feat: add HaRP support (#247)

resolves #230

todo: adjust NC admin docs

---------

Signed-off-by: Anupam Kumar <kyteinsky@gmail.com>

Author: kyteinsky

Dockerfile

@@ -25,6 +25,8 @@ ADD dockerfile_scripts/install_py11.sh dockerfile_scripts/install_py11.sh
 RUN ./dockerfile_scripts/install_py11.sh
 ADD dockerfile_scripts/pgsql dockerfile_scripts/pgsql
 RUN ./dockerfile_scripts/pgsql/install.sh
+ADD dockerfile_scripts/install_frpc.sh dockerfile_scripts/install_frpc.sh
+RUN ./dockerfile_scripts/install_frpc.sh
 RUN apt-get autoclean
 ADD dockerfile_scripts/entrypoint.sh dockerfile_scripts/entrypoint.sh
 
@@ -48,6 +50,7 @@ COPY config.?pu.yaml .
 COPY logger_config.yaml .
 COPY logger_config_em.yaml .
 COPY hwdetect.sh .
+COPY harp_connect.sh .
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 
 ENTRYPOINT ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

README.md

@@ -14,8 +14,6 @@
 > An end-to-end example for dev setups on how to build and register the backend manually (with CUDA) is at the end of this readme
 >
 > See the [NC Admin docs](https://docs.nextcloud.com/server/latest/admin_manual/ai/app_context_chat.html) for requirements and known limitations.
->
-> HaRP is not supported in this app yet, please use Docker Socket Proxy (DSP) as the Deploy Daemon in AppAPI.
 
 ## Install
 

appinfo/info.xml

@@ -19,8 +19,6 @@ Install the given apps for Context Chat to work as desired **in the given order*
 - Text2Text Task Processing Provider like [llm2 from the External Apps page](https://apps.nextcloud.com/apps/llm2) or [integration_openai from the Apps page](https://apps.nextcloud.com/apps/integration_openai)
 
 Setup background job workers as described here: https://docs.nextcloud.com/server/latest/admin_manual/ai/overview.html#improve-ai-task-pickup-speed
-
-HaRP is not supported in this app yet, please use Docker Socket Proxy (DSP) as the Deploy Daemon in AppAPI.
 ]]></description>
 	<version>5.1.0</version>
 	<licence>agpl</licence>

dockerfile_scripts/install_frpc.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+
+# Download and install FRP client
+set -ex; \
+	ARCH=$(uname -m); \
+	if [ "$ARCH" = "aarch64" ]; then \
+		FRP_URL="https://raw.githubusercontent.com/nextcloud/HaRP/dadcb7cfeb7a6d058ca2acb5622807269239f369/exapps_dev/frp_0.61.1_linux_arm64.tar.gz"; \
+	else \
+		FRP_URL="https://raw.githubusercontent.com/nextcloud/HaRP/dadcb7cfeb7a6d058ca2acb5622807269239f369/exapps_dev/frp_0.61.1_linux_amd64.tar.gz"; \
+	fi; \
+	echo "Downloading FRP client from $FRP_URL"; \
+	curl -L "$FRP_URL" -o /tmp/frp.tar.gz; \
+	tar -C /tmp -xzf /tmp/frp.tar.gz; \
+	mv /tmp/frp_0.61.1_linux_* /tmp/frp; \
+	cp /tmp/frp/frpc /usr/local/bin/frpc; \
+	chmod +x /usr/local/bin/frpc; \
+	rm -rf /tmp/frp /tmp/frp.tar.gz

harp_connect.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -e
+
+# Only create a config file if HP_SHARED_KEY is set.
+if [ -n "$HP_SHARED_KEY" ]; then
+    echo "HP_SHARED_KEY is set, creating /frpc.toml configuration file..."
+    if [ -d "/certs/frp" ]; then
+        echo "Found /certs/frp directory. Creating configuration with TLS certificates."
+        cat <<EOF > /frpc.toml
+serverAddr = "$HP_FRP_ADDRESS"
+serverPort = $HP_FRP_PORT
+loginFailExit = false
+
+transport.tls.enable = true
+transport.tls.certFile = "/certs/frp/client.crt"
+transport.tls.keyFile = "/certs/frp/client.key"
+transport.tls.trustedCaFile = "/certs/frp/ca.crt"
+transport.tls.serverName = "harp.nc"
+
+metadatas.token = "$HP_SHARED_KEY"
+
+[[proxies]]
+remotePort = $APP_PORT
+type = "tcp"
+name = "$APP_ID"
+[proxies.plugin]
+type = "unix_domain_socket"
+unixPath = "/tmp/exapp.sock"
+EOF
+    else
+        echo "Directory /certs/frp not found. Creating configuration without TLS certificates."
+        cat <<EOF > /frpc.toml
+serverAddr = "$HP_FRP_ADDRESS"
+serverPort = $HP_FRP_PORT
+loginFailExit = false
+
+transport.tls.enable = false
+
+metadatas.token = "$HP_SHARED_KEY"
+
+[[proxies]]
+remotePort = $APP_PORT
+type = "tcp"
+name = "$APP_ID"
+[proxies.plugin]
+type = "unix_domain_socket"
+unixPath = "/tmp/exapp.sock"
+EOF
+    fi
+else
+    echo "Skipping HaRP configuration as HP_SHARED_KEY is not set."
+fi
+
+# If we have a configuration file and the shared key is present, start the FRP client
+if [ -f /frpc.toml ] && [ -n "$HP_SHARED_KEY" ]; then
+    echo "Starting frpc..."
+    /usr/local/bin/frpc -c /frpc.toml
+fi

