[Nexus] Add docker image and set up CD

.github/workflows/__CD__deploy-image.yml

@@ -17,6 +17,10 @@ on:
         required: true
       ice-port-range:
         required: true
+      admin-username:
+        required: true
+      admin-password:
+        required: true
 
 jobs:
   deploy-image:
@@ -34,5 +38,14 @@ jobs:
             export TAG=${TAG#*-v}
             docker stop ${{ inputs.app-name }}
             docker rm ${{ inputs.app-name }}
-            docker run -d --restart unless-stopped --name ${{ inputs.app-name }} -e SECRET_KEY_BASE=${{ secrets.secret-key-base }} -e PHX_HOST=${{ secrets.phx-host }} -e ICE_PORT_RANGE=${{ secrets.ice-port-range }} --network host ghcr.io/elixir-webrtc/apps/${{ inputs.app-name }}:${TAG}
+            docker run -d \
+              --restart unless-stopped \
+              --name ${{ inputs.app-name }} \
+              -e SECRET_KEY_BASE=${{ secrets.secret-key-base }} \
+              -e PHX_HOST=${{ secrets.phx-host }} \
+              -e ICE_PORT_RANGE=${{ secrets.ice-port-range }} \
+              -e ADMIN_USERNAME=${{ secrets.admin-username }} \
+              -e ADMIN_PASSWORD=${{ secrets.admin-password }} \
+              --network host \
+              ghcr.io/elixir-webrtc/apps/${{ inputs.app-name }}:${TAG}
             docker image prune --all --force

.github/workflows/__CD__nexus.yml

@@ -0,0 +1,32 @@
+name: Nexus CD 
+
+on:
+  push:
+    tags:
+      - "nexus-v*.*.*"
+
+permissions:
+  contents: read
+  packages: write
+
+jobs: 
+  build-publish-nexus-image:
+    name: "Build and publish Nexus image"
+    uses: ./.github/workflows/__CD__build-publish-image.yml
+    with:
+      app-name: nexus
+  deploy-nexus:
+    name: "Deploy Nexus image"
+    needs: build-publish-nexus-image
+    uses: ./.github/workflows/__CD__deploy-image.yml
+    with:
+      app-name: nexus
+    secrets:
+      ssh-host: ${{ secrets.NEXUS_SSH_HOST }}
+      ssh-username: ${{ secrets.NEXUS_SSH_USERNAME }}
+      ssh-priv-key: ${{ secrets.NEXUS_SSH_PRIV_KEY }}
+      secret-key-base: ${{ secrets.NEXUS_SECRET_KEY_BASE }}
+      phx-host: ${{ secrets.NEXUS_PHX_HOST }}
+      ice-port-range: ${{ secrets.NEXUS_ICE_PORT_RANGE }}
+      admin-username: ${{ secrets.NEXUS_ADMIN_USERNAME }}
+      admin-password: ${{ secrets.NEXUS_ADMIN_PASSWORD }}

.github/workflows/__CD__recognizer.yml

@@ -28,3 +28,5 @@ jobs:
       secret-key-base: ${{ secrets.RECOGNIZER_SECRET_KEY_BASE }}
       phx-host: ${{ secrets.RECOGNIZER_PHX_HOST }}
       ice-port-range: ${{ secrets.RECOGNIZER_ICE_PORT_RANGE }}
+      admin-username: ${{ secrets.RECOGNIZER_ADMIN_USERNAME }}
+      admin-password: ${{ secrets.RECOGNIZER_ADMIN_PASSWORD }}

broadcaster/config/dev.exs

@@ -51,9 +51,6 @@ config :broadcaster, BroadcasterWeb.Endpoint,
     ]
   ]
 
-# Enable dev routes for dashboard and mailbox
-config :broadcaster, dev_routes: true
-
 # Do not include metadata nor timestamps in development logs
 config :logger, :console, format: "[$level] $message\n"
 

nexus/.dockerignore

@@ -0,0 +1,45 @@
+# This file excludes paths from the Docker build context.
+#
+# By default, Docker's build context includes all files (and folders) in the
+# current directory. Even if a file isn't copied into the container it is still sent to
+# the Docker daemon.
+#
+# There are multiple reasons to exclude files from the build context:
+#
+# 1. Prevent nested folders from being copied into the container (ex: exclude
+#    /assets/node_modules when copying /assets)
+# 2. Reduce the size of the build context and improve build time (ex. /build, /deps, /doc)
+# 3. Avoid sending files containing sensitive information
+#
+# More information on using .dockerignore is available here:
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+.dockerignore
+
+# Ignore git, but keep git HEAD and refs to access current commit hash if needed:
+#
+# $ cat .git/HEAD | awk '{print ".git/"$2}' | xargs cat
+# d0b8727759e1e0e7aa3d41707d12376e373d5ecc
+.git
+!.git/HEAD
+!.git/refs
+
+# Common development/test artifacts
+/cover/
+/doc/
+/test/
+/tmp/
+.elixir_ls
+
+# Mix artifacts
+/_build/
+/deps/
+*.ez
+
+# Generated on crash by the VM
+erl_crash.dump
+
+# Static artifacts - These should be fetched and built inside the Docker image
+/assets/node_modules/
+/priv/static/assets/
+/priv/static/cache_manifest.json

