forked from fediversity/fediversity
Installation for lk-jwt-service added.
This commit is contained in:
Hans van Zijst
parent
a62adaf873
commit
eed77ceb64
3 changed files with 123 additions and 4 deletions
|
|
@ -47,9 +47,7 @@ Make sure it is served as `application/json`, just like the other .well-known
|
|||
files.
|
||||
|
||||
|
||||
# Livekit
|
||||
|
||||
Livekit is a small Go program that handles authorization tokens. You'll need a
|
||||
lk-jwt-service is a small Go program that handles authorization tokens. You'll need a
|
||||
Go compiler, so install that:
|
||||
|
||||
```
|
||||
|
|
@ -57,3 +55,89 @@ apt install golang
|
|||
```
|
||||
|
||||
|
||||
# lk-jwt-service {#livekit}
|
||||
|
||||
Get the latest source code and comile it (preferably *NOT* as root):
|
||||
|
||||
```
|
||||
git clone https://github.com/element-hq/lk-jwt-service.git
|
||||
cd lk-jwt-service
|
||||
go build -o lk-jwt-service
|
||||
```
|
||||
|
||||
You'll then notice that you need a newer compiler, so we'll download that and add it to
|
||||
our PATH (again not as root):
|
||||
|
||||
```
|
||||
wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz
|
||||
tar xvfz go1.23.3.linux-amd64.tar.gz
|
||||
cd go/bin
|
||||
export PATH=`pwd`:$PATH
|
||||
cd
|
||||
```
|
||||
|
||||
Now, compile:
|
||||
|
||||
```
|
||||
cd lk-jwt-service
|
||||
go build -o lk-jwt-service
|
||||
```
|
||||
|
||||
Copy and chown the binary to `/usr/local/sbin` (yes: as root):
|
||||
|
||||
```
|
||||
cp ~user/lk-jwt-service/lk-jwt-service /usr/local/sbin
|
||||
chown root:root /usr/local/sbin/lk-jwt-service
|
||||
```
|
||||
|
||||
Create a service file for systemd, something like this:
|
||||
|
||||
```
|
||||
# This thing does authorization for Element Call
|
||||
|
||||
[Unit]
|
||||
Description=LiveKit JWT Service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
User=www-data
|
||||
Group=www-data
|
||||
#WorkingDirectory=/opt/lk-jwt-service
|
||||
EnvironmentFile=/etc/lk-jwt-service/config
|
||||
ExecStart=/usr/local/sbin/lk-jwt-service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
Not sure about the `WorkingDirectory`, so it's commented out until it turns
|
||||
out to be necessary. We read the options from `/etc/lk-jwt-service/config`,
|
||||
which we make read-only for group `www-data` and non-accessible by anyone
|
||||
else.
|
||||
|
||||
```
|
||||
mkdir /etc/lk-jwt-service
|
||||
vi /etc/lk-jwt-service/config
|
||||
chgrp -R www-data /etc/lk-jwt-service
|
||||
chmod -R o-rwx /etc/lk-jwt-service
|
||||
```
|
||||
|
||||
The contents of `/etc/lk-jwt-service/config` are not fully known yet (see
|
||||
further, installation of the actual LiveKit, the SFU), but for now it's enough
|
||||
to fill it with this:
|
||||
|
||||
```
|
||||
LIVEKIT_URL=wss://livekit.matrixdev.example.com
|
||||
LIVEKIT_SECRET=xxx
|
||||
LIVEKIT_KEY=xxx
|
||||
LK_JWT_PORT=8080
|
||||
```
|
||||
|
||||
Now enable and start this thing:
|
||||
|
||||
```
|
||||
systemctl enable --now lk-jwt-service
|
||||
```
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -192,6 +192,41 @@ mentioned, but will be forwarded to Synapse in exactly the same way as
|
|||
"normal" requests.
|
||||
|
||||
|
||||
# LiveKit {#livekit}
|
||||
|
||||
If you run an SFU for Element Call, you need a virtual host for LiveKit. Make
|
||||
sure you install, configure and run [Element Call LiveKit](../element-call#livekit).
|
||||
Then create a virtual host much like this:
|
||||
|
||||
```
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/livekit.matrixdev.example.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/livekit.matrixdev.example.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/ssl/dhparams.pem;
|
||||
|
||||
server_name livekit.matrixdev.example.com;
|
||||
|
||||
# This is lk-jwt-service
|
||||
location ~ ^(/sfu/get|/healthz) {
|
||||
proxy_pass http://[::1]:8080;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/livekit.matrixdev-access.log;
|
||||
error_log /var/log/nginx/livekit.matrixdev-error.log;
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
|
||||
# Firewall
|
||||
|
||||
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ documentation](https://element-hq.github.io/synapse/latest/setup/installation.ht
|
|||
```
|
||||
apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \
|
||||
python3-pip python3-setuptools sqlite3 \
|
||||
libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev
|
||||
libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev git
|
||||
|
||||
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue