History

Hans van Zijst eed77ceb64 Installation for lk-jwt-service added.		2024-12-02 15:40:44 +01:00
..
README.md	Installation for lk-jwt-service added.	2024-12-02 15:40:44 +01:00

README.md

Table of Contents

Element Call
Install prerequisites
lk-jwt-service

Element Call

Element Call enables users to have audio and videocalls with groups, while maintaining full E2E encryption.

It requires several bits of software and entries in .well-known/matrix/client

This bit is for later, but here's a nice bit of documentation to start:

https://sspaeth.de/2024/11/sfu/

Install prerequisites

Define an entry in DNS for Livekit and Call, e.g. livekit.matrixdev.example.com and call.matrixdev.example.com. Get certificates for them.

Expand .well-known/matrix/client to contain the pointer to the SFU:

"org.matrix.msc4143.rtc_foci": [
      {
        "type": "livekit",
        "livekit_service_url": "https://livekit.matrixdev.example.com"
      }
  ]

Create .well-known/element/element.json, which is opened by Element-web and ElementX to find the Element Call widget. It should contain something like this:

{
    "call": {
        "widget_url": "https://call.matrixdev.example.com"
    }
}

Make sure it is served as application/json, just like the other .well-known files.

lk-jwt-service is a small Go program that handles authorization tokens. You'll need a Go compiler, so install that:

apt install golang

lk-jwt-service

Get the latest source code and comile it (preferably NOT as root):

git clone https://github.com/element-hq/lk-jwt-service.git
cd lk-jwt-service
go build -o lk-jwt-service

You'll then notice that you need a newer compiler, so we'll download that and add it to our PATH (again not as root):

wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz
tar xvfz go1.23.3.linux-amd64.tar.gz
cd go/bin
export PATH=`pwd`:$PATH
cd

Now, compile:

cd lk-jwt-service
go build -o lk-jwt-service

Copy and chown the binary to /usr/local/sbin (yes: as root):

cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin
chown root:root /usr/local/sbin/lk-jwt-service

Create a service file for systemd, something like this:

# This thing does authorization for Element Call

[Unit]
Description=LiveKit JWT Service
After=network.target

[Service]
Restart=always
User=www-data
Group=www-data
#WorkingDirectory=/opt/lk-jwt-service
EnvironmentFile=/etc/lk-jwt-service/config
ExecStart=/usr/local/sbin/lk-jwt-service

[Install]
WantedBy=multi-user.target

Not sure about the WorkingDirectory, so it's commented out until it turns out to be necessary. We read the options from /etc/lk-jwt-service/config, which we make read-only for group www-data and non-accessible by anyone else.

mkdir /etc/lk-jwt-service
vi /etc/lk-jwt-service/config
chgrp -R www-data /etc/lk-jwt-service
chmod -R o-rwx /etc/lk-jwt-service

The contents of /etc/lk-jwt-service/config are not fully known yet (see further, installation of the actual LiveKit, the SFU), but for now it's enough to fill it with this:

LIVEKIT_URL=wss://livekit.matrixdev.example.com
LIVEKIT_SECRET=xxx
LIVEKIT_KEY=xxx
LK_JWT_PORT=8080

Now enable and start this thing:

systemctl enable --now lk-jwt-service