zgaetano/datarhei-dragonfork-core
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases 4 Packages Wiki Activity Actions
datarhei-dragonfork-core/deploy/truenas/core
History
Zac Gaetano 7621f88fea
Some checks are pending
ci / vet + build (push) Waiting to run
Details
ci / race tests (push) Blocked by required conditions
Details
ci / WebRTC smoke (5-viewer fanout) (push) Blocked by required conditions
Details
ci / WebRTC latency p95 gate (push) Blocked by required conditions
Details
feat(ui): Wild Dragon reskin overlay on the Restreamer UI 
Layers Wild Dragon branding on top of upstream restreamer-ui v1.14.0
without forking the whole repo — keeps upstream UI updates flowing in
when we bump RESTREAMER_UI_REF.

Overlay (deploy/truenas/core/ui-overlay/):
  public/index.html       Wild Dragon title, theme color #0d0e12
  public/manifest.json    PWA name/short_name/colors
  public/favicon.ico      multi-res ICO (16/32/64) generated from
                          a 'WD' monogram in orange #ff6633 on dark
  public/logo192.png      Apple touch icon
  public/logo512.png      PWA install icon
  src/misc/Logo/images/   rs-logo.svg (square mark, used in the
                          Header) and logo.svg (wordmark, used in
                          the Footer) — both Wild-Dragon-themed
  src/misc/Logo/{index,rsLogo}.js
                          link the logos to forge.wilddragon.net
                          instead of datarhei.com

apply-overlay.sh runs in the Docker ui-builder stage just after the
upstream git clone and just before yarn install. Two phases:
  1. rsync the overlay's public/ and src/ on top of the cloned
     upstream tree
  2. Targeted in-place patches for one-line UI strings (header
     title, two welcome captions). Each patch is anchored to a
     unique surrounding context and the script fails loudly if the
     anchor isn't present — so a future upstream rename surfaces
     immediately rather than silently shipping un-rebranded UI.

Image size: ~+50KB (the overlay assets), no measurable build-time
delta. PWA installs and OS bookmarks now show Wild Dragon. The
remaining 'Restreamer'/'datarhei' references in views/Welcome.js,
views/Login.js, views/Settings.js, etc. are deeper-page strings
that aren't worth a one-off overlay; they'll go away when we fork
the UI repo properly for the WebRTC tab milestone.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 13:14:41 +00:00
..
static deploy: bundle the official Datarhei Restreamer UI 2026-05-03 12:58:51 +00:00
ui-overlay feat(ui): Wild Dragon reskin overlay on the Restreamer UI 2026-05-03 13:14:41 +00:00
docker-compose.yml deploy(truenas): Core image + compose for M2 WebRTC rollout 2026-04-17 14:59:49 -04:00
Dockerfile feat(ui): Wild Dragon reskin overlay on the Restreamer UI 2026-05-03 13:14:41 +00:00
README.md deploy(truenas): Core image + compose for M2 WebRTC rollout 2026-04-17 14:59:49 -04:00
seed-data.sh fix(deploy): make seed-data.sh recursive for directory entries 2026-05-03 13:01:51 +00:00

README.md

TrueNAS deploy — datarhei Core (M2, WebRTC-in-Core)

Host-networked Docker stack that runs the real root Core binary with the M2 WebRTC egress subsystem wired in. This replaces the M1 webrtc-poc stack — WebRTC is now a first-class output alongside RTMP/SRT/HLS.

What changed from M1

M1 (webrtc-poc) M2 (this stack)
Standalone cmd/webrtc-poc binary Full Core with restream, HTTP API, storage
One hard-coded stream id Every restream process can opt into WebRTC
Single UDP ingest, PT-split forwarding Two UDP ports per process, per-track
Plain /whep/:id on a side port /api/v3/whep/:id on the JWT-protected API
No auth JWT (same creds as the rest of Core)

Prereqs

  • Docker on the TrueNAS host (TrueNAS SCALE includes it)
  • LAN or public IP that clients can reach (set in .env as PUBLIC_IP)
  • Admin credentials for Core's API
  • FFmpeg is bundled in the image — no host install required

One-time setup

sudo mkdir -p /mnt/NVME/Docker/dragonfork-core
cd /mnt/NVME/Docker/dragonfork-core

# Pull the repo (or sync deploy files) onto the host. The compose
# build `context:` points at the repo root.
git clone https://forgejo.wilddragon.net/zgaetano/datarhei-dragonfork-core.git
cd datarhei-dragonfork-core/deploy/truenas/core

cat > .env <<EOF
PUBLIC_IP=10.0.0.25
CORE_HTTP_PORT=8080
API_AUTH_USERNAME=admin
API_AUTH_PASSWORD=$(openssl rand -base64 24)
API_AUTH_JWT_SECRET=$(openssl rand -base64 48)
LOG_LEVEL=info
EOF

mkdir -p config data

Run

docker compose up -d --build
docker compose logs -f

You should see Core come up logging all configured listeners, including a line from the WebRTC component confirming the subsystem is enabled.

Smoke-test via API

# Issue a JWT against the admin creds from .env:
TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"<from .env>"}' \
  http://10.0.0.25:8080/api/login | jq -r '.access_token')

# Probe the WHEP endpoint — should 404 for an unknown id.
curl -i -H "Authorization: Bearer $TOKEN" \
  -X POST http://10.0.0.25:8080/api/v3/whep/nope
# → HTTP/1.1 404 Not Found

# Create a process with WebRTC enabled, send RTMP to its input, then
# subscribe the Pion whep-client to /api/v3/whep/<process-id>.

Cutting over from the M1 PoC

The M1 webrtc-poc stack is independent; it binds its own ports. You can run both side-by-side during the cutover:

# Stop the M1 stack when you're ready to retire it:
cd /mnt/NVME/Docker/dragonfork-webrtc-poc
docker compose down

Teardown

docker compose down

Security notes

  • The WHEP endpoint is mounted under /api/v3, which is JWT-protected. That's the M2 posture — WHEP clients (browsers) need a token. M3 adds per-process signed-URL tokens so embeds don't require admin credentials.
  • The binary runs as root inside the container; if you need an unpriv user, mount volumes owned by a fixed UID and add a user: directive. This matches how the upstream datarhei/core image ships.
  • Put Caddy or nginx in front for TLS. The media itself is DTLS-SRTP-encrypted regardless.