datarhei-dragonfork-core/deploy/truenas/core/README.md

# TrueNAS deploy — datarhei Core (M2, WebRTC-in-Core)

Host-networked Docker stack that runs the real root Core binary with
the M2 WebRTC egress subsystem wired in. This replaces the M1
`webrtc-poc` stack — WebRTC is now a first-class output alongside
RTMP/SRT/HLS.

## What changed from M1

| M1 (webrtc-poc)                        | M2 (this stack)                              |
| -------------------------------------- | -------------------------------------------- |
| Standalone `cmd/webrtc-poc` binary     | Full Core with restream, HTTP API, storage   |
| One hard-coded stream id               | Every restream process can opt into WebRTC   |
| Single UDP ingest, PT-split forwarding | Two UDP ports per process, per-track         |
| Plain `/whep/:id` on a side port       | `/api/v3/whep/:id` on the JWT-protected API  |
| No auth                                | JWT (same creds as the rest of Core)         |

## Prereqs

- Docker on the TrueNAS host (TrueNAS SCALE includes it)
- LAN or public IP that clients can reach (set in `.env` as `PUBLIC_IP`)
- Admin credentials for Core's API
- FFmpeg is bundled in the image — no host install required

## One-time setup

```
sudo mkdir -p /mnt/NVME/Docker/dragonfork-core
cd /mnt/NVME/Docker/dragonfork-core

# Pull the repo (or sync deploy files) onto the host. The compose
# build `context:` points at the repo root.
git clone https://forgejo.wilddragon.net/zgaetano/datarhei-dragonfork-core.git
cd datarhei-dragonfork-core/deploy/truenas/core

cat > .env <<EOF
PUBLIC_IP=10.0.0.25
CORE_HTTP_PORT=8080
API_AUTH_USERNAME=admin
API_AUTH_PASSWORD=$(openssl rand -base64 24)
API_AUTH_JWT_SECRET=$(openssl rand -base64 48)
LOG_LEVEL=info
EOF

mkdir -p config data
```

## Run

```
docker compose up -d --build
docker compose logs -f
```

You should see Core come up logging all configured listeners, including
a line from the WebRTC component confirming the subsystem is enabled.

## Smoke-test via API

```
# Issue a JWT against the admin creds from .env:
TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"<from .env>"}' \
  http://10.0.0.25:8080/api/login | jq -r '.access_token')

# Probe the WHEP endpoint — should 404 for an unknown id.
curl -i -H "Authorization: Bearer $TOKEN" \
  -X POST http://10.0.0.25:8080/api/v3/whep/nope
# → HTTP/1.1 404 Not Found

# Create a process with WebRTC enabled, send RTMP to its input, then
# subscribe the Pion whep-client to /api/v3/whep/<process-id>.
```

## Cutting over from the M1 PoC

The M1 `webrtc-poc` stack is independent; it binds its own ports. You
can run both side-by-side during the cutover:

```
# Stop the M1 stack when you're ready to retire it:
cd /mnt/NVME/Docker/dragonfork-webrtc-poc
docker compose down
```

## Teardown

```
docker compose down
```

## Security notes

- The WHEP endpoint is mounted under `/api/v3`, which is JWT-protected.
  That's the M2 posture — WHEP clients (browsers) need a token. M3
  adds per-process signed-URL tokens so embeds don't require admin
  credentials.
- The binary runs as root inside the container; if you need an unpriv
  user, mount volumes owned by a fixed UID and add a `user:` directive.
  This matches how the upstream datarhei/core image ships.
- Put Caddy or nginx in front for TLS. The media itself is
  DTLS-SRTP-encrypted regardless.
deploy(truenas): Core image + compose for M2 WebRTC rollout Adds a dedicated deploy bundle under deploy/truenas/core/ so the real root Core binary — with the M2 WebRTC subsystem wired in — can replace the M1 webrtc-poc stack on the TrueNAS host. - Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20 runtime. FFmpeg is bundled so restream processes have their subprocess path ready. Copies the core binary from core/core (Go places the output file inside the core/ package directory because it can't overwrite a directory with a file) plus import and ffmigrate from the repo root. - docker-compose.yml: host-networked Core service, env-driven config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE, CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts. - README.md: M1→M2 cutover notes, one-time setup, JWT smoke test against /api/v3/whep/:id, and teardown. Verified: make release + make import + make ffmigrate all cross-compile cleanly for linux/amd64; go build ./... and go test ./... pass on the branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-17 14:59:49 -04:00			`# TrueNAS deploy — datarhei Core (M2, WebRTC-in-Core)`

