ read them there too.
 If you don't have coturn installed, you should create a directory under
 `/etc/livekit` and copy the files to there. Modify the `livekit.yaml` file and
 the [script to copy the files](../coturn/README.md#fixssl) to use that
-directory.
+directory. Don't forget to update the `renew_hook` in Letsencrypt.
 
 The LiveKit API listens on localhost, IPv6, port 7880. Traffic to this port is
 forwarded from port 443 by nginx, which handles TLS, so it shouldn't be reachable
@@ -128,20 +143,17 @@ WantedBy=multi-user.target
 
 Enable and start it.
 
+<<<<<
 IMPORTANT!
 
 LiveKit is configured to use its built-in TURN server, using the same ports as
 [coturn](../coturn). Obviously, LiveKit and coturn are mutually exclusive in
 this setup. Shutdown and disable coturn if you use LiveKit's TURN server.
+>>>>>
 
-
-# Install prerequisites
-
-Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com`
-and `call.example.com`. Get certificates for them and make sure to
-[automatically renew them](../nginx/README.md#certrenew).
-
-Expand `.well-known/matrix/client` to contain the pointer to the SFU:
+Clients don't know about LiveKit yet, you'll have to give them the information
+via the `.well-known/matrix/client`: add this bit to it to point them at the
+SFU:
 
 ```
 "org.matrix.msc4143.rtc_foci": [
@@ -152,18 +164,6 @@ Expand `.well-known/matrix/client` to contain the pointer to the SFU:
   ]
 ```
 
-Create `.well-known/element/element.json`, which is opened by Element-web and
-ElementX to find the Element Call widget. It should contain something like
-this:
-
-```
-{
-    "call": {
-        "widget_url": "https://call.example.com"
-    }
-}
-```
-
 Make sure it is served as `application/json`, just like the other .well-known
 files.
 
@@ -323,3 +323,16 @@ necessary:
   "eula": "https://www.example.com/online-EULA.pdf"
 }
 ```
+
+Now tell the clients about this widget.  Create
+`.well-known/element/element.json`, which is opened by Element Web, Element Desktop
+and ElementX to find the Element Call widget. It should this:
+
+```
+{
+    "call": {
+        "widget_url": "https://call.example.com"
+    }
+}
+```
+