From eed77ceb6463f17d1d5f0b5c53f78980933cc4db Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 18 Nov 2024 18:36:24 +0100 Subject: [PATCH] Installation for lk-jwt-service added. --- matrix/element-call/README.md | 90 +++++++++++++++++++++++++++++++++-- matrix/nginx/README.md | 35 ++++++++++++++ matrix/synapse/README.md | 2 +- 3 files changed, 123 insertions(+), 4 deletions(-) diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md index 679838c..a7c02e7 100644 --- a/matrix/element-call/README.md +++ b/matrix/element-call/README.md @@ -47,9 +47,7 @@ Make sure it is served as `application/json`, just like the other .well-known files. -# Livekit - -Livekit is a small Go program that handles authorization tokens. You'll need a +lk-jwt-service is a small Go program that handles authorization tokens. You'll need a Go compiler, so install that: ``` 
@@ -57,3 +55,89 @@ apt install golang ``` +# lk-jwt-service {#livekit} + +Get the latest source code and comile it (preferably *NOT* as root): + +``` +git clone https://github.com/element-hq/lk-jwt-service.git +cd lk-jwt-service +go build -o lk-jwt-service +``` + +You'll then notice that you need a newer compiler, so we'll download that and add it to +our PATH (again not as root): + +``` +wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz +tar xvfz go1.23.3.linux-amd64.tar.gz +cd go/bin +export PATH=`pwd`:$PATH +cd +``` + +Now, compile: + +``` +cd lk-jwt-service +go build -o lk-jwt-service +``` + +Copy and chown the binary to `/usr/local/sbin` (yes: as root): + +``` +cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin +chown root:root /usr/local/sbin/lk-jwt-service +``` + +Create a service file for systemd, something like this: + +``` +# This thing does authorization for Element Call + +[Unit] +Description=LiveKit JWT Service +After=network.target + +[Service] +Restart=always +User=www-data +Group=www-data +#WorkingDirectory=/opt/lk-jwt-service +EnvironmentFile=/etc/lk-jwt-service/config +ExecStart=/usr/local/sbin/lk-jwt-service + +[Install] +WantedBy=multi-user.target +``` + +Not sure about the `WorkingDirectory`, so it's commented out until it turns +out to be necessary. We read the options from `/etc/lk-jwt-service/config`, +which we make read-only for group `www-data` and non-accessible by anyone +else. + +``` +mkdir /etc/lk-jwt-service +vi /etc/lk-jwt-service/config +chgrp -R www-data /etc/lk-jwt-service +chmod -R o-rwx /etc/lk-jwt-service +``` + +The contents of `/etc/lk-jwt-service/config` are not fully known yet (see +further, installation of the actual LiveKit, the SFU), but for now it's enough +to fill it with this: + +``` +LIVEKIT_URL=wss://livekit.matrixdev.example.com +LIVEKIT_SECRET=xxx +LIVEKIT_KEY=xxx +LK_JWT_PORT=8080 +``` + +Now enable and start this thing: + +``` +systemctl enable --now lk-jwt-service +``` + + 
diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md index 2a7b878..41d0845 100644 --- a/matrix/nginx/README.md +++ b/matrix/nginx/README.md @@ -192,6 +192,41 @@ mentioned, but will be forwarded to Synapse in exactly the same way as "normal" requests. +# LiveKit {#livekit} + +If you run an SFU for Element Call, you need a virtual host for LiveKit. Make +sure you install, configure and run [Element Call LiveKit](../element-call#livekit). +Then create a virtual host much like this: + +``` +server { + listen 443 ssl; + listen [::]:443 ssl; + + ssl_certificate /etc/letsencrypt/live/livekit.matrixdev.example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/livekit.matrixdev.example.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/ssl/dhparams.pem; + + server_name livekit.matrixdev.example.com; + + # This is lk-jwt-service + location ~ ^(/sfu/get|/healthz) { + proxy_pass http://[::1]:8080; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + access_log /var/log/nginx/livekit.matrixdev-access.log; + error_log /var/log/nginx/livekit.matrixdev-error.log; +} + +``` + + # Firewall For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall). diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md index 423a491..5d8b13b 100644 --- a/matrix/synapse/README.md +++ b/matrix/synapse/README.md 
@@ -13,7 +13,7 @@ documentation](https://element-hq.github.io/synapse/latest/setup/installation.ht ``` apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \ python3-pip python3-setuptools sqlite3 \ - libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev + libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev git wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
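Review bot: In the `@@ -47,9 +47,7 @@` hunk of `matrix/element-call/README.md`, removing the `# Livekit` heading while its replacement `# lk-jwt-service {#livekit}` only appears after the `apt install golang` block leaves the sentence `lk-jwt-service is a small Go program that handles authorization tokens. You'll need a` and the Go-compiler step under the preceding `.well-known` section, so a reader following the `#livekit` anchor from the nginx README lands past the compiler installation. Move the new heading up to where the old one was; and since the section goes on to say the distribution compiler is too old anyway, consider dropping `apt install golang` in favour of the go.dev tarball step.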
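Review bot: In the `@@ -57,3 +55,89 @@` hunk, the `wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz` step installs a compiler that will build a token-issuing service without any integrity check; add a `sha256sum` comparison against the checksum published on go.dev/dl before `tar xvfz`. The same applies to `git clone https://github.com/element-hq/lk-jwt-service.git`, which builds whatever HEAD is at the time: tell the reader to check out a release tag so a known version ends up in `/usr/local/sbin`. Smaller points: "comile" should be "compile"; the systemd unit block never says where to save it (`/etc/systemd/system/lk-jwt-service.service`), and `systemctl enable --now lk-jwt-service` needs that path; `cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin` should mark `user` as a placeholder for the account that did the build; and since `/etc/lk-jwt-service/config` holds `LIVEKIT_SECRET`, the `chgrp`/`chmod` lines should run before the file is edited (or use `umask 077` first) so it is never world-readable, and `LIVEKIT_KEY=xxx` / `LIVEKIT_SECRET=xxx` should be called out as placeholders to be replaced with the values the SFU section will generate.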
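Review bot: In the `@@ -192,6 +192,41 @@` hunk of `matrix/nginx/README.md`, the new `# LiveKit {#livekit}` virtual host for `livekit.matrixdev.example.com` only proxies `/sfu/get` and `/healthz` to lk-jwt-service, yet the element-call README points clients at `LIVEKIT_URL=wss://livekit.matrixdev.example.com` on that same hostname; nothing here forwards the SFU websocket, so with only this config a client reaching that URL gets nginx's default response. Since the text says the SFU comes later, state that explicitly in this section (e.g. that the SFU `location` is added when LiveKit itself is installed) so the vhost is not mistaken for complete. Also confirm that lk-jwt-service listening on `LK_JWT_PORT=8080` actually binds the IPv6 loopback, otherwise `proxy_pass http://[::1]:8080;` will fail and `127.0.0.1:8080` is needed; and the regex `location ~ ^(/sfu/get|/healthz)` is unanchored at the end, so consider a trailing `$` if the service has no other paths under those prefixes. Minor: the blank line before the closing fence is stray.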
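Review bot: In the `@@ -13,7 +13,7 @@` hunk of `matrix/synapse/README.md`, `git` is appended to the Synapse package list although installing Synapse from the matrix.org repository does not need it; it is only required for the `git clone` in the element-call README. Either move it next to `apt install golang` in that README or add a short note here saying why it is installed, so a reader setting up Synapse alone does not wonder about it.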