datarhei-dragonfork-core/deploy/truenas/README.md
Zac Gaetano 9e3f031f95
feat(webrtc): add -rtp-host flag + TrueNAS Docker deploy
- core/webrtc: NewSourceOn(streamID, host, port) allows binding the
  RTP UDP socket on something other than 127.0.0.1, required when the
  PoC runs in a container and must accept RTP from LAN publishers.
  NewSource(streamID, port) stays as a convenience wrapper on
  127.0.0.1 for existing tests and tight local tests.

- cmd/webrtc-poc: new -rtp-host flag (default 127.0.0.1 for safety).

- deploy/docker/Dockerfile: two-stage build, scratch runtime, ~14 MB.

- deploy/truenas/docker-compose.yml: host-networked stack template
  driven by a .env file. Host networking is required for WebRTC ICE
  to work without NAT rewriting per-candidate.

- deploy/truenas/README.md: operator runbook with port picking,
  bring-up, verification curls, and security notes.
2026-04-17 09:05:37 -04:00


# TrueNAS deploy — WebRTC PoC (M1)
Host-networked Docker stack that runs `cmd/webrtc-poc` on TrueNAS for
manual end-to-end testing. Not wired into the Core binary.
## Prereqs
- Docker on the TrueNAS host (TrueNAS SCALE includes it)
- LAN or public IP that clients can reach
- One free TCP port (WHEP) and one free UDP port (RTP ingest)
## One-time setup
```
# On TrueNAS:
sudo mkdir -p /mnt/NVME/Docker/dragonfork-webrtc-poc
cd /mnt/NVME/Docker/dragonfork-webrtc-poc
# Copy the repo's deploy/truenas/docker-compose.yml in here, and the
# whole repo (or just cmd/ + core/ + go.mod + vendor/) somewhere the
# Dockerfile build context can see. Simplest: clone the repo adjacent
# and symlink docker-compose.yml, or point `context:` at the clone.
cat > .env <<EOF
WHEP_PORT=45121
RTP_PORT=49248
STREAM_ID=test
PUBLIC_IP=10.0.0.25
EOF
```
## Run
```
docker compose up -d --build
docker compose logs -f
```
You should see:
```
listening for RTP on 127.0.0.1:49248 # or 0.0.0.0:49248 on real deploy
WHEP listening on :45121 — POST /whep/test to subscribe
```
## Verify from another host on the LAN
```
curl -i -X GET http://10.0.0.25:45121/whep/test # → 405 (POST only)
curl -i -X POST http://10.0.0.25:45121/whep/nope # → 404 (stream not found)
```
For a real end-to-end check, point the repo's `test/publish.sh` at
`10.0.0.25 49248` and the `whep-client` at `http://10.0.0.25:45121/whep/test`.
## Teardown
```
docker compose down
```
## Security notes
- WHEP is served over plain HTTP. Put nginx-proxy-manager or Caddy in
  front for TLS; WHEP itself works fine over HTTPS, and the media is
  DTLS-SRTP-encrypted regardless of how the signalling is carried.
- No auth in M1. Anyone who can reach the port can subscribe.
  M3 adds a token check.
- The binary runs as PID 1 in `scratch`: no shell, no package
  manager, no privilege escalation path. Exit codes only.