romm-sfu-server/docker-compose.example.yml at main · TechnicallyComputers/romm-sfu-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
version: "3.8"

services:
  emulatorjs-sfu:
    build:
      context: .
    container_name: emulatorjs-sfu
    restart: unless-stopped
    environment:
      # --- Minimal required config ---
      # RomM internal API (reachable from this container, e.g. when both are in the same Docker network)
      - ROMM_API_BASE_URL=${ROMM_API_BASE_URL:?set ROMM_API_BASE_URL}
      # Shared secret header for SFU -> RomM internal endpoints.
      # SECURITY: must NOT be ROMM_AUTH_SECRET_KEY.
      - ROMM_SFU_INTERNAL_SECRET=${ROMM_SFU_INTERNAL_SECRET:?set ROMM_SFU_INTERNAL_SECRET}

      # --- Common optional overrides (safe defaults in code) ---
      # Signaling port (default 3001). Keep the published ports in sync below.
      - PORT=${PORT:-3001}
      # WebRTC media port (default 20000). Keep the published ports in sync below.
      - WEBRTC_PORT=${WEBRTC_PORT:-20000}

      # ANNOUNCED_IP guidance:
      # - Public internet / behind NAT: set this to the public IP/hostname clients use.
      # - LAN-only: usually safe to omit.
      # - ANNOUNCED_IP=${ANNOUNCED_IP}

      # STUN servers for clients (comma/space separated; you can omit the "stun:" prefix)
      # - SFU_STUN_SERVERS=${SFU_STUN_SERVERS}

      # TURN servers (optional)
      # Recommended (arbitrary count): JSON array of RTCIceServer objects.
      # - SFU_TURN_SERVERS=[{"urls":["turn:turn.example.com:3478?transport=udp"],"username":"user","credential":"pass"}]
      # Simple fallback (up to 4):
      # - SFU_TURN_SERVER1=turn:turn.example.com:3478?transport=udp
      # - SFU_TURN_USER1=user
      # - SFU_TURN_PASS1=pass

      # Optional hardening: disable to enforce strict single connection per userid.
      # - SFU_ALLOW_AUTH_TAKEOVER=0
      # Optional: takeover grace window (seconds). Default is 30.
      # - SFU_AUTH_TAKEOVER_GRACE_SECONDS=30

      # --- Optional policy guards (opt-in) ---
      # The SFU is client-driven; these exist to help detect/deny unexpected client behavior.
      # If set, compare VP9 SVC scalabilityMode against this value.
      # - SFU_EXPECT_VP9_SVC_MODE=L2T3
      # Strict mode: reject VP9 producers if mode mismatches (requires SFU_EXPECT_VP9_SVC_MODE).
      # - SFU_ENFORCE_VP9_SVC_MODE=1
      # Strict mode: reject simulcast producers that publish anything other than 2 encodings.
      # - SFU_ENFORCE_2_LAYER_SIMULCAST=1

      # --- Data channel payloads ---
      # RomM netplay data channels are expected to be binary only.
      # Set to 0 to allow text messages over data channels.
      # - SFU_REQUIRE_BINARY_DATA_CHANNEL=1

      # Advanced: override defaults (only if you know why)
      # - USE_WEBRTC_SERVER=1
      # - LISTEN_IP=0.0.0.0
      # - ENABLE_WEBRTC_TCP=1
      # - WEBRTC_UDP_PORT=${WEBRTC_UDP_PORT}
      # - WEBRTC_TCP_PORT=${WEBRTC_TCP_PORT}
      # Alternative (URL form): requires percent-encoding of special chars
      # - SFU_AUTH_REDIS_URL=${SFU_AUTH_REDIS_URL}

    ports:
      - "${PORT:-3001}:${PORT:-3001}/tcp"
      - "${WEBRTC_PORT:-20000}:${WEBRTC_PORT:-20000}/udp"
      - "${WEBRTC_PORT:-20000}:${WEBRTC_PORT:-20000}/tcp"

    # If Valkey is in the same compose project/network, use the service name above.
    # Otherwise, change SFU_AUTH_REDIS_HOST to the correct hostname/IP.