datarhei-dragonfork-core/deploy/truenas/README.md

# TrueNAS deploy — WebRTC PoC (M1)

Host-networked Docker stack that runs `cmd/webrtc-poc` on TrueNAS for
manual end-to-end testing. Not wired into the Core binary.

## Prereqs

- Docker on the TrueNAS host (TrueNAS SCALE includes it)
- LAN or public IP that clients can reach
- One free TCP port (WHEP) and one free UDP port (RTP ingest)

## One-time setup

```
# On TrueNAS:
sudo mkdir -p /mnt/NVME/Docker/dragonfork-webrtc-poc
cd /mnt/NVME/Docker/dragonfork-webrtc-poc

# Copy the repo's deploy/truenas/docker-compose.yml in here, and the
# whole repo (or just cmd/ + core/ + go.mod + vendor/) somewhere the
# Dockerfile build context can see. Simplest: clone the repo adjacent
# and symlink docker-compose.yml, or point `context:` at the clone.

cat > .env <<EOF
WHEP_PORT=45121
RTP_PORT=49248
STREAM_ID=test
PUBLIC_IP=10.0.0.25
EOF
```

## Run

```
docker compose up -d --build
docker compose logs -f
```

You should see:

```
listening for RTP on 127.0.0.1:49248   # or 0.0.0.0:49248 on real deploy
WHEP listening on :45121 — POST /whep/test to subscribe
```

## Verify from another host on the LAN

```
curl -i -X GET http://10.0.0.25:45121/whep/test   # → 405 (POST only)
curl -i -X POST http://10.0.0.25:45121/whep/nope  # → 404 (stream not found)
```

For a real end-to-end check, point the repo's `test/publish.sh` at
`10.0.0.25 49248` and the `whep-client` at `http://10.0.0.25:45121/whep/test`.

## Teardown

```
docker compose down
```

## Security notes

- WHEP is served plain HTTP. Put nginx-proxy-manager or Caddy in front
  for TLS — but note that WHEP itself is fine over HTTPS; the real
  media is DTLS-SRTP-encrypted regardless.
- No auth in M1. Anyone who can reach the port can subscribe.
  M3 adds a token check.
- The binary runs as PID 1 in `scratch` — no shell, no package
  manager, no privilege escalation path. Exit codes only.
feat(webrtc): add -rtp-host flag + TrueNAS Docker deploy - core/webrtc: NewSourceOn(streamID, host, port) allows binding the RTP UDP socket on something other than 127.0.0.1, required when the PoC runs in a container and must accept RTP from LAN publishers. NewSource(streamID, port) stays as a convenience wrapper on 127.0.0.1 for existing tests and tight local tests. - cmd/webrtc-poc: new -rtp-host flag (default 127.0.0.1 for safety). - deploy/docker/Dockerfile: two-stage build, scratch runtime, ~14 MB. - deploy/truenas/docker-compose.yml: host-networked stack template driven by a .env file. Host networking is required for WebRTC ICE to work without NAT rewriting per-candidate. - deploy/truenas/README.md: operator runbook with port picking, bring-up, verification curls, and security notes. 2026-04-17 09:05:37 -04:00			`# TrueNAS deploy — WebRTC PoC (M1)`

			Host-networked Docker stack that runs `cmd/webrtc-poc` on TrueNAS for
			`manual end-to-end testing. Not wired into the Core binary.`

			`## Prereqs`

			`- Docker on the TrueNAS host (TrueNAS SCALE includes it)`
			`- LAN or public IP that clients can reach`
			`- One free TCP port (WHEP) and one free UDP port (RTP ingest)`

			`## One-time setup`

			```
			`# On TrueNAS:`
			`sudo mkdir -p /mnt/NVME/Docker/dragonfork-webrtc-poc`
			`cd /mnt/NVME/Docker/dragonfork-webrtc-poc`

			`# Copy the repo's deploy/truenas/docker-compose.yml in here, and the`
			`# whole repo (or just cmd/ + core/ + go.mod + vendor/) somewhere the`
			`# Dockerfile build context can see. Simplest: clone the repo adjacent`
			# and symlink docker-compose.yml, or point `context:` at the clone.

			`cat > .env <<EOF`
			`WHEP_PORT=45121`
			`RTP_PORT=49248`
			`STREAM_ID=test`
			`PUBLIC_IP=10.0.0.25`
			`EOF`
			```

			`## Run`

			```
			`docker compose up -d --build`
			`docker compose logs -f`
			```

			`You should see:`

			```
			`listening for RTP on 127.0.0.1:49248 # or 0.0.0.0:49248 on real deploy`
			`WHEP listening on :45121 — POST /whep/test to subscribe`
			```

			`## Verify from another host on the LAN`

			```
			`curl -i -X GET http://10.0.0.25:45121/whep/test # → 405 (POST only)`
			`curl -i -X POST http://10.0.0.25:45121/whep/nope # → 404 (stream not found)`
			```

			For a real end-to-end check, point the repo's `test/publish.sh` at
			`10.0.0.25 49248` and the `whep-client` at `http://10.0.0.25:45121/whep/test`.

			`## Teardown`

			```
			`docker compose down`
			```

			`## Security notes`

			`- WHEP is served plain HTTP. Put nginx-proxy-manager or Caddy in front`
			`for TLS — but note that WHEP itself is fine over HTTPS; the real`
			`media is DTLS-SRTP-encrypted regardless.`
			`- No auth in M1. Anyone who can reach the port can subscribe.`
			`M3 adds a token check.`
			- The binary runs as PID 1 in `scratch` — no shell, no package
			`manager, no privilege escalation path. Exit codes only.`