feat(sfu): easy deploy

Author: BreadGenie

.github/workflows/build-sfu.yml

@@ -6,6 +6,17 @@ on:
       - develop
     paths:
       - "sfu-server/**"
+      - "types/**"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Image tag (default: latest)"
+        required: false
+        default: "latest"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: frappe/meet/sfu-server
 
 jobs:
   build-and-push:
@@ -18,17 +29,34 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ github.event.inputs.tag || 'latest' }},enable=${{ github.event_name == 'workflow_dispatch' }}
+            type=sha,prefix=,format=short
+            type=ref,event=branch
+
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./sfu-server/Dockerfile
           push: true
-          tags: ghcr.io/frappe/meet/sfu-server:latest
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

sfu-server/README.md

@@ -1 +1,84 @@
 # Frappe Meet SFU Server
+
+Mediasoup-based Selective Forwarding Unit (SFU) for Frappe Meet.
+
+
+## Production Deployment
+
+### Prerequisites
+
+- A server with Docker and Docker Compose v2 installed
+- A domain pointing to the server (e.g., `sfu.example.com`)
+- Ports open: `80/tcp`, `443/tcp`, `40000-40200/udp`
+
+### Quick Start
+
+```bash
+# Install on the server (downloads deploy files to /opt/meet-sfu)
+curl -fsSL https://raw.githubusercontent.com/frappe/meet/develop/sfu-server/deploy/install.sh | bash
+
+# Configure
+cd /opt/meet-sfu
+nano .env
+```
+
+Set the required values in `.env`:
+
+| Variable | Description | Example |
+|---|---|---|
+| `JWT_SECRET` | Shared secret with Frappe (generate: `openssl rand -base64 32`) | `a1B2c3D4...` |
+| `WEBRTC_ANNOUNCED_IP` | Server's public IP (find: `curl -4 ifconfig.me`) | `203.0.113.10` |
+| `DOMAIN` | Domain pointing to this server | `sfu.example.com` |
+| `SSL_EMAIL` | Email for Let's Encrypt notifications | `admin@example.com` |
+
+Then run setup:
+
+```bash
+./deploy.sh setup
+```
+
+This will pull the SFU image, provision an SSL certificate, and start everything.
+
+### Frappe Configuration
+
+Add to your Frappe site's `site_config.json`:
+
+```json
+{
+  "sfu_server_url": "https://sfu.example.com",
+  "sfu_secret": "<same JWT_SECRET from .env>"
+}
+```
+
+### Management Commands
+
+```bash
+./deploy.sh start      # Start all services
+./deploy.sh stop       # Stop all services
+./deploy.sh restart    # Restart all services
+./deploy.sh update     # Pull latest image and restart SFU
+./deploy.sh logs       # Tail logs (use: ./deploy.sh logs sfu)
+./deploy.sh status     # Show health and container status
+./deploy.sh ssl-renew  # Force SSL certificate renewal
+```
+
+### Deploying Behind Cloudflare / Reverse Proxy
+
+If SSL is handled upstream, set `DISABLE_SSL=true` in `.env`. This runs nginx on port 80 only and skips certificate provisioning.
+
+### Updating
+
+When new changes are pushed to `develop`, the GitHub Actions workflow builds and pushes a new Docker image. To update the SFU on your server:
+
+```bash
+cd /opt/meet-sfu
+./deploy.sh update
+```
+
+### Firewall Rules
+
+| Port | Protocol | Purpose |
+|---|---|---|
+| 80 | TCP | HTTP / ACME challenges |
+| 443 | TCP | HTTPS |
+| 40000-40200 | UDP | WebRTC media |

sfu-server/deploy/.env.example

@@ -0,0 +1,53 @@
+# ==============================================================================
+# Frappe Meet SFU — Deployment Configuration
+# ==============================================================================
+# Copy this file to .env and fill in the values before running deploy.sh
+#
+#   cp .env.example .env
+#   nano .env
+#   ./deploy.sh setup
+# ==============================================================================
+
+# === Domain & SSL =============================================================
+# The public domain that points to this server (A/AAAA record).
+# Example: https://sfu.meet.example.com
+DOMAIN=https://sfu.example.com
+
+# Email for Let's Encrypt certificate notifications.
+SSL_EMAIL=admin@example.com
+
+# Set to "true" to skip SSL and run nginx on port 80 only.
+# Useful when deploying behind Cloudflare or another reverse proxy that
+# already terminates SSL for you.
+DISABLE_SSL=false
+
+# === SFU Image ================================================================
+# Docker image to pull. The GitHub Actions workflow pushes to this tag.
+SFU_IMAGE=ghcr.io/frappe/meet/sfu-server:latest
+
+# === SFU Server ===============================================================
+# JWT secret — MUST match the "sfu_secret" in your Frappe site_config.json.
+# Generate one with: openssl rand -base64 32
+JWT_SECRET=change-me-to-a-strong-random-string
+
+# Internal port (no need to change unless you know why).
+PORT=3000
+HOST=0.0.0.0
+
+# === WebRTC / Mediasoup =======================================================
+# Your server's PUBLIC IP address. Clients will use this IP for WebRTC media.
+WEBRTC_ANNOUNCED_IP=
+
+# UDP port range for WebRTC media. ~2 ports per participant per media track.
+# 200 ports ≈ 50 concurrent users. Increase if you need more.
+RTC_MIN_PORT=40000
+RTC_MAX_PORT=40200
+
+# Number of mediasoup workers. Leave blank to auto-detect from CPU cores.
+MEDIASOUP_NUM_WORKERS=
+
+# Worker log verbosity: debug | warn | error | none
+MEDIASOUP_WORKER_LOGLEVEL=warn
+
+# === Logging ==================================================================
+SFU_LOG_LEVEL=info

sfu-server/deploy/.gitignore

@@ -0,0 +1,8 @@
+# Active environment file (contains secrets)
+.env
+
+# Let's Encrypt data (managed by Docker volumes, not committed)
+certbot-data/
+
+# Temp files generated during SSL provisioning
+nginx/templates/_acme_temp.conf.template