Zac Gaetano
10f3e20a6a
The Restreamer UI bundle includes subdirectories (_player, _playersite, static, locales) and the Dockerfile copies the whole tree into /core/static. seed-data.sh on first boot was using flat 'cp -p' which errors on directories with 'omitting directory ...'; set -e then exits, the container restarts forever in a crash loop, and Core never starts. Fix: 'cp -Rp' so directories are copied as trees. The no-clobber check on the top-level name still keeps operator-edited content safe — if /core/data/_player exists we don't replace it, even if its internals diverge from the bundled version. Also defends against dotfiles via the second glob. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| static | ||
| docker-compose.yml | ||
| Dockerfile | ||
| README.md | ||
| seed-data.sh | ||
TrueNAS deploy — datarhei Core (M2, WebRTC-in-Core)
Host-networked Docker stack that runs the real root Core binary with
the M2 WebRTC egress subsystem wired in. This replaces the M1
webrtc-poc stack — WebRTC is now a first-class output alongside
RTMP/SRT/HLS.
What changed from M1
| M1 (webrtc-poc) | M2 (this stack) |
|---|---|
Standalone cmd/webrtc-poc binary |
Full Core with restream, HTTP API, storage |
| One hard-coded stream id | Every restream process can opt into WebRTC |
| Single UDP ingest, PT-split forwarding | Two UDP ports per process, per-track |
Plain /whep/:id on a side port |
/api/v3/whep/:id on the JWT-protected API |
| No auth | JWT (same creds as the rest of Core) |
Prereqs
- Docker on the TrueNAS host (TrueNAS SCALE includes it)
- LAN or public IP that clients can reach (set in
.envasPUBLIC_IP) - Admin credentials for Core's API
- FFmpeg is bundled in the image — no host install required
One-time setup
sudo mkdir -p /mnt/NVME/Docker/dragonfork-core
cd /mnt/NVME/Docker/dragonfork-core
# Pull the repo (or sync deploy files) onto the host. The compose
# build `context:` points at the repo root.
git clone https://forgejo.wilddragon.net/zgaetano/datarhei-dragonfork-core.git
cd datarhei-dragonfork-core/deploy/truenas/core
cat > .env <<EOF
PUBLIC_IP=10.0.0.25
CORE_HTTP_PORT=8080
API_AUTH_USERNAME=admin
API_AUTH_PASSWORD=$(openssl rand -base64 24)
API_AUTH_JWT_SECRET=$(openssl rand -base64 48)
LOG_LEVEL=info
EOF
mkdir -p config data
Run
docker compose up -d --build
docker compose logs -f
You should see Core come up logging all configured listeners, including a line from the WebRTC component confirming the subsystem is enabled.
Smoke-test via API
# Issue a JWT against the admin creds from .env:
TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \
-d '{"username":"admin","password":"<from .env>"}' \
http://10.0.0.25:8080/api/login | jq -r '.access_token')
# Probe the WHEP endpoint — should 404 for an unknown id.
curl -i -H "Authorization: Bearer $TOKEN" \
-X POST http://10.0.0.25:8080/api/v3/whep/nope
# → HTTP/1.1 404 Not Found
# Create a process with WebRTC enabled, send RTMP to its input, then
# subscribe the Pion whep-client to /api/v3/whep/<process-id>.
Cutting over from the M1 PoC
The M1 webrtc-poc stack is independent; it binds its own ports. You
can run both side-by-side during the cutover:
# Stop the M1 stack when you're ready to retire it:
cd /mnt/NVME/Docker/dragonfork-webrtc-poc
docker compose down
Teardown
docker compose down
Security notes
- The WHEP endpoint is mounted under
/api/v3, which is JWT-protected. That's the M2 posture — WHEP clients (browsers) need a token. M3 adds per-process signed-URL tokens so embeds don't require admin credentials. - The binary runs as root inside the container; if you need an unpriv
user, mount volumes owned by a fixed UID and add a
user:directive. This matches how the upstream datarhei/core image ships. - Put Caddy or nginx in front for TLS. The media itself is DTLS-SRTP-encrypted regardless.