nexus/Dockerfile

@@ -0,0 +1,97 @@
+# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian
+# instead of Alpine to avoid DNS resolution issues in production.
+#
+# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
+# https://hub.docker.com/_/ubuntu?tab=tags
+#
+# This file is based on these images:
+#
+#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
+#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20231009-slim - for the release image
+#   - https://pkgs.org/ - resource for finding needed packages
+#   - Ex: hexpm/elixir:1.16.0-erlang-26.2.1-debian-bullseye-20231009-slim
+#
+ARG ELIXIR_VERSION=1.17.2
+ARG OTP_VERSION=27.0.1
+ARG DEBIAN_VERSION=bookworm-20240701-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
+FROM ${BUILDER_IMAGE} as builder
+
+# install build dependencies
+RUN apt-get update -y && apt-get install -y build-essential git pkg-config libssl-dev \
+    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# prepare build dir
+WORKDIR /app
+
+# install hex + rebar
+RUN mix local.hex --force && \
+    mix local.rebar --force
+
+# set build ENV
+ENV MIX_ENV="prod"
+
+# install mix dependencies
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
+
+# copy compile-time config files before we compile dependencies
+# to ensure any relevant config change will trigger the dependencies
+# to be re-compiled.
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
+
+COPY priv priv
+
+COPY lib lib
+
+COPY assets assets
+
+# compile assets
+RUN mix assets.deploy
+
+# Compile the release
+RUN mix compile
+
+# Changes to config/runtime.exs don't require recompiling the code
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
+
+# start a new build stage so that the final image will only contain
+# the compiled release and other runtime necessities
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && \
+  apt-get install -y libstdc++6 openssl libncurses5 locales ca-certificates \
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# Set the locale
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR "/app"
+RUN chown nobody /app
+
+# set runner ENV
+ENV MIX_ENV="prod"
+
+# Only copy the final release from the build stage
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/nexus ./
+
+USER nobody
+
+# If using an environment that doesn't automatically reap zombie processes, it is
+# advised to add an init process such as tini via `apt-get install`
+# above and adding an entrypoint. See https://github.com/krallin/tini for details
+# ENTRYPOINT ["/tini", "--"]
+
+CMD ["/app/bin/server"]

nexus/README.md

@@ -16,7 +16,45 @@ mix phx.server
 Now you can visit [`localhost:4000`](http://localhost:4000) from your browser.
 If you join from another tab/browser on the same device, you should see two streams.
 
-### Caveats
+## Running with Docker
+
+You can also run Nexus using Docker.
+
+Build an image (or use `ghcr.io/elixir-webrtc/apps/nexus:latest`):
+
+```
+docker build -t nexus .
+```
+
+and run:
+
+```
+docker run \
+    -e SECRET_KEY_BASE="secert" \
+    -e PHX_HOST=localhost \
+    -e ADMIN_USERNAME=admin \
+    -e ADMIN_PASSWORD=admin \
+    --network host \
+    nexus
+```
+
+Note that secret has to be at least 64 bytes long.
+You can generate one with `mix phx.gen.secret`.
+
+If you are running on MacOS, instead of using `--network host` option, you have to explicitly publish ports:
+
+```
+docker run \
+    -e SECRET_KEY_BASE="secert" \
+    -e PHX_HOST=localhost \
+    -e ADMIN_USERNAME=admin \
+    -e ADMIN_PASSWORD=admin \
+    -p 4000:4000 \
+    -p 50000-50010/udp \
+    nexus
+```
+
+## Caveats
 
 Seeing as access to video and audio devices requires the browser to be
 in a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts),

nexus/config/dev.exs

@@ -51,9 +51,6 @@ config :nexus, NexusWeb.Endpoint,
     ]
   ]
 
