Installation for lk-jwt-service added.

Hans van Zijst 2024-11-18 18:36:24 +01:00 committed by Valentin Gagarin
parent a62adaf873
commit eed77ceb64
3 changed files with 123 additions and 4 deletions


@ -47,9 +47,7 @@ Make sure it is served as `application/json`, just like the other .well-known
files.
# Livekit
Livekit is a small Go program that handles authorization tokens. You'll need a
lk-jwt-service is a small Go program that handles authorization tokens. You'll need a
Go compiler, so install that:
```
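Review bot: With `# Livekit` dropped here (the hunk goes from 9 lines to 7) and `# lk-jwt-service {#livekit}` only added after the `apt install golang` block in the next hunk, the sentence introducing lk-jwt-service and the Go install now sit under the preceding .well-known section instead of under their own heading; moving the new heading above "lk-jwt-service is a small Go program" would fix that. The sentence also tells the reader to install the distribution's Go compiler, which the following section immediately finds too old and replaces with a downloaded go1.23.3, so consider dropping the `apt install golang` step or saying up front that a newer toolchain than the packaged one is required.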
@ -57,3 +55,89 @@ apt install golang
```
# lk-jwt-service {#livekit}
Get the latest source code and comile it (preferably *NOT* as root):
```
git clone https://github.com/element-hq/lk-jwt-service.git
cd lk-jwt-service
go build -o lk-jwt-service
```
You'll then notice that you need a newer compiler, so we'll download that and add it to
our PATH (again not as root):
```
wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz
tar xvfz go1.23.3.linux-amd64.tar.gz
cd go/bin
export PATH=`pwd`:$PATH
cd
```
Now, compile:
```
cd lk-jwt-service
go build -o lk-jwt-service
```
Copy and chown the binary to `/usr/local/sbin` (yes: as root):
```
cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin
chown root:root /usr/local/sbin/lk-jwt-service
```
Create a service file for systemd, something like this:
```
# This thing does authorization for Element Call
[Unit]
Description=LiveKit JWT Service
After=network.target
[Service]
Restart=always
User=www-data
Group=www-data
#WorkingDirectory=/opt/lk-jwt-service
EnvironmentFile=/etc/lk-jwt-service/config
ExecStart=/usr/local/sbin/lk-jwt-service
[Install]
WantedBy=multi-user.target
```
Not sure about the `WorkingDirectory`, so it's commented out until it turns
out to be necessary. We read the options from `/etc/lk-jwt-service/config`,
which we make read-only for group `www-data` and non-accessible by anyone
else.
```
mkdir /etc/lk-jwt-service
vi /etc/lk-jwt-service/config
chgrp -R www-data /etc/lk-jwt-service
chmod -R o-rwx /etc/lk-jwt-service
```
The contents of `/etc/lk-jwt-service/config` are not fully known yet (see
further, installation of the actual LiveKit, the SFU), but for now it's enough
to fill it with this:
```
LIVEKIT_URL=wss://livekit.matrixdev.example.com
LIVEKIT_SECRET=xxx
LIVEKIT_KEY=xxx
LK_JWT_PORT=8080
```
Now enable and start this thing:
```
systemctl enable --now lk-jwt-service
```
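Review bot: The unit file runs the service with `User=www-data` and `Group=www-data`, and the config directory is handed to that same group, so `LIVEKIT_SECRET` becomes readable by everything else that runs as www-data on this host, which on a Debian-style install includes the web server workers. A dedicated system account for lk-jwt-service, with `/etc/lk-jwt-service/config` owned by root, group set to that account and mode 640 set explicitly instead of relying on `chmod -R o-rwx` plus whatever the umask produced, would keep the secret away from the web server. Separately, the build steps fetch `go1.23.3.linux-amd64.tar.gz` with wget and unpack it without comparing it to the SHA256 listed on the Go download page, and `git clone` builds whatever the default branch holds at that moment; verifying the checksum and checking out a specific tag or commit before `go build` would make the root-owned binary in `/usr/local/sbin` traceable to known inputs. Minor: "comile" should be "compile", `~user` should be introduced as a placeholder for the build account, and the text does not say where the systemd unit file should be saved.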


@ -192,6 +192,41 @@ mentioned, but will be forwarded to Synapse in exactly the same way as
"normal" requests.
# LiveKit {#livekit}
If you run an SFU for Element Call, you need a virtual host for LiveKit. Make
sure you install, configure and run [Element Call LiveKit](../element-call#livekit).
Then create a virtual host much like this:
```
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/livekit.matrixdev.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/livekit.matrixdev.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name livekit.matrixdev.example.com;
# This is lk-jwt-service
location ~ ^(/sfu/get|/healthz) {
proxy_pass http://[::1]:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log /var/log/nginx/livekit.matrixdev-access.log;
error_log /var/log/nginx/livekit.matrixdev-error.log;
}
```
# Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
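Review bot: The regex in `location ~ ^(/sfu/get|/healthz)` has no end anchor, so it forwards every path that merely starts with `/sfu/get` or `/healthz` to lk-jwt-service; `location ~ ^/(sfu/get|healthz)$`, or two exact-match `location =` blocks, would expose only the two intended endpoints. The vhost also has no location for the WebSocket endpoint that `LIVEKIT_URL=wss://livekit.matrixdev.example.com` in the lk-jwt-service config points at, so it is worth stating in this section that the SFU part is added later. `proxy_pass http://[::1]:8080` assumes the service listens on the IPv6 loopback address, and nothing in this commit restricts the listener to loopback, so the firewall page should say that port 8080 stays closed to the outside. Minor: "openend" in the Firewall paragraph should be "opened".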


@ -13,7 +13,7 @@ documentation](https://element-hq.github.io/synapse/latest/setup/installation.ht
```
apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \
python3-pip python3-setuptools sqlite3 \
libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev
libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev git
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
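Review bot: `git` is added to the Synapse package list, but the only use of git visible in this commit is the `git clone` in the lk-jwt-service build steps, and that page installs only `golang`. Either add git to the install command there or note here why the Synapse host needs it, so a reader who sets up Element Call on its own still gets a working clone step.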