datarhei-dragonfork-core/deploy/truenas/core/docker-compose.yml

# Dragon Fork datarhei Core — v0.2 deployment with WebRTC egress and observability.
#
# This replaces the M2 stack. Adds Prometheus and Grafana containers so the
# operator can answer "is WebRTC healthy right now?" from a single dashboard
# without tailing logs or hitting the API.
#
# Host networking is required for WebRTC ICE (see deploy/truenas/docker-compose.yml).
# Prometheus and Grafana sit on a bridge network (dragonfork-mon) and reach
# Core via host.docker.internal:CORE_HTTP_PORT.
#
# Copy this file to /mnt/NVME/Docker/dragonfork-core/ alongside a .env:
#
#   PUBLIC_IP=10.0.0.25
#   API_AUTH_USERNAME=admin
#   API_AUTH_PASSWORD=change-me-please
#   API_AUTH_JWT_SECRET=<32+ random bytes, base64>
#   GRAFANA_ADMIN_PASSWORD=$(openssl rand -base64 24)
#
# Then:
#   docker compose up -d --build
#   docker compose logs -f

services:
  core:
    build:
      context: ../../..                  # repo root (where go.mod lives)
      dockerfile: deploy/truenas/core/Dockerfile
    container_name: dragonfork-core
    restart: unless-stopped
    network_mode: host
    environment:
      # --- API ---
      CORE_ADDRESS: ":${CORE_HTTP_PORT:-8080}"
      CORE_API_AUTH_ENABLE: "true"
      CORE_API_AUTH_USERNAME: "${API_AUTH_USERNAME:?set in .env}"
      CORE_API_AUTH_PASSWORD: "${API_AUTH_PASSWORD:?set in .env}"
      CORE_API_AUTH_JWT_SECRET: "${API_AUTH_JWT_SECRET:?set in .env}"

      # --- WebRTC egress ---
      CORE_WEBRTC_ENABLE: "true"
      CORE_WEBRTC_PUBLIC_IP: "${PUBLIC_IP:?set in .env}"

      # --- Port overrides ---
      CORE_RTMP_ADDRESS: "${CORE_RTMP_ADDRESS:-:1935}"
      CORE_RTMP_ADDRESS_TLS: "${CORE_RTMP_ADDRESS_TLS:-:1936}"
      CORE_SRT_ADDRESS: "${CORE_SRT_ADDRESS:-:6000}"
      CORE_TLS_ADDRESS: "${CORE_TLS_ADDRESS:-:8181}"

      # --- Logging ---
      CORE_LOG_LEVEL: "${LOG_LEVEL:-info}"

    volumes:
      - ./config:/core/config
      - ./data:/core/data

  prom:
    image: prom/prometheus:v2.55.0
    container_name: dragonfork-prom
    restart: unless-stopped
    networks: [dragonfork-mon]
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - ./prom/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ./prom/rules:/etc/prometheus/rules:ro
      - prom-data:/prometheus
    command:
      - --config.file=/etc/prometheus/prometheus.yml
      - --storage.tsdb.retention.time=${PROM_RETENTION:-15d}
      - --storage.tsdb.path=/prometheus
      - --web.console.libraries=/usr/share/prometheus/console_libraries
      - --web.console.templates=/usr/share/prometheus/consoles
    ports:
      - "${PROM_PORT:-9090}:9090"

  grafana:
    image: grafana/grafana-oss:11.3.0
    container_name: dragonfork-grafana
    restart: unless-stopped
    networks: [dragonfork-mon]
    depends_on: [prom]
    environment:
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?set in .env}"
      GF_USERS_ALLOW_SIGN_UP: "false"
      GF_AUTH_ANONYMOUS_ENABLED: "false"
    volumes:
      - ./grafana/provisioning:/etc/grafana/provisioning:ro
      - ./grafana/dashboards:/var/lib/grafana/dashboards:ro
      - grafana-data:/var/lib/grafana
    ports:
      - "${GRAFANA_PORT:-3000}:3000"

networks:
  dragonfork-mon:
    driver: bridge

volumes:
  prom-data:
  grafana-data:
feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`# Dragon Fork datarhei Core — v0.2 deployment with WebRTC egress and observability.`
deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`#`
feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`# This replaces the M2 stack. Adds Prometheus and Grafana containers so the`
			`# operator can answer "is WebRTC healthy right now?" from a single dashboard`
			`# without tailing logs or hitting the API.`
deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`#`
feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`# Host networking is required for WebRTC ICE (see deploy/truenas/docker-compose.yml).`
			`# Prometheus and Grafana sit on a bridge network (dragonfork-mon) and reach`
			`# Core via host.docker.internal:CORE_HTTP_PORT.`
deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`#`
			`# Copy this file to /mnt/NVME/Docker/dragonfork-core/ alongside a .env:`
			`#`
			`# PUBLIC_IP=10.0.0.25`
			`# API_AUTH_USERNAME=admin`
			`# API_AUTH_PASSWORD=change-me-please`
			`# API_AUTH_JWT_SECRET=<32+ random bytes, base64>`
feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`# GRAFANA_ADMIN_PASSWORD=$(openssl rand -base64 24)`
deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`#`
			`# Then:`
			`# docker compose up -d --build`
			`# docker compose logs -f`

