[Nexus] Add docker image and set up CD (#32)

Author: mickel8

.github/workflows/__CD__deploy-image.yml

@@ -17,6 +17,10 @@ on:
         required: true
       ice-port-range:
         required: true
+      admin-username:
+        required: true
+      admin-password:
+        required: true
 
 jobs:
   deploy-image:
@@ -34,5 +38,14 @@ jobs:
             export TAG=${TAG#*-v}
             docker stop ${{ inputs.app-name }}
             docker rm ${{ inputs.app-name }}
-            docker run -d --restart unless-stopped --name ${{ inputs.app-name }} -e SECRET_KEY_BASE=${{ secrets.secret-key-base }} -e PHX_HOST=${{ secrets.phx-host }} -e ICE_PORT_RANGE=${{ secrets.ice-port-range }} --network host ghcr.io/elixir-webrtc/apps/${{ inputs.app-name }}:${TAG}
+            docker run -d \
+              --restart unless-stopped \
+              --name ${{ inputs.app-name }} \
+              -e SECRET_KEY_BASE=${{ secrets.secret-key-base }} \
+              -e PHX_HOST=${{ secrets.phx-host }} \
+              -e ICE_PORT_RANGE=${{ secrets.ice-port-range }} \
+              -e ADMIN_USERNAME=${{ secrets.admin-username }} \
+              -e ADMIN_PASSWORD=${{ secrets.admin-password }} \
+              --network host \
+              ghcr.io/elixir-webrtc/apps/${{ inputs.app-name }}:${TAG}
             docker image prune --all --force

.github/workflows/__CD__nexus.yml

@@ -0,0 +1,32 @@
+name: Nexus CD 
+
+on:
+  push:
+    tags:
+      - "nexus-v*.*.*"
+
+permissions:
+  contents: read
+  packages: write
+
+jobs: 
+  build-publish-nexus-image:
+    name: "Build and publish Nexus image"
+    uses: ./.github/workflows/__CD__build-publish-image.yml
+    with:
+      app-name: nexus
+  deploy-nexus:
+    name: "Deploy Nexus image"
+    needs: build-publish-nexus-image
+    uses: ./.github/workflows/__CD__deploy-image.yml
+    with:
+      app-name: nexus
+    secrets:
+      ssh-host: ${{ secrets.NEXUS_SSH_HOST }}
+      ssh-username: ${{ secrets.NEXUS_SSH_USERNAME }}
+      ssh-priv-key: ${{ secrets.NEXUS_SSH_PRIV_KEY }}
+      secret-key-base: ${{ secrets.NEXUS_SECRET_KEY_BASE }}
+      phx-host: ${{ secrets.NEXUS_PHX_HOST }}
+      ice-port-range: ${{ secrets.NEXUS_ICE_PORT_RANGE }}
+      admin-username: ${{ secrets.NEXUS_ADMIN_USERNAME }}
+      admin-password: ${{ secrets.NEXUS_ADMIN_PASSWORD }}

.github/workflows/__CD__recognizer.yml

@@ -28,3 +28,5 @@ jobs:
       secret-key-base: ${{ secrets.RECOGNIZER_SECRET_KEY_BASE }}
       phx-host: ${{ secrets.RECOGNIZER_PHX_HOST }}
       ice-port-range: ${{ secrets.RECOGNIZER_ICE_PORT_RANGE }}
+      admin-username: ${{ secrets.RECOGNIZER_ADMIN_USERNAME }}
+      admin-password: ${{ secrets.RECOGNIZER_ADMIN_PASSWORD }}

broadcaster/config/dev.exs

@@ -51,9 +51,6 @@ config :broadcaster, BroadcasterWeb.Endpoint,
     ]
   ]
 
-# Enable dev routes for dashboard and mailbox
-config :broadcaster, dev_routes: true
-
 # Do not include metadata nor timestamps in development logs
 config :logger, :console, format: "[$level] $message\n"
 

nexus/.dockerignore

@@ -0,0 +1,45 @@
+# This file excludes paths from the Docker build context.
+#
+# By default, Docker's build context includes all files (and folders) in the
+# current directory. Even if a file isn't copied into the container it is still sent to
+# the Docker daemon.
+#
+# There are multiple reasons to exclude files from the build context:
+#
+# 1. Prevent nested folders from being copied into the container (ex: exclude
+#    /assets/node_modules when copying /assets)
+# 2. Reduce the size of the build context and improve build time (ex. /build, /deps, /doc)
+# 3. Avoid sending files containing sensitive information
+#
+# More information on using .dockerignore is available here:
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+.dockerignore
+
+# Ignore git, but keep git HEAD and refs to access current commit hash if needed:
+#
+# $ cat .git/HEAD | awk '{print ".git/"$2}' | xargs cat
+# d0b8727759e1e0e7aa3d41707d12376e373d5ecc
+.git
+!.git/HEAD
+!.git/refs
+
+# Common development/test artifacts
+/cover/
+/doc/
+/test/
+/tmp/
+.elixir_ls
+
+# Mix artifacts
+/_build/
+/deps/
+*.ez
+
+# Generated on crash by the VM
+erl_crash.dump
+
+# Static artifacts - These should be fetched and built inside the Docker image
+/assets/node_modules/
+/priv/static/assets/
+/priv/static/cache_manifest.json

