zgaetano/datarhei-dragonfork-core
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases 4 Packages Wiki Activity Actions
datarhei-dragonfork-core/deploy/truenas/core/README.md
Zac Gaetano d96aa70c27
Some checks failed
tests / build (push) Failing after 3s
Details
deploy(truenas): Core image + compose for M2 WebRTC rollout 
Adds a dedicated deploy bundle under deploy/truenas/core/ so the
real root Core binary — with the M2 WebRTC subsystem wired in —
can replace the M1 webrtc-poc stack on the TrueNAS host.

- Dockerfile: two-stage build on golang:1.24-alpine3.20 + alpine:3.20
  runtime. FFmpeg is bundled so restream processes have their
  subprocess path ready. Copies the core binary from core/core
  (Go places the output file inside the core/ package directory
  because it can't overwrite a directory with a file) plus import
  and ffmigrate from the repo root.
- docker-compose.yml: host-networked Core service, env-driven
  config (CORE_ADDRESS, CORE_API_AUTH_*, CORE_WEBRTC_ENABLE,
  CORE_WEBRTC_PUBLIC_IP), with config/ and data/ bind mounts.
- README.md: M1→M2 cutover notes, one-time setup, JWT smoke test
  against /api/v3/whep/:id, and teardown.

Verified: make release + make import + make ffmigrate all
cross-compile cleanly for linux/amd64; go build ./... and
go test ./... pass on the branch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 14:59:49 -04:00

3.3 KiB
Raw Blame History

TrueNAS deploy — datarhei Core (M2, WebRTC-in-Core)

Host-networked Docker stack that runs the real root Core binary with the M2 WebRTC egress subsystem wired in. This replaces the M1 webrtc-poc stack — WebRTC is now a first-class output alongside RTMP/SRT/HLS.

What changed from M1

M1 (webrtc-poc) M2 (this stack)
Standalone cmd/webrtc-poc binary Full Core with restream, HTTP API, storage
One hard-coded stream id Every restream process can opt into WebRTC
Single UDP ingest, PT-split forwarding Two UDP ports per process, per-track
Plain /whep/:id on a side port /api/v3/whep/:id on the JWT-protected API
No auth JWT (same creds as the rest of Core)

Prereqs

  • Docker on the TrueNAS host (TrueNAS SCALE includes it)
  • LAN or public IP that clients can reach (set in .env as PUBLIC_IP)
  • Admin credentials for Core's API
  • FFmpeg is bundled in the image — no host install required

One-time setup

sudo mkdir -p /mnt/NVME/Docker/dragonfork-core
cd /mnt/NVME/Docker/dragonfork-core

# Pull the repo (or sync deploy files) onto the host. The compose
# build `context:` points at the repo root.
git clone https://forgejo.wilddragon.net/zgaetano/datarhei-dragonfork-core.git
cd datarhei-dragonfork-core/deploy/truenas/core

cat > .env <<EOF
PUBLIC_IP=10.0.0.25
CORE_HTTP_PORT=8080
API_AUTH_USERNAME=admin
API_AUTH_PASSWORD=$(openssl rand -base64 24)
API_AUTH_JWT_SECRET=$(openssl rand -base64 48)
LOG_LEVEL=info
EOF

mkdir -p config data

Run

docker compose up -d --build
docker compose logs -f

You should see Core come up logging all configured listeners, including a line from the WebRTC component confirming the subsystem is enabled.

Smoke-test via API

# Issue a JWT against the admin creds from .env:
TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"<from .env>"}' \
  http://10.0.0.25:8080/api/login | jq -r '.access_token')

# Probe the WHEP endpoint — should 404 for an unknown id.
curl -i -H "Authorization: Bearer $TOKEN" \
  -X POST http://10.0.0.25:8080/api/v3/whep/nope
# → HTTP/1.1 404 Not Found

# Create a process with WebRTC enabled, send RTMP to its input, then
# subscribe the Pion whep-client to /api/v3/whep/<process-id>.

Cutting over from the M1 PoC

The M1 webrtc-poc stack is independent; it binds its own ports. You can run both side-by-side during the cutover:

# Stop the M1 stack when you're ready to retire it:
cd /mnt/NVME/Docker/dragonfork-webrtc-poc
docker compose down

Teardown

docker compose down

Security notes

  • The WHEP endpoint is mounted under /api/v3, which is JWT-protected. That's the M2 posture — WHEP clients (browsers) need a token. M3 adds per-process signed-URL tokens so embeds don't require admin credentials.
  • The binary runs as root inside the container; if you need an unpriv user, mount volumes owned by a fixed UID and add a user: directive. This matches how the upstream datarhei/core image ships.
  • Put Caddy or nginx in front for TLS. The media itself is DTLS-SRTP-encrypted regardless.