			`services:`
			`core:`
			`build:`
			`context: ../../.. # repo root (where go.mod lives)`
			`dockerfile: deploy/truenas/core/Dockerfile`
			`container_name: dragonfork-core`
			`restart: unless-stopped`
			`network_mode: host`
			`environment:`
			`# --- API ---`
			`CORE_ADDRESS: ":${CORE_HTTP_PORT:-8080}"`
			`CORE_API_AUTH_ENABLE: "true"`
			`CORE_API_AUTH_USERNAME: "${API_AUTH_USERNAME:?set in .env}"`
			`CORE_API_AUTH_PASSWORD: "${API_AUTH_PASSWORD:?set in .env}"`
			`CORE_API_AUTH_JWT_SECRET: "${API_AUTH_JWT_SECRET:?set in .env}"`

			`# --- WebRTC egress ---`
			`CORE_WEBRTC_ENABLE: "true"`
			`CORE_WEBRTC_PUBLIC_IP: "${PUBLIC_IP:?set in .env}"`

feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`# --- Port overrides ---`
deploy(compose): pass RTMP/SRT/TLS port overrides through from .env The compose file's environment: block only forwarded the variables it explicitly referenced — CORE_ADDRESS, CORE_API_AUTH_, CORE_WEBRTC_, CORE_LOG_LEVEL. Everything else got the upstream Core defaults regardless of what was in .env. So 'CORE_RTMP_ADDRESS=:1937' in .env was silently ignored and Core kept binding 1935. Hit on the live TrueNAS host where another datarhei/restreamer container was already on 1935 with active stream state — couldn't just stop it. Adding explicit env passthrough for the four common collision points (RTMP, RTMPS, SRT, TLS) so an operator can remap each individually without editing this file: CORE_RTMP_ADDRESS=:1937 CORE_RTMP_ADDRESS_TLS=:1938 CORE_SRT_ADDRESS=:6002 CORE_TLS_ADDRESS=:8183 Defaults are unchanged — empty .env keeps :1935/:1936/:6000/:8181. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-03 09:30:02 -04:00			`CORE_RTMP_ADDRESS: "${CORE_RTMP_ADDRESS:-:1935}"`
			`CORE_RTMP_ADDRESS_TLS: "${CORE_RTMP_ADDRESS_TLS:-:1936}"`
			`CORE_SRT_ADDRESS: "${CORE_SRT_ADDRESS:-:6000}"`
			`CORE_TLS_ADDRESS: "${CORE_TLS_ADDRESS:-:8181}"`

deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`# --- Logging ---`
			`CORE_LOG_LEVEL: "${LOG_LEVEL:-info}"`

			`volumes:`
			`- ./config:/core/config`
			`- ./data:/core/data`

feat(deploy): add Prometheus + Grafana observability stack (closes #11) 2026-05-06 16:00:15 -04:00			`prom:`
			`image: prom/prometheus:v2.55.0`
			`container_name: dragonfork-prom`
			`restart: unless-stopped`
			`networks: [dragonfork-mon]`
			`extra_hosts:`
			`- "host.docker.internal:host-gateway"`
			`volumes:`
			`- ./prom/prometheus.yml:/etc/prometheus/prometheus.yml:ro`
			`- ./prom/rules:/etc/prometheus/rules:ro`
			`- prom-data:/prometheus`
			`command:`
			`- --config.file=/etc/prometheus/prometheus.yml`
			`- --storage.tsdb.retention.time=${PROM_RETENTION:-15d}`
			`- --storage.tsdb.path=/prometheus`
			`- --web.console.libraries=/usr/share/prometheus/console_libraries`
			`- --web.console.templates=/usr/share/prometheus/consoles`
			`ports:`
			`- "${PROM_PORT:-9090}:9090"`

			`grafana:`
			`image: grafana/grafana-oss:11.3.0`
			`container_name: dragonfork-grafana`
			`restart: unless-stopped`
			`networks: [dragonfork-mon]`
			`depends_on: [prom]`
			`environment:`
			`GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?set in .env}"`
			`GF_USERS_ALLOW_SIGN_UP: "false"`
			`GF_AUTH_ANONYMOUS_ENABLED: "false"`
			`volumes:`
			`- ./grafana/provisioning:/etc/grafana/provisioning:ro`
			`- ./grafana/dashboards:/var/lib/grafana/dashboards:ro`
			`- grafana-data:/var/lib/grafana`
			`ports:`
			`- "${GRAFANA_PORT:-3000}:3000"`

			`networks:`
			`dragonfork-mon:`
			`driver: bridge`

			`volumes:`
			`prom-data:`
			`grafana-data:`