nexus/Dockerfile

@@ -0,0 +1,97 @@
+# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian
+# instead of Alpine to avoid DNS resolution issues in production.
+#
+# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
+# https://hub.docker.com/_/ubuntu?tab=tags
+#
+# This file is based on these images:
+#
+#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
+#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20231009-slim - for the release image
+#   - https://pkgs.org/ - resource for finding needed packages
+#   - Ex: hexpm/elixir:1.16.0-erlang-26.2.1-debian-bullseye-20231009-slim
+#
+ARG ELIXIR_VERSION=1.17.2
+ARG OTP_VERSION=27.0.1
+ARG DEBIAN_VERSION=bookworm-20240701-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
+FROM ${BUILDER_IMAGE} as builder
+
+# install build dependencies
+RUN apt-get update -y && apt-get install -y build-essential git pkg-config libssl-dev \
+    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# prepare build dir
+WORKDIR /app
+
+# install hex + rebar
+RUN mix local.hex --force && \
+    mix local.rebar --force
+
+# set build ENV
+ENV MIX_ENV="prod"
+
+# install mix dependencies
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
+
+# copy compile-time config files before we compile dependencies
+# to ensure any relevant config change will trigger the dependencies
+# to be re-compiled.
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
+
+COPY priv priv
+
+COPY lib lib
+
+COPY assets assets
+
+# compile assets
+RUN mix assets.deploy
+
+# Compile the release
+RUN mix compile
+
+# Changes to config/runtime.exs don't require recompiling the code
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
+
+# start a new build stage so that the final image will only contain
+# the compiled release and other runtime necessities
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && \
+  apt-get install -y libstdc++6 openssl libncurses5 locales ca-certificates \
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# Set the locale
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR "/app"
+RUN chown nobody /app
+
+# set runner ENV
+ENV MIX_ENV="prod"
+
+# Only copy the final release from the build stage
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/nexus ./
+
+USER nobody
+
+# If using an environment that doesn't automatically reap zombie processes, it is
+# advised to add an init process such as tini via `apt-get install`
+# above and adding an entrypoint. See https://github.com/krallin/tini for details
+# ENTRYPOINT ["/tini", "--"]
+
+CMD ["/app/bin/server"]

nexus/README.md

@@ -16,7 +16,45 @@ mix phx.server
 Now you can visit [`localhost:4000`](http://localhost:4000) from your browser.
 If you join from another tab/browser on the same device, you should see two streams.
 
-### Caveats
+## Running with Docker
+
+You can also run Nexus using Docker.
+
+Build an image (or use `ghcr.io/elixir-webrtc/apps/nexus:latest`):
+
+```
+docker build -t nexus .
+```
+
+and run:
+
+```
+docker run \
+    -e SECRET_KEY_BASE="secert" \
+    -e PHX_HOST=localhost \
+    -e ADMIN_USERNAME=admin \
+    -e ADMIN_PASSWORD=admin \
+    --network host \
+    nexus
+```
+
+Note that secret has to be at least 64 bytes long.
+You can generate one with `mix phx.gen.secret`.
+
+If you are running on MacOS, instead of using `--network host` option, you have to explicitly publish ports:
+
+```
+docker run \
+    -e SECRET_KEY_BASE="secert" \
+    -e PHX_HOST=localhost \
+    -e ADMIN_USERNAME=admin \
+    -e ADMIN_PASSWORD=admin \
+    -p 4000:4000 \
+    -p 50000-50010/udp \
+    nexus
+```
+
+## Caveats
 
 Seeing as access to video and audio devices requires the browser to be
 in a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts),

nexus/config/dev.exs

@@ -51,9 +51,6 @@ config :nexus, NexusWeb.Endpoint,
     ]
   ]
 
-# Enable dev routes for dashboard and mailbox
-config :nexus, dev_routes: true
-
 # Do not include metadata nor timestamps in development logs
 config :logger, :console, format: "[$level] $message\n"
 

nexus/config/runtime.exs

@@ -16,10 +16,25 @@ import Config
 #
 # Alternatively, you can use `mix phx.gen.release` to generate a `bin/server`
 # script that automatically sets the env var above.
+read_ice_port_range! = fn ->
+  case System.get_env("ICE_PORT_RANGE") do
+    nil ->
+      [0]
+
+    raw_port_range ->
+      case String.split(raw_port_range, "-", parts: 2) do
+        [from, to] -> String.to_integer(from)..String.to_integer(to)
+        _other -> raise "ICE_PORT_RANGE has to be in form of FROM-TO, passed: #{raw_port_range}"
+      end
+  end
+end
+
 if System.get_env("PHX_SERVER") do
   config :nexus, NexusWeb.Endpoint, server: true
 end
 
+config :nexus, ice_port_range: read_ice_port_range!.()
+
 if config_env() == :prod do
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you

nexus/lib/nexus/application.ex

@@ -8,16 +8,7 @@ defmodule Nexus.Application do
   @version Mix.Project.config()[:version]
 
   @spec version() :: String.t()
-  def version() do
-    "v#{@version} #{commit()}"
-  end
-
-  defp commit() do
-    case System.cmd("git", ["rev-parse", "--short", "HEAD"]) do
-      {hash, 0} -> "(#{String.trim(hash)})"
-      _ -> ""
-    end
-  end
+  def version(), do: @version
 
   @impl true
   def start(_type, _args) do