From 377ccf8f45e3ef8691b7a47767364bd6f6b62058 Mon Sep 17 00:00:00 2001
From: fkwp
Date: Tue, 5 Nov 2024 00:05:02 +0100
Subject: [PATCH 01/22] add localhost tls certificates for dev environment
---
 backend/tls_localhost_cert.pem | 22 ++++++++++++++++++++++
 backend/tls_localhost_key.pem | 28 ++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 backend/tls_localhost_cert.pem
 create mode 100644 backend/tls_localhost_key.pem
diff --git a/backend/tls_localhost_cert.pem b/backend/tls_localhost_cert.pem
new file mode 100644
index 00000000..267ce0d5
--- /dev/null
+++ b/backend/tls_localhost_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIUCmJjl3HAeLmrPwRg+/OzikW6peQwDQYJKoZIhvcNAQEL
+BQAwazELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u
+ZG9uMQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDESMBAG
+A1UEAwwJbG9jYWxob3N0MB4XDTI0MTEwNDIxNDcwMFoXDTM0MTEwMjIxNDcwMFow
+azELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9u
+MQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDESMBAGA1UE
+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs368
+ExLSudP8luNoY5UfaPqBSVJUPYBi+JGyd36tyN75p5OI7xSfHTttQxuD4KrExBFP
+C8mAhE1eoZPBVBOZJ4FYWBJfMaQnCjeqU+laP36td65kSJYbUYlKYH1WpxEpCdgx
+wWOKkP/kPX5YXbYqODx9aBJXgoT3yAJW7AniIoL+eLFnS9Xo86TPqCDBTJU9ocwK
+gPIDLhDv60724rhZT1kbGp7ECqRovndoDTQjuws2D3yNMfQ+4rrQGPXHGmP5PcaR
+0R7uueB+6APyC7MJbuhbxxg/+DFHrRi3lJsgwxuh2hi/+vWw8zgKlgYIwHFA9X0l
+cX0UlQdENMH3bgcGIwIDAQABo1MwUTAdBgNVHQ4EFgQUUFGxw7zoiHXGwRqtagjZ
+RPYc85cwHwYDVR0jBBgwFoAUUFGxw7zoiHXGwRqtagjZRPYc85cwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEALokb1z2lu3qW141b2wm14ilZQKCZ
+reNNuUR95Uom96FXPH4QVEH+mYTXXJ5UrfNhQYKQFpdE+5S4HL/UqEOxtWvbAHpK
+nsLQ62J8m+0+uwiJGqeQpWr03KJgXDAVE9X3XwMlp/+buxSLhc+GIHWuXW56itV2
+jiZJYjhO5SnhhgTWNoVZk93qXuuWEN0yacw7c3Fr1IvFYYYWufbXTk70dbZihPDK
+VD141o8tpp6FerSKHNYDqkVFDyTz3DVOhQQJ59zfMre7bFr+PpTTl4vIuGzXEY+E
+HPjUSlOzwkCoh5fu7Fs3qG55rJt8akhTEoKpiBTaLucgAjVWNHeci1+Yxg==
+-----END CERTIFICATE-----
diff --git a/backend/tls_localhost_key.pem b/backend/tls_localhost_key.pem
new file mode 100644
index 00000000..32801b3c
--- /dev/null
+++ b/backend/tls_localhost_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzfrwTEtK50/yW
+42hjlR9o+oFJUlQ9gGL4kbJ3fq3I3vmnk4jvFJ8dO21DG4PgqsTEEU8LyYCETV6h
+k8FUE5kngVhYEl8xpCcKN6pT6Vo/fq13rmRIlhtRiUpgfVanESkJ2DHBY4qQ/+Q9
+flhdtio4PH1oEleChPfIAlbsCeIigv54sWdL1ejzpM+oIMFMlT2hzAqA8gMuEO/r
+TvbiuFlPWRsansQKpGi+d2gNNCO7CzYPfI0x9D7iutAY9ccaY/k9xpHRHu654H7o
+A/ILswlu6FvHGD/4MUetGLeUmyDDG6HaGL/69bDzOAqWBgjAcUD1fSVxfRSVB0Q0
+wfduBwYjAgMBAAECggEACTqdSExxzJ+LX5ARFaWyOBSWly2GKqSyR14+aInOklhx
+9QgkmfOxJrCf3TvJ8RWhXloW0Aqr8qGDxG0Ixgjn7rG7gskXCey1xn8MNppLS0kj
+ztaG+NB3AR89ABm8XdoHsSY45geh3/Ni9I0i1VardGQafUJhgNLTZqjwIodzkBtJ
+S/bi4uFk1lGNfuvWQvWqzGXUvd1l1YupV6iA4GfhXlUvrSBZwftLBD6xEvQaSqsA
+pHvBxTfMXG4RMAkNPDIElkuQ8++CGi1gIRkJfmrv4OgbbitteMnxqqqGYV0zSNCg
+R/5FG6umIV7lDLBHZCSCk7wmfmq2UUvzhHThHy4yMQKBgQDu4TwFJCIcVIj7Wj4r
+DUBFvz6Lgbltqb+YAMUBtpiDcAQxDJWmedh6dK04ts5CFAFRlRjjuz2uFn7qlVBm
+uye9R7tL+tOv5viqDXU78a4snFywoXub6yzpbxrW8B4W1pdIUvQmhwCcDwvO1V24
+7Vj2vxcM5I9dsk1aCQSi3VY5yQKBgQDAW/VoTRwhU6OUc6sji5Z5dnkMjkP6NZK9
+CSrTWLAMGaLPY+g6fFS7JMNSvfWm/okypD6rcN7p0cxMK3mfFKmMiyPRde0wdrci
+sGFjGxM/2d2D7KTMC9iMYwA0K17UIna+UiYPfhR/muIg/dCyjlkKDFs9Z4jk//r1
+91bmznt2iwKBgFdiYXhn/Wprqih4nKFXGZnqGdEixVhObl4GegrkZuo+AeqHdf8O
+N5ikMfG7PbyCYPEdH5u/FRMn+4mI0X6jHChroyJqQSHp1jEu9yHUiSicknOyvusM
+nsNN932FHRyxp2m3nsSxQhHUlzc0ajKJ8K9iu+XlfmSCIzW6cs25Nh+xAoGBAJro
+M0wIdPPdsCj3sUVRvx8XqknTM6kGhaIYBNXoYPWNm5BaC4U15OJEq8sxUOdnqcMP
+g6x6m/k+S8C3bh0O/a9Bydl/l0BlCfw0gGjYP/s2ju4Tn272xy/e9iYNGzPIgUmp
+TB9D0GwmpZ4d6HgyrD+sTbm4bATGpCp6QhBjDggbAoGBAJVMMtZ4pF8D6mLMRZGR
+pQjNPy+MH13XYmDRc/BSF8KJ4yKk3tohr9LSXzxR0SEB43NoL1bHkucZrNjGyL8x
+jktnwkoIs96kO2mPrl1TqWkXs5RjGkkSTbAJovIcvkRU31SWap/WzN2kHpmRVcQc
+KEFKXT5fUYZCLLWxhgZFlGPp
+-----END PRIVATE KEY-----
From 275e0bdb002bfd5df3e5cda2ba6fe7cdc37eea87 Mon Sep 17 00:00:00 2001
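Review bot: The hunk commits an unencrypted RSA private key (`-----BEGIN PRIVATE KEY-----`) and the PEM format leaves no room for a comment stating that it is a throw-away localhost development key, so anyone who later imports the matching `tls_localhost_cert.pem` into a trust store has nothing next to the file telling them the key is public. The regeneration command, which appears only as a comment in `dev-backend-docker-compose.yml` later in this series, would be better placed in a small `backend/gen_tls_localhost.sh` or a `backend/README` beside these two files, so a developer can mint a fresh key locally instead of sharing this one and the 3650-day validity is visible where the files live.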
From: fkwp Date: Tue, 5 Nov 2024 00:14:02 +0100 Subject: [PATCH 02/22] minimum nginx tls reverse proxy configuration for synapse homeserver --- backend/tls_localhost_nginx.conf | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 backend/tls_localhost_nginx.conf diff --git a/backend/tls_localhost_nginx.conf b/backend/tls_localhost_nginx.conf new file mode 100644 index 00000000..2e2b8655 --- /dev/null +++ b/backend/tls_localhost_nginx.conf @@ -0,0 +1,28 @@ +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen 8448 ssl; + listen [::]:443 ssl; + listen [::]:8448 ssl; + server_name synapse.localhost; + ssl_certificate /root/ssl/cert.pem; + ssl_certificate_key /root/ssl/key.pem; + + # Reverse proxy for Matrix Synapse Homeserver + # This is also required for development environment. + # Reason: the lk-jwt-service uses the federation API for the openid token + # verification, which requires TLS + location / { + proxy_pass "http://homeserver:8008"; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } + + error_page 500 502 503 504 /50x.html; + +} From 2de105c9fd3d2b740361383afb467bd47cf32612 Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:15:26 +0100 Subject: [PATCH 03/22] minimum homeserver configuration for development environment --- backend/dev_homeserver.yaml | 49 +++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 backend/dev_homeserver.yaml diff --git a/backend/dev_homeserver.yaml b/backend/dev_homeserver.yaml new file mode 100644 index 00000000..e51bc7e4 --- /dev/null +++ b/backend/dev_homeserver.yaml 
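Review bot: `server_name synapse.localhost;` is served with `/root/ssl/cert.pem`, whose subject (per the openssl command recorded as a comment later in this series) is `CN=localhost` with no `subjectAltName`; if lk-jwt-service is a Go program, as I believe, its TLS stack ignores the CN entirely, so this certificate could not pass verification even if it were trusted, which is what forces `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` in the compose file. Regenerating with `-addext "subjectAltName=DNS:synapse.localhost,DNS:localhost"` would let the dev stack exercise real certificate verification instead of skipping it. Separately, `error_page 500 502 503 504 /50x.html;` has no `root`, so it relies on the image's compiled-in default document root once this file replaces the image's `default.conf`; a one-line comment saying so, or an explicit `root`, would avoid surprise.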
@@ -0,0 +1,49 @@ +server_name: "synapse.localhost" +pid_file: /data/homeserver.pid + +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation, openid] + compress: false + +database: + name: sqlite3 + args: + database: /data/homeserver.db + +media_store_path: /data/media_store +signing_key_path: "/data/SERVERNAME.signing.key" +trusted_key_servers: + - server_name: "matrix.org" + +experimental_features: + # MSC3266: Room summary API. Used for knocking over federation + msc3266_enabled: true + +# The maximum allowed duration by which sent events can be delayed, as +# per MSC4140. Must be a positive value if set. Defaults to no +# duration (null), which disallows sending delayed events. +max_event_delay_duration: 24h + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. + +rc_message: + # This needs to match at least the heart-beat frequency plus a bit of headroom + # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s + per_second: 0.5 + burst_count: 30 + +# Required for Element Call in Single Page Mode due to on-the-fly user registration +enable_registration: true +enable_registration_without_verification: true + +report_stats: false +serve_server_wellknown: true From c5bd68f7dba698d64ec831f9e529fdfcfb9eecb6 Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:18:33 +0100 Subject: [PATCH 04/22] update gitignore to irgnore temp synapse state --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 6ad79d79..8d306b2c 100644 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,6 @@ dist-ssr *.local .idea/ public/config.json +backend/synapse_tmp/* /coverage yarn-error.log 
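Review bot: `signing_key_path: "/data/SERVERNAME.signing.key"` carries what looks like an unsubstituted template placeholder; Synapse will still generate a key at that literal path, so nothing breaks, but `signing_key_path: "/data/synapse.localhost.signing.key"` would match `server_name` and read as intended. The file also enables `enable_registration_without_verification: true` together with the `federation` listener resource and `trusted_key_servers` with no header saying what the config is for; the comment `# Required for Element Call in Single Page Mode due to on-the-fly user registration` explains the registration part, but a one-line header such as `# Development-only Synapse config consumed by dev-backend-docker-compose.yml; not a deployment template` would carry the scope with the file when it is copied elsewhere.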
From a672224324f4e2a62d03dd6b95cd643a7af5dd1a Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:23:02 +0100 Subject: [PATCH 05/22] rename livekit.conf to dev_livekit.conf to make clear that its for the development environment --- backend/{livekit.yaml => dev_livekit.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename backend/{livekit.yaml => dev_livekit.yaml} (100%) diff --git a/backend/livekit.yaml b/backend/dev_livekit.yaml similarity index 100% rename from backend/livekit.yaml rename to backend/dev_livekit.yaml From 44cb16d0b886c91f12ef88ab2b5ff406b65fc758 Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:25:41 +0100 Subject: [PATCH 06/22] prefix docker-compose with dev to make clear its only for development purposes. In addition added minimum synapse config to it in order to have a fully selfcontained dev setup --- backend-docker-compose.yml | 52 ---------------------- dev-backend-docker-compose.yml | 80 ++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 52 deletions(-) delete mode 100644 backend-docker-compose.yml create mode 100644 dev-backend-docker-compose.yml diff --git a/backend-docker-compose.yml b/backend-docker-compose.yml deleted file mode 100644 index b0dbe822..00000000 --- a/backend-docker-compose.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -version: "3.9" - -networks: - lkbackend: - -services: - auth-service: - image: ghcr.io/element-hq/lk-jwt-service:latest-ci - hostname: auth-server - # Use host network in case the configured homeserver runs on localhost - network_mode: host - environment: - - LK_JWT_PORT=8881 - - LIVEKIT_URL=ws://localhost:7880 - - LIVEKIT_KEY=devkey - - LIVEKIT_SECRET=secret - # If the configured homeserver runs on localhost, it'll probably be using - # a self-signed certificate - - LIVEKIT_INSECURE_SKIP_VERIFY_TLS=YES_I_KNOW_WHAT_I_AM_DOING - deploy: - restart_policy: - condition: on-failure - networks: - - lkbackend - - livekit: - image: livekit/livekit-server:latest - command: --dev --config /etc/livekit.yaml - restart: unless-stopped - # The SFU seems to work far more reliably when we let it share the host - # network rather than opening specific ports (but why?? we're not missing - # any…) - network_mode: host - # ports: - # - "7880:7880/tcp" - # - "7881:7881/tcp" - # - "7882:7882/tcp" - # - "50100-50200:50100-50200/udp" - volumes: - - ./backend/livekit.yaml:/etc/livekit.yaml - networks: - - lkbackend - - redis: - image: redis:6-alpine - command: redis-server /etc/redis.conf - ports: - - 6379:6379 - volumes: - - ./backend/redis.conf:/etc/redis.conf - networks: - - lkbackend diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml new file mode 100644 index 00000000..fcdadffe --- /dev/null +++ b/dev-backend-docker-compose.yml 
@@ -0,0 +1,80 @@ +networks: + ecbackend: + +services: + auth-service: + image: ghcr.io/element-hq/lk-jwt-service:latest-ci + hostname: auth-server + environment: + - LK_JWT_PORT=8080 + - LIVEKIT_URL=ws://localhost:7880 + - LIVEKIT_KEY=devkey + - LIVEKIT_SECRET=secret + # If the configured homeserver runs on localhost, it'll probably be using + # a self-signed certificate + - LIVEKIT_INSECURE_SKIP_VERIFY_TLS=YES_I_KNOW_WHAT_I_AM_DOING + deploy: + restart_policy: + condition: on-failure + ports: + # HOST_PORT:CONTAINER_PORT + - 8080:8080 + networks: + - ecbackend + + livekit: + image: livekit/livekit-server:latest + command: --dev --config /etc/livekit.yaml + restart: unless-stopped + # The SFU seems to work far more reliably when we let it share the host + # network rather than opening specific ports (but why?? we're not missing + # any…) + ports: + # HOST_PORT:CONTAINER_PORT + - 7880:7880/tcp + - 7881:7881/tcp + - 7882:7882/tcp + - 50100-50200:50100-50200/udp + volumes: + - ./backend/dev_livekit.yaml:/etc/livekit.yaml + networks: + - ecbackend + + redis: + image: redis:6-alpine + command: redis-server /etc/redis.conf + ports: + # HOST_PORT:CONTAINER_PORT + - 6379:6379 + volumes: + - ./backend/redis.conf:/etc/redis.conf + networks: + - ecbackend + + synapse: + hostname: homeserver + image: docker.io/matrixdotorg/synapse:latest + environment: + - SYNAPSE_CONFIG_PATH=/data/cfg/homeserver.yaml + volumes: + - ./backend/synapse_tmp:/data + - ./backend/dev_homeserver.yaml:/data/cfg/homeserver.yaml + networks: + - ecbackend + + nginx: + # openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls_localhost_key.pem -out tls_localhost_cert.pem -subj "/C=GB/ST=London/L=London/O=Alros/OU=IT Department/CN=localhost" + hostname: synapse.localhost + image: nginx:latest + volumes: + - ./backend/tls_localhost_nginx.conf:/etc/nginx/conf.d/default.conf + - ./backend/tls_localhost_key.pem:/root/ssl/key.pem + - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem + ports: + # 
HOST_PORT:CONTAINER_PORT + - "8008:80" + - "4443:443" + depends_on: + - synapse + networks: + - ecbackend From 82c6db1f942a73f50b3cecdd3933a0c40aa51340 Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:35:40 +0100 Subject: [PATCH 07/22] linting --- backend/dev_homeserver.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/dev_homeserver.yaml b/backend/dev_homeserver.yaml index e51bc7e4..965940b6 100644 --- a/backend/dev_homeserver.yaml +++ b/backend/dev_homeserver.yaml @@ -21,8 +21,8 @@ trusted_key_servers: - server_name: "matrix.org" experimental_features: - # MSC3266: Room summary API. Used for knocking over federation - msc3266_enabled: true + # MSC3266: Room summary API. Used for knocking over federation + msc3266_enabled: true # The maximum allowed duration by which sent events can be delayed, as # per MSC4140. Must be a positive value if set. Defaults to no From c33c703570d79787d283098d6325e9fbdce1251c Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 5 Nov 2024 00:36:18 +0100 Subject: [PATCH 08/22] adapt config.sample.json to development environment settings --- config/config.sample.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/config.sample.json b/config/config.sample.json index 12381a66..76f42050 100644 --- a/config/config.sample.json +++ b/config/config.sample.json @@ -1,12 +1,12 @@ { "default_server_config": { "m.homeserver": { - "base_url": "https://call.ems.host", - "server_name": "call.ems.host" + "base_url": "http://synapse.localhost:8008", + "server_name": "synapse.localhost" } }, "livekit": { - "livekit_service_url": "http://localhost:7881" + "livekit_service_url": "http://localhost:8080" }, "features": { "feature_use_device_session_member_events": true From d1774d63ab19044b6526c06c49614414616951c1 Mon Sep 17 00:00:00 2001 
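Review bot: The livekit service keeps the comment `# The SFU seems to work far more reliably when we let it share the host network rather than opening specific ports` while the hunk does the opposite of the deleted file: `network_mode: host` is gone and the four ports are published explicitly, so the comment now contradicts the configuration it sits on. Replace it with something like `# Ports published explicitly so the stack stays self-contained; host networking is no longer used` or drop it. The auth-service comment `# If the configured homeserver runs on localhost, it'll probably be using a self-signed certificate` has the same problem: the homeserver it talks to is now the `nginx` service with `hostname: synapse.localhost` inside the `ecbackend` network, serving the committed self-signed `tls_localhost_cert.pem`, which is the actual reason `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` is still needed, and naming that file in the comment tells a reader what would have to change to remove the skip.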
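Review bot: `config.sample.json` is the file the README tells self-hosters to copy to `public/config.json`, and the hunk repoints its `base_url`/`server_name` at the development-only host `synapse.localhost:8008` over plain HTTP; the later patch in this series that adds `config.devenv.json` does not restore the sample's public values, so the shipped sample keeps pointing at a host that exists only inside the compose stack. Keeping the sample generic and placing the dev values only in `config.devenv.json` would avoid a self-hosted deployment silently inheriting an unreachable homeserver URL.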
From: fkwp Date: Wed, 6 Nov 2024 10:55:13 +0100 Subject: [PATCH 09/22] make dev-backend-docker-compose.yaml work wiht podman compose --- dev-backend-docker-compose.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index fcdadffe..afe1e724 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -56,6 +56,12 @@ services: image: docker.io/matrixdotorg/synapse:latest environment: - SYNAPSE_CONFIG_PATH=/data/cfg/homeserver.yaml + # Needed for rootless podman-compose such that the uid/gid mapping does + # fit local user uid. If the container runs as root (uid 0) it is fine as + # it actually maps to your non-root user on the host (e.g. 1000). + # Otherwise uid mapping will not match your non-root user. + - UID=0 + - GID=0 volumes: - ./backend/synapse_tmp:/data - ./backend/dev_homeserver.yaml:/data/cfg/homeserver.yaml From 4705ab4218ae1ff32ba6912bd85bd9dd961403a1 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:46:59 +0100 Subject: [PATCH 10/22] Update dev-backend-docker-compose.yml Co-authored-by: Andrew Ferrazzutti --- dev-backend-docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index afe1e724..d9a50685 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -36,7 +36,7 @@ services: - 7882:7882/tcp - 50100-50200:50100-50200/udp volumes: - - ./backend/dev_livekit.yaml:/etc/livekit.yaml + - ./backend/dev_livekit.yaml:/etc/livekit.yaml:Z networks: - ecbackend From 4877474b7d7fdb75d92e713f266ab7076ffbfb54 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:53:12 +0100 Subject: [PATCH 11/22] remove livekit.livekit_service_url from sample config since SFU foci should be announced by homeserver's well-known --- config/config.sample.json | 3 --- 1 file changed, 3 deletions(-) 
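Review bot: `- UID=0` / `- GID=0` are explained only for rootless podman, but the same file is what `yarn backend` runs under Docker, where (as far as I recall the synapse image's start script) these variables select the user the server drops to, so `0` makes Synapse run as root inside the container instead of the image's default unprivileged user and leaves root-owned files in `./backend/synapse_tmp`. The comment should state that trade-off and the alternative, e.g. `# Under Docker leave these out or set them to your host uid/gid; 0 runs Synapse as root in the container and root-owns ./backend/synapse_tmp`. The enclosing `synapse:` service block starts outside the hunk.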
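Review bot: Only the `dev_livekit.yaml` bind mount gains the `:Z` SELinux relabel, while the `redis.conf`, `synapse_tmp`, `dev_homeserver.yaml`, nginx conf and both `.pem` mounts in the same file do not; on an SELinux-enforcing host with podman those containers would presumably hit the same denial this change fixes for livekit. If `:Z` is needed for one mount it is worth applying it to the others as well, with a comment on the first occurrence such as `# :Z relabels the bind mount for SELinux (rootless podman)` so the suffix is not mistaken for a typo.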
diff --git a/config/config.sample.json b/config/config.sample.json index 76f42050..80d774c8 100644 --- a/config/config.sample.json +++ b/config/config.sample.json @@ -5,9 +5,6 @@ "server_name": "synapse.localhost" } }, - "livekit": { - "livekit_service_url": "http://localhost:8080" - }, "features": { "feature_use_device_session_member_events": true }, From bf4596dfc5b8816b20c82a60bd202d271cf19041 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:53:42 +0100 Subject: [PATCH 12/22] add dedicated config for local development environment --- config/config.devenv.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 config/config.devenv.json diff --git a/config/config.devenv.json b/config/config.devenv.json new file mode 100644 index 00000000..76f42050 --- /dev/null +++ b/config/config.devenv.json @@ -0,0 +1,15 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "http://synapse.localhost:8008", + "server_name": "synapse.localhost" + } + }, + "livekit": { + "livekit_service_url": "http://localhost:8080" + }, + "features": { + "feature_use_device_session_member_events": true + }, + "eula": "https://static.element.io/legal/online-EULA.pdf" +} From 69776ba08e14b264cff7c02d8abd465591bd091d Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:58:48 +0100 Subject: [PATCH 13/22] add .well-known section including a note that this is not effective for the local dev environment --- backend/tls_localhost_nginx.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/backend/tls_localhost_nginx.conf b/backend/tls_localhost_nginx.conf index 2e2b8655..19efa5ba 100644 --- a/backend/tls_localhost_nginx.conf +++ b/backend/tls_localhost_nginx.conf 
@@ -9,6 +9,18 @@ server { ssl_certificate /root/ssl/cert.pem; ssl_certificate_key /root/ssl/key.pem; + # well-known config adding rtc_foci backend + # Note well-known is currently not effective due to: + # https://spec.matrix.org/v1.12/client-server-api/#well-known-uri the spec + # says it must be at https://$server_name/... (implied port 443) Hence, we + # currently rely for local development environment on depricated config.json + # setting for livekit_service_url + location /.well-known/matrix/client { + return 200 '{"m.homeserver": {"base_url": "http://synapse.localhost:8008"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "http://localhost:8080"}]}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + # Reverse proxy for Matrix Synapse Homeserver # This is also required for development environment. # Reason: the lk-jwt-service uses the federation API for the openid token From 7440f39fefca757b2d0303d6e8414106efe94087 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:59:11 +0100 Subject: [PATCH 14/22] add base_url --- backend/dev_homeserver.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/backend/dev_homeserver.yaml b/backend/dev_homeserver.yaml index 965940b6..b41de45b 100644 --- a/backend/dev_homeserver.yaml +++ b/backend/dev_homeserver.yaml @@ -1,4 +1,6 @@ server_name: "synapse.localhost" +public_baseurl: http://synapse.localhost:8008/ + pid_file: /data/homeserver.pid listeners: From 4a712838262e8403fc7674c672bb9e5c9ffe8624 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 19:59:37 +0100 Subject: [PATCH 15/22] update docker-compose cmd line --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 860d64a6..758dee06 100644 --- a/package.json +++ b/package.json 
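Review bot: The `return 200 '...'` body hard-codes `http://synapse.localhost:8008` and `http://localhost:8080`, values that already live in `config.devenv.json`, `dev_homeserver.yaml` (`public_baseurl`) and the compose port mapping, so there are now four places to keep in sync when a port moves, and a later patch in this series changes the JWT port to 8009 in two of them. A comment such as `# keep in sync with config/config.devenv.json and dev-backend-docker-compose.yml` above the location would help until the well-known is actually reachable. The comment's explanation that the block is ineffective because the spec implies port 443 could also name the concrete cause: the proxy does `listen 443 ssl`, but the compose file presumably publishes it as host port 4443, so a browser resolving `synapse.localhost` to the host never reaches it. The hunk sits inside the `server {}` block whose opening and closing braces lie outside it.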
@@ -17,7 +17,7 @@ "i18n:check": "i18next --fail-on-warnings --fail-on-update", "test": "vitest", "test:coverage": "vitest --coverage", - "backend": "docker-compose -f backend-docker-compose.yml up" + "backend": "docker-compose -f dev-backend-docker-compose.yml up" }, "devDependencies": { "@babel/core": "^7.16.5", From 430337e72578ccfb9d2cde5d79fa354323c849da Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 20:00:05 +0100 Subject: [PATCH 16/22] update dev env setup --- README.md | 49 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 9ff4e156..a395729f 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ You may also wish to add a configuration file (Element Call uses the domain it's but you can change this in the config file). This goes in `public/config.json` - you can use the sample as a starting point: ``` -cp config/config.sample.json public/config.json +cp config/config.devenv.json public/config.json # edit public/config.json ``` 
@@ -58,14 +58,24 @@ If you're using [Synapse](https://github.com/element-hq/synapse/), you'll need t ``` experimental_features: + # MSC3266: Room summary API. Used for knocking over federation msc3266_enabled: true + +# The maximum allowed duration by which sent events can be delayed, as +# per MSC4140. +max_event_delay_duration: 24h + +rc_message: + # This needs to match at least the heart-beat frequency plus a bit of headroom + # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s + per_second: 0.5 + burst_count: 30 ``` MSC3266 allows to request a room summary of rooms you are not joined. The summary contains the room join rules. We need that to decide if the user gets prompted with the option to knock ("ask to join"), a cannot join error or the join view. -Element Call requires a Livekit SFU behind a Livekit jwt service to work. The url to the Livekit jwt service can either be configured in the config of Element Call (fallback/legacy configuration) or be configured by your homeserver via the `.well-known`. -This is the recommended method. +Element Call requires a Livekit SFU behind a [Livekit JWT service](https://github.com/element-hq/lk-jwt-service) to work. The url to the Livekit JWT service can either be configured in the config of Element Call (fallback/legacy configuration) or be configured by your homeserver via the `.well-known/matrix/client`. This is the recommended method. The configuration is a list of Foci configs: @@ -112,6 +122,14 @@ yarn yarn link matrix-js-sdk ``` +To use it, create a local config by, e.g., `cp ./config/config.sample.json +./public/config.json` and adapt it if necessary. The sample config should work +with the backend development environment as outlined in the next section out of +box. + +(Be aware, that this is only the fallback Livekit SFU. If the homeserver +advertises one in the client well-known, this will not be used.) + You're now ready to launch the development server: ``` 
@@ -120,25 +138,24 @@ yarn dev ### Backend -A docker compose file is provided to start a LiveKit server and auth -service for development. These use a test 'secret' published in this -repository, so this must be used only for local development and -**_never be exposed to the public Internet._** +A docker compose file `dev-backend-docker-compose.yml` is provided to start the +whole stack of components which is required for a local development environment: +- Minimum Synapse Setup (servername: synapse.localhost) +- LiveKit JWT Service (Note requires Federation API and hence a TLS reverse proxy) +- Minimum TLS reverse proxy (servername: synapse.localhost) Note certificates + are valid for at least 10 years from now +- Minimum LiveKit SFU Setup using dev defaults for config +- Redis db for completness -To use it, add a SFU parameter in your local config `./public/config.json`: -(Be aware, that this is only the fallback Livekit SFU. If the homeserver -advertises one in the client well-known, this will not be used.) - -```json -"livekit": { - "livekit_service_url": "http://localhost:7881" -}, -``` +These use a test 'secret' published in this repository, so this must be used +only for local development and **_never be exposed to the public Internet._** Run backend components: ``` yarn backend +# or for podman-compose +# podman-compose -f dev-backend-docker-compose.yml up ``` ### Test Coverage From 65742db4f22f8a0cb5e07d53d3bac9498028b34a Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 20:07:52 +0100 Subject: [PATCH 17/22] use less common port for JWT service --- config/config.devenv.json | 2 +- dev-backend-docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/config.devenv.json b/config/config.devenv.json index 76f42050..b39cc628 100644 --- a/config/config.devenv.json +++ b/config/config.devenv.json 
@@ -6,7 +6,7 @@ } }, "livekit": { - "livekit_service_url": "http://localhost:8080" + "livekit_service_url": "http://localhost:8009" }, "features": { "feature_use_device_session_member_events": true diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index d9a50685..95531a19 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -18,7 +18,7 @@ services: condition: on-failure ports: # HOST_PORT:CONTAINER_PORT - - 8080:8080 + - 8009:8080 networks: - ecbackend From 2961cfa52c093f55cfb895bd90b52c6ac408b0fa Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 20:20:29 +0100 Subject: [PATCH 18/22] update README.md --- README.md | 102 ++++++++++++++++++++++--------- backend/tls_localhost_nginx.conf | 2 +- 2 files changed, 75 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index a395729f..ee4d93a4 100644 --- a/README.md +++ b/README.md 
@@ -3,17 +3,24 @@ [![Chat](https://img.shields.io/matrix/webrtc:matrix.org)](https://matrix.to/#/#webrtc:matrix.org) [![Localazy](https://img.shields.io/endpoint?url=https%3A%2F%2Fconnect.localazy.com%2Fstatus%2Felement-call%2Fdata%3Fcontent%3Dall%26title%3Dlocalazy%26logo%3Dtrue)](https://localazy.com/p/element-call) -Group calls with WebRTC that leverage [Matrix](https://matrix.org) and an open-source WebRTC toolkit from [LiveKit](https://livekit.io/). +Group calls with WebRTC that leverage [Matrix](https://matrix.org) and an +open-source WebRTC toolkit from [LiveKit](https://livekit.io/). -For prior version of the Element Call that relied solely on full-mesh logic, check [`full-mesh`](https://github.com/element-hq/element-call/tree/full-mesh) branch. +For prior version of the Element Call that relied solely on full-mesh logic, +check [`full-mesh`](https://github.com/element-hq/element-call/tree/full-mesh) +branch. ![A demo of Element Call with six people](demo.jpg) -To try it out, visit our hosted version at [call.element.io](https://call.element.io). You can also find the latest development version continuously deployed to [call.element.dev](https://call.element.dev/). +To try it out, visit our hosted version at +[call.element.io](https://call.element.io). You can also find the latest +development version continuously deployed to +[call.element.dev](https://call.element.dev/). ## Host it yourself -Until prebuilt tarballs are available, you'll need to build Element Call from source. First, clone and install the package: +Until prebuilt tarballs are available, you'll need to build Element Call from +source. First, clone and install the package: ``` git clone https://github.com/element-hq/element-call.git 
@@ -22,17 +29,23 @@ yarn yarn build ``` -If all went well, you can now find the build output under `dist` as a series of static files. These can be hosted using any web server that can be configured with custom routes (see below). +If all went well, you can now find the build output under `dist` as a series of +static files. These can be hosted using any web server that can be configured +with custom routes (see below). -You may also wish to add a configuration file (Element Call uses the domain it's hosted on as a Homeserver URL by default, -but you can change this in the config file). This goes in `public/config.json` - you can use the sample as a starting point: +You may also wish to add a configuration file (Element Call uses the domain it's +hosted on as a Homeserver URL by default, but you can change this in the config +file). This goes in `public/config.json` - you can use the sample as a starting +point: ``` -cp config/config.devenv.json public/config.json +cp config/config.sample.json public/config.json # edit public/config.json ``` -Because Element Call uses client-side routing, your server must be able to route any requests to non-existing paths back to `/index.html`. For example, in Nginx you can achieve this with the `try_files` directive: +Because Element Call uses client-side routing, your server must be able to route +any requests to non-existing paths back to `/index.html`. For example, in Nginx +you can achieve this with the `try_files` directive: ``` server { 
@@ -44,17 +57,36 @@ server { } ``` -By default, the app expects you to have a Matrix homeserver (such as [Synapse](https://element-hq.github.io/synapse/latest/setup/installation.html)) installed locally and running on port 8008. If you wish to use a homeserver on a different URL or one that is hosted on a different server, you can add a config file as above, and include the homeserver URL that you'd like to use. +By default, the app expects you to have a Matrix homeserver (such as +[Synapse](https://element-hq.github.io/synapse/latest/setup/installation.html)) +installed locally and running on port 8008. If you wish to use a homeserver on a +different URL or one that is hosted on a different server, you can add a config +file as above, and include the homeserver URL that you'd like to use. -Element Call requires a homeserver with registration enabled without any 3pid or token requirements, if you want it to be used by unregistered users. Furthermore, it is not recommended to use it with an existing homeserver where user accounts have joined normal rooms, as it may not be able to handle those yet and it may behave unreliably. +Element Call requires a homeserver with registration enabled without any 3pid or +token requirements, if you want it to be used by unregistered users. +Furthermore, it is not recommended to use it with an existing homeserver where +user accounts have joined normal rooms, as it may not be able to handle those +yet and it may behave unreliably. -Therefore, to use a self-hosted homeserver, this is recommended to be a new server where any user account created has not joined any normal rooms anywhere in the Matrix federated network. The homeserver used can be setup to disable federation, so as to prevent spam registrations (if you keep registrations open) and to ensure Element Call continues to work in case any user decides to log in to their Element Call account using the standard Element app and joins normal rooms that Element Call cannot handle. 
+Therefore, to use a self-hosted homeserver, this is recommended to be a new +server where any user account created has not joined any normal rooms anywhere +in the Matrix federated network. The homeserver used can be setup to disable +federation, so as to prevent spam registrations (if you keep registrations open) +and to ensure Element Call continues to work in case any user decides to log in +to their Element Call account using the standard Element app and joins normal +rooms that Element Call cannot handle. ## Configuration -There are currently two different config files. `.env` holds variables that are used at build time, while `public/config.json` holds variables that are used at runtime. Documentation and default values for `public/config.json` can be found in [ConfigOptions.ts](src/config/ConfigOptions.ts). +There are currently two different config files. `.env` holds variables that are +used at build time, while `public/config.json` holds variables that are used at +runtime. Documentation and default values for `public/config.json` can be found +in [ConfigOptions.ts](src/config/ConfigOptions.ts). -If you're using [Synapse](https://github.com/element-hq/synapse/), you'll need to additionally add the following to `homeserver.yaml` or Element Call won't work: +If you're using [Synapse](https://github.com/element-hq/synapse/), you'll need +to additionally add the following to `homeserver.yaml` or Element Call won't +work: ``` experimental_features: 
@@ -72,10 +104,16 @@ rc_message: burst_count: 30 ``` -MSC3266 allows to request a room summary of rooms you are not joined. -The summary contains the room join rules. We need that to decide if the user gets prompted with the option to knock ("ask to join"), a cannot join error or the join view. +MSC3266 allows to request a room summary of rooms you are not joined. The +summary contains the room join rules. We need that to decide if the user gets +prompted with the option to knock ("ask to join"), a cannot join error or the +join view. -Element Call requires a Livekit SFU behind a [Livekit JWT service](https://github.com/element-hq/lk-jwt-service) to work. The url to the Livekit JWT service can either be configured in the config of Element Call (fallback/legacy configuration) or be configured by your homeserver via the `.well-known/matrix/client`. This is the recommended method. +Element Call requires a Livekit SFU alongside a [Livekit JWT +service](https://github.com/element-hq/lk-jwt-service) to work. The url to the +Livekit JWT service can either be configured in the config of Element Call +(fallback/legacy configuration) or be configured by your homeserver via the +`.well-known/matrix/client`. This is the recommended method. The configuration is a list of Foci configs: 
@@ -98,13 +136,18 @@ The configuration is a list of Foci configs: ## Translation -If you'd like to help translate Element Call, head over to [Localazy](https://localazy.com/p/element-call). You're also encouraged to join the [Element Translators](https://matrix.to/#/#translators:element.io) space to discuss and coordinate translation efforts. +If you'd like to help translate Element Call, head over to +[Localazy](https://localazy.com/p/element-call). You're also encouraged to join +the [Element Translators](https://matrix.to/#/#translators:element.io) space to +discuss and coordinate translation efforts. ## Development ### Frontend -Element Call is built against [matrix-js-sdk](https://github.com/matrix-org/matrix-js-sdk/pull/2553). To get started, clone, install, and link the package: +Element Call is built against +[matrix-js-sdk](https://github.com/matrix-org/matrix-js-sdk/pull/2553). To get +started, clone, install, and link the package: ``` git clone https://github.com/matrix-org/matrix-js-sdk.git @@ -122,13 +165,14 @@ yarn yarn link matrix-js-sdk ``` -To use it, create a local config by, e.g., `cp ./config/config.sample.json -./public/config.json` and adapt it if necessary. The sample config should work -with the backend development environment as outlined in the next section out of -box. +To use it, create a local config by, e.g., `cp ./config/config.devenv.json +./public/config.json` and adapt it if necessary. The `config.devenv.json` config +should work with the backend development environment as outlined in the next +section out of box. -(Be aware, that this is only the fallback Livekit SFU. If the homeserver -advertises one in the client well-known, this will not be used.) +(Be aware, that this `config.devenv.json` is exposing a deprecated fallback +LiveKit config key. If the homeserver advertises SFU backend via +`.well-known/matrix/client` this has precedence.) You're now ready to launch the development server: 
@@ -167,7 +211,8 @@ yarn backend To add a new translation key you can do these steps: 1. Add the new key entry to the code where the new key is used: `t("some_new_key")` -1. Run `yarn i18n` to extract the new key and update the translation files. This will add a skeleton entry to the `public/locales/en-GB/app.json` file: +1. Run `yarn i18n` to extract the new key and update the translation files. This + will add a skeleton entry to the `public/locales/en-GB/app.json` file: ```jsonc { ... @@ -175,8 +220,9 @@ To add a new translation key you can do these steps: ... } ``` -1. Update the skeleton entry in the `public/locales/en-GB/app.json` file with the English translation: - ```jsonc +1. Update the skeleton entry in the `public/locales/en-GB/app.json` file with + the English translation: +```jsonc { ... "some_new_key": "Some new key", diff --git a/backend/tls_localhost_nginx.conf b/backend/tls_localhost_nginx.conf index 19efa5ba..2a593210 100644 --- a/backend/tls_localhost_nginx.conf +++ b/backend/tls_localhost_nginx.conf @@ -13,7 +13,7 @@ server { # Note well-known is currently not effective due to: # https://spec.matrix.org/v1.12/client-server-api/#well-known-uri the spec # says it must be at https://$server_name/... (implied port 443) Hence, we - # currently rely for local development environment on depricated config.json + # currently rely for local development environment on deprecated config.json # setting for livekit_service_url location /.well-known/matrix/client { return 200 '{"m.homeserver": {"base_url": "http://synapse.localhost:8008"}, "org.matrix.msc4143.rtc_foci": [{"type": "livekit", "livekit_service_url": "http://localhost:8080"}]}'; From 05eb2a06f459be9ea4e6369372920cf74e4e54d4 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 6 Nov 2024 21:18:24 +0100 Subject: [PATCH 19/22] prettier --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ee4d93a4..f05c2d2d 100644 --- a/README.md +++ b/README.md 
@@ -184,12 +184,13 @@ yarn dev A docker compose file `dev-backend-docker-compose.yml` is provided to start the whole stack of components which is required for a local development environment: + - Minimum Synapse Setup (servername: synapse.localhost) - LiveKit JWT Service (Note requires Federation API and hence a TLS reverse proxy) - Minimum TLS reverse proxy (servername: synapse.localhost) Note certificates are valid for at least 10 years from now - Minimum LiveKit SFU Setup using dev defaults for config -- Redis db for completness +- Redis db for completness These use a test 'secret' published in this repository, so this must be used only for local development and **_never be exposed to the public Internet._** @@ -222,13 +223,14 @@ To add a new translation key you can do these steps: ``` 1. Update the skeleton entry in the `public/locales/en-GB/app.json` file with the English translation: + ```jsonc { ... "some_new_key": "Some new key", ... } - ``` +``` ## Documentation From fd383328e252778c221cdd0aa4e537e8a37a651e Mon Sep 17 00:00:00 2001 From: fkwp Date: Thu, 7 Nov 2024 19:16:40 +0100 Subject: [PATCH 20/22] Update dev-backend-docker-compose.yml Co-authored-by: Andrew Ferrazzutti --- dev-backend-docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml index 95531a19..f970aa92 100644 --- a/dev-backend-docker-compose.yml +++ b/dev-backend-docker-compose.yml @@ -47,7 +47,7 @@ services: # HOST_PORT:CONTAINER_PORT - 6379:6379 volumes: - - ./backend/redis.conf:/etc/redis.conf + - ./backend/redis.conf:/etc/redis.conf:Z networks: - ecbackend From bea9a24b147009318476bf5fc6963d6c047ee201 Mon Sep 17 00:00:00 2001 From: fkwp Date: Thu, 7 Nov 2024 19:16:48 +0100 Subject: [PATCH 21/22] Update dev-backend-docker-compose.yml Co-authored-by: Andrew Ferrazzutti --- dev-backend-docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
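Review bot: The redis.conf bind mount on the new side stays read-write; nothing in a dev stack should need the container to modify a checked-in config file (Redis can write its config back if `CONFIG REWRITE` is reachable), so it should be mounted read-only: `- ./backend/redis.conf:/etc/redis.conf:ro,Z`. The `Z` option is an SELinux private relabel that Docker ignores on hosts without SELinux, so adding `ro` is the only change non-SELinux users would notice. On SELinux hosts `Z` relabels the file in the working tree with a label private to this container, which is fine as long as no other service mounts the same path. The redis service definition starts before the hunk.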
diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml
index f970aa92..f1b34b9b 100644
--- a/dev-backend-docker-compose.yml
+++ b/dev-backend-docker-compose.yml
@@ -63,8 +63,8 @@ services:
 - UID=0
 - GID=0
 volumes:
- - ./backend/synapse_tmp:/data
- - ./backend/dev_homeserver.yaml:/data/cfg/homeserver.yaml
+ - ./backend/synapse_tmp:/data:Z
+ - ./backend/dev_homeserver.yaml:/data/cfg/homeserver.yaml:Z
 networks:
 - ecbackend

From 34abca0c0b8c3ff8dea3d6efb146257b44863d67 Mon Sep 17 00:00:00 2001
From: fkwp
Date: Thu, 7 Nov 2024 19:16:55 +0100
Subject: [PATCH 22/22] Update dev-backend-docker-compose.yml

Co-authored-by: Andrew Ferrazzutti
---
 dev-backend-docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml
index f1b34b9b..dcfb8d66 100644
--- a/dev-backend-docker-compose.yml
+++ b/dev-backend-docker-compose.yml
@@ -73,9 +73,9 @@ services:
 hostname: synapse.localhost
 image: nginx:latest
 volumes:
- - ./backend/tls_localhost_nginx.conf:/etc/nginx/conf.d/default.conf
- - ./backend/tls_localhost_key.pem:/root/ssl/key.pem
- - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem
+ - ./backend/tls_localhost_nginx.conf:/etc/nginx/conf.d/default.conf:Z
+ - ./backend/tls_localhost_key.pem:/root/ssl/key.pem:Z
+ - ./backend/tls_localhost_cert.pem:/root/ssl/cert.pem:Z
 ports:
 # HOST_PORT:CONTAINER_PORT
 - "8008:80"
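Review bot: The TLS private key, certificate and nginx config are mounted read-write on the new side of the nginx hunk (`./backend/tls_localhost_key.pem:/root/ssl/key.pem:Z`); nginx only reads them, so they should be mounted read-only, e.g. `- ./backend/tls_localhost_key.pem:/root/ssl/key.pem:ro,Z` with the same `:ro,Z` on the cert.pem and default.conf lines, which prevents a compromised or misconfigured container from altering files in the working tree. Because this key pair is a test secret committed to the repository (the README in the same series says it must never be exposed to the public Internet), a comment above the volumes list such as `# dev-only TLS key pair, committed to the repo; never reuse outside the local dev stack` would warn anyone who copies this compose file as a template. The `Z` relabel is harmless on non-SELinux hosts and the nginx service block starts before the hunk.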