main.py

@@ -7,10 +7,10 @@
 from os import getenv
 
 import uvicorn
+from nc_py_api.ex_app import run_app
 
 from context_chat_backend.types import TConfig  # isort: skip
 from context_chat_backend.controller import app  # isort: skip
-from context_chat_backend.utils import to_int  # isort: skip
 from context_chat_backend.logger import get_logging_config, setup_logging  # isort: skip
 
 LOGGER_CONFIG_NAME = 'logger_config.yaml'
@@ -56,10 +56,8 @@ def _setup_log_levels(debug: bool):
 	uv_log_config['loggers']['uvicorn']['handlers'].append('file_json')
 	uv_log_config['loggers']['uvicorn.access']['handlers'].append('file_json')
 
-	uvicorn.run(
-		app=app,
-		host=getenv('APP_HOST', '127.0.0.1'),
-		port=to_int(getenv('APP_PORT'), 9000),
+	run_app(
+		uvicorn_app=app,
 		http='h11',
 		interface='asgi3',
 		log_config=uv_log_config,

main_em.py

@@ -23,6 +23,25 @@
 MAX_TRIES = 180  # 30 minutes max
 
 
+def _get_main_app_httpx_client_host() -> tuple[httpx.Client, str]:
+	"""Get an HTTPX client to connect to the main app, depending on the deployment type.
+
+	The second return value is the base URL to use for the main app.
+	Returns
+	-------
+		httpx.Client: The HTTPX client.
+		str: The base URL to use for the main app.
+	"""
+	_headers = {}
+	sign_request(_headers)
+	if os.getenv('HP_SHARED_KEY'):
+		transport = httpx.HTTPTransport(uds=os.getenv('HP_EXAPP_SOCK', '/tmp/exapp.sock'))  # noqa: S108
+		return httpx.Client(transport=transport, headers=_headers), 'main_app'
+
+	connect_host = 'localhost' if os.environ['APP_HOST'] in ('0.0.0.0', '::') else os.environ['APP_HOST']  # noqa: S104
+	return httpx.Client(headers=_headers), f'{connect_host}:{os.environ["APP_PORT"]}'
+
+
 if __name__ == '__main__':
 	# intial buffer
 	sleep(STARTUP_CHECK_SEC)
@@ -47,30 +66,28 @@
 	_max_tries = MAX_TRIES
 	_enabled = False
 	_last_err = None
-	_headers = {}
-	sign_request(_headers)
+	client, base_url = _get_main_app_httpx_client_host()
 	# wait for the main process to be ready, check the /enabled endpoint
 	while _max_tries > 0:
-		with httpx.Client() as client:
-			try:
-				ret = client.get(f'http://{os.environ["APP_HOST"]}:{os.environ["APP_PORT"]}/enabled', headers=_headers)
-				ret.raise_for_status()
-
-				if not ret.json().get('enabled', False):
-					raise RuntimeError('Main app is not enabled, sleeping for a while...')
-			except (httpx.RequestError, RuntimeError) as e:
-				print(
-					f'{MAX_TRIES-_max_tries+1}/{MAX_TRIES}:'
-					f' [Embedding server] Waiting for the main app to be enabled/ready: {e}',
-					flush=True,
-				)
-				_last_err = e
-				sleep(STARTUP_CHECK_SEC)
-				_max_tries -= 1
-				continue
-
-			_enabled = True
-			break
+		try:
+			ret = client.get(f'http://{base_url}/enabled')
+			ret.raise_for_status()
+
+			if not ret.json().get('enabled', False):
+				raise RuntimeError('Main app is not enabled, sleeping for a while...')
+		except (httpx.RequestError, RuntimeError) as e:
+			print(
+				f'{MAX_TRIES-_max_tries+1}/{MAX_TRIES}:'
+				f' [Embedding server] Waiting for the main app to be enabled/ready: {e}',
+				flush=True,
+			)
+			_last_err = e
+			sleep(STARTUP_CHECK_SEC)
+			_max_tries -= 1
+			continue
+
+		_enabled = True
+		break
 
 	if not _enabled:
 		logger.error(

supervisord.conf

@@ -35,3 +35,14 @@ autorestart=unexpected
 startsecs=120
 directory=/app
 command=python3 -u /app/main_em.py
+
+[program:frpc]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=unexpected
+startsecs=0
+directory=/app
+command=/app/harp_connect.sh