			`Host-networked Docker stack that runs the real root Core binary with`
			`the M2 WebRTC egress subsystem wired in. This replaces the M1`
			`webrtc-poc` stack — WebRTC is now a first-class output alongside
			`RTMP/SRT/HLS.`

			`## What changed from M1`

			`\| M1 (webrtc-poc) \| M2 (this stack) \|`
			`\| -------------------------------------- \| -------------------------------------------- \|`
			\| Standalone `cmd/webrtc-poc` binary \| Full Core with restream, HTTP API, storage \|
			`\| One hard-coded stream id \| Every restream process can opt into WebRTC \|`
			`\| Single UDP ingest, PT-split forwarding \| Two UDP ports per process, per-track \|`
			\| Plain `/whep/:id` on a side port \| `/api/v3/whep/:id` on the JWT-protected API \|
			`\| No auth \| JWT (same creds as the rest of Core) \|`

			`## Prereqs`

			`- Docker on the TrueNAS host (TrueNAS SCALE includes it)`
			- LAN or public IP that clients can reach (set in `.env` as `PUBLIC_IP`)
			`- Admin credentials for Core's API`
			`- FFmpeg is bundled in the image — no host install required`

			`## One-time setup`

			```
			`sudo mkdir -p /mnt/NVME/Docker/dragonfork-core`
			`cd /mnt/NVME/Docker/dragonfork-core`

			`# Pull the repo (or sync deploy files) onto the host. The compose`
			# build `context:` points at the repo root.
			`git clone https://forgejo.wilddragon.net/zgaetano/datarhei-dragonfork-core.git`
			`cd datarhei-dragonfork-core/deploy/truenas/core`

			`cat > .env <<EOF`
			`PUBLIC_IP=10.0.0.25`
			`CORE_HTTP_PORT=8080`
			`API_AUTH_USERNAME=admin`
			`API_AUTH_PASSWORD=$(openssl rand -base64 24)`
			`API_AUTH_JWT_SECRET=$(openssl rand -base64 48)`
			`LOG_LEVEL=info`
			`EOF`

			`mkdir -p config data`
			```

			`## Run`

			```
			`docker compose up -d --build`
			`docker compose logs -f`
			```

			`You should see Core come up logging all configured listeners, including`
			`a line from the WebRTC component confirming the subsystem is enabled.`

			`## Smoke-test via API`

			```
			`# Issue a JWT against the admin creds from .env:`
			`TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \`
			`-d '{"username":"admin","password":"<from .env>"}' \`
			`http://10.0.0.25:8080/api/login \| jq -r '.access_token')`

			`# Probe the WHEP endpoint — should 404 for an unknown id.`
			`curl -i -H "Authorization: Bearer $TOKEN" \`
			`-X POST http://10.0.0.25:8080/api/v3/whep/nope`
			`# → HTTP/1.1 404 Not Found`

			`# Create a process with WebRTC enabled, send RTMP to its input, then`
			`# subscribe the Pion whep-client to /api/v3/whep/<process-id>.`
			```

			`## Cutting over from the M1 PoC`

			The M1 `webrtc-poc` stack is independent; it binds its own ports. You
			`can run both side-by-side during the cutover:`

			```
			`# Stop the M1 stack when you're ready to retire it:`
			`cd /mnt/NVME/Docker/dragonfork-webrtc-poc`
			`docker compose down`
			```

			`## Teardown`

			```
			`docker compose down`
			```

			`## Security notes`

			- The WHEP endpoint is mounted under `/api/v3`, which is JWT-protected.
			`That's the M2 posture — WHEP clients (browsers) need a token. M3`
			`adds per-process signed-URL tokens so embeds don't require admin`
			`credentials.`
			`- The binary runs as root inside the container; if you need an unpriv`
			user, mount volumes owned by a fixed UID and add a `user:` directive.
			`This matches how the upstream datarhei/core image ships.`
			`- Put Caddy or nginx in front for TLS. The media itself is`
			`DTLS-SRTP-encrypted regardless.`