-# Enable dev routes for dashboard and mailbox
-config :nexus, dev_routes: true
-
 # Do not include metadata nor timestamps in development logs
 config :logger, :console, format: "[$level] $message\n"
 

nexus/config/runtime.exs

@@ -16,10 +16,25 @@ import Config
 #
 # Alternatively, you can use `mix phx.gen.release` to generate a `bin/server`
 # script that automatically sets the env var above.
+read_ice_port_range! = fn ->
+  case System.get_env("ICE_PORT_RANGE") do
+    nil ->
+      [0]
+
+    raw_port_range ->
+      case String.split(raw_port_range, "-", parts: 2) do
+        [from, to] -> String.to_integer(from)..String.to_integer(to)
+        _other -> raise "ICE_PORT_RANGE has to be in form of FROM-TO, passed: #{raw_port_range}"
+      end
+  end
+end
+
 if System.get_env("PHX_SERVER") do
   config :nexus, NexusWeb.Endpoint, server: true
 end
 
+config :nexus, ice_port_range: read_ice_port_range!.()
+
 if config_env() == :prod do
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you

nexus/lib/nexus/application.ex

@@ -8,16 +8,7 @@ defmodule Nexus.Application do
   @version Mix.Project.config()[:version]
 
   @spec version() :: String.t()
-  def version() do
-    "v#{@version} #{commit()}"
-  end
-
-  defp commit() do
-    case System.cmd("git", ["rev-parse", "--short", "HEAD"]) do
-      {hash, 0} -> "(#{String.trim(hash)})"
-      _ -> ""
-    end
-  end
+  def version(), do: @version
 
   @impl true
   def start(_type, _args) do

nexus/lib/nexus/peer.ex

@@ -100,7 +100,9 @@ defmodule Nexus.Peer do
   @impl true
   def init([id, channel, peer_ids]) do
     Logger.debug("Starting new peer #{id}")
-    {:ok, pc} = PeerConnection.start_link(@opts)
+    ice_port_range = Application.fetch_env!(:nexus, :ice_port_range)
+    pc_opts = @opts ++ [ice_port_range: ice_port_range]
+    {:ok, pc} = PeerConnection.start_link(pc_opts)
     Process.monitor(pc)
     Logger.debug("Starting peer connection #{inspect(pc)}")
 

nexus/mix.exs

@@ -4,7 +4,7 @@ defmodule Nexus.MixProject do
   def project do
     [
       app: :nexus,
-      version: "0.1.0",
+      version: "0.1.0-dev",
       elixir: "~> 1.14",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,

nexus/mix.lock

@@ -21,7 +21,7 @@
   "ex_sdp": {:hex, :ex_sdp, "0.17.0", "4c50e7814f01f149c0ccf258fba8428f8567dffecf1c416ec3f6aaaac607a161", [:mix], [{:bunch, "~> 1.3", [hex: :bunch, repo: "hexpm", optional: false]}, {:elixir_uuid, "~> 1.2", [hex: :elixir_uuid, repo: "hexpm", optional: false]}], "hexpm", "c7fe0625902be2a835b5fe6834a189f7db7639d2625c8e9d8b3564e6d704145f"},
   "ex_stun": {:hex, :ex_stun, "0.2.0", "feb1fc7db0356406655b2a617805e6c712b93308c8ea2bf0ba1197b1f0866deb", [:mix], [], "hexpm", "1e01ba8290082ccbf37acaa5190d1f69b51edd6de2026a8d6d51368b29d115d0"},
   "ex_turn": {:hex, :ex_turn, "0.1.0", "177405aadf3d754567d0d37cf881a83f9cacf8f45314d188633b04c4a9e7c1ec", [:mix], [{:ex_stun, "~> 0.2.0", [hex: :ex_stun, repo: "hexpm", optional: false]}], "hexpm", "d677737fb7d45274d5dac19fe3c26b9038b6effbc0a6b3e7417bccc76b6d1cd3"},
-  "ex_webrtc": {:git, "https://github.com/elixir-webrtc/ex_webrtc.git", "3afedc65ed457e9f362b274dc19f53916d0bd38a", []},
+  "ex_webrtc": {:git, "https://github.com/elixir-webrtc/ex_webrtc.git", "ef355c055574f498afd448783d7fd510da7b4d20", []},
   "ex_webrtc_dashboard": {:git, "https://github.com/elixir-webrtc/ex_webrtc_dashboard.git", "40b67a6399dab5eebaa0434edad74fbc747187bd", []},
   "file_system": {:hex, :file_system, "1.0.0", "b689cc7dcee665f774de94b5a832e578bd7963c8e637ef940cd44327db7de2cd", [:mix], [], "hexpm", "6752092d66aec5a10e662aefeed8ddb9531d79db0bc145bb8c40325ca1d8536d"},
   "finch": {:hex, :finch, "0.18.0", "944ac7d34d0bd2ac8998f79f7a811b21d87d911e77a786bc5810adb75632ada4", [:mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.3", [hex: :mint, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.4 or ~> 1.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 0.2.6 or ~> 1.0", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "69f5045b042e531e53edc2574f15e25e735b522c37e2ddb766e15b979e03aa65"},
@@ -45,7 +45,7 @@
   "plug": {:hex, :plug, "1.16.1", "40c74619c12f82736d2214557dedec2e9762029b2438d6d175c5074c933edc9d", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2 or ~> 2.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a13ff6b9006b03d7e33874945b2755253841b238c34071ed85b0e86057f8cddc"},
   "plug_crypto": {:hex, :plug_crypto, "2.1.0", "f44309c2b06d249c27c8d3f65cfe08158ade08418cf540fd4f72d4d6863abb7b", [:mix], [], "hexpm", "131216a4b030b8f8ce0f26038bc4421ae60e4bb95c5cf5395e1421437824c4fa"},
   "qex": {:hex, :qex, "0.5.1", "0d82c0f008551d24fffb99d97f8299afcb8ea9cf99582b770bd004ed5af63fd6", [:mix], [], "hexpm", "935a39fdaf2445834b95951456559e9dc2063d0a055742c558a99987b38d6bab"},
-  "req": {:hex, :req, "0.5.2", "70b4976e5fbefe84e5a57fd3eea49d4e9aa0ac015301275490eafeaec380f97f", [:mix], [{:brotli, "~> 0.3.1", [hex: :brotli, repo: "hexpm", optional: true]}, {:ezstd, "~> 1.0", [hex: :ezstd, repo: "hexpm", optional: true]}, {:finch, "~> 0.17", [hex: :finch, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mime, "~> 2.0.6 or ~> 2.1", [hex: :mime, repo: "hexpm", optional: false]}, {:nimble_csv, "~> 1.0", [hex: :nimble_csv, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "0c63539ab4c2d6ced6114d2684276cef18ac185ee00674ee9af4b1febba1f986"},
+  "req": {:hex, :req, "0.5.4", "e375e4812adf83ffcf787871d7a124d873e983e3b77466e6608b973582f7f837", [:mix], [{:brotli, "~> 0.3.1", [hex: :brotli, repo: "hexpm", optional: true]}, {:ezstd, "~> 1.0", [hex: :ezstd, repo: "hexpm", optional: true]}, {:finch, "~> 0.17", [hex: :finch, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mime, "~> 2.0.6 or ~> 2.1", [hex: :mime, repo: "hexpm", optional: false]}, {:nimble_csv, "~> 1.0", [hex: :nimble_csv, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "a17998ffe2ef54f79bfdd782ef9f4cbf987d93851e89444cbc466a6a25eee494"},
   "shmex": {:hex, :shmex, "0.5.1", "81dd209093416bf6608e66882cb7e676089307448a1afd4fc906c1f7e5b94cf4", [:mix], [{:bunch_native, "~> 0.5.0", [hex: :bunch_native, repo: "hexpm", optional: false]}, {:bundlex, "~> 1.0", [hex: :bundlex, repo: "hexpm", optional: false]}], "hexpm", "c29f8286891252f64c4e1dac40b217d960f7d58def597c4e606ff8fbe71ceb80"},
   "tailwind": {:hex, :tailwind, "0.2.3", "277f08145d407de49650d0a4685dc062174bdd1ae7731c5f1da86163a24dfcdb", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}], "hexpm", "8e45e7a34a676a7747d04f7913a96c770c85e6be810a1d7f91e713d3a3655b5d"},
   "telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"},

nexus/rel/overlays/bin/server

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+
+cd -P -- "$(dirname -- "$0")"
+PHX_SERVER=true exec ./nexus start

nexus/rel/overlays/bin/server.bat

@@ -0,0 +1,2 @@
+set PHX_SERVER=true
+call "%~dp0\nexus" start

recognizer/config/dev.exs

@@ -9,7 +9,7 @@ import Config
 config :recognizer, RecognizerWeb.Endpoint,
   # Binding to loopback ipv4 address prevents access from other machines.
   # Change to `ip: {0, 0, 0, 0}` to allow access from other machines.
-  http: [ip: {127, 0, 0, 1}, port: 5002],
+  http: [ip: {127, 0, 0, 1}, port: 4000],
   check_origin: false,
   code_reloader: true,
   debug_errors: true,
@@ -52,8 +52,9 @@ config :recognizer, RecognizerWeb.Endpoint,
     ]
   ]
 
-# Enable dev routes for dashboard and mailbox
-config :recognizer, dev_routes: true
+config :recognizer,
+  admin_username: "admin",
+  admin_password: "admin"
 
 # Do not include metadata nor timestamps in development logs
 config :logger, :console, level: :info, format: "[$level] $message\n"