Crude token support.

.env.development

@@ -1,3 +1,3 @@
 PUBLIC_RELAY_SCHEME="http"
 PUBLIC_RELAY_HOST="localhost:4443"
-PUBLIC_RELAY_REGIONS=""
+PUBLIC_DEMO_TOKEN=""

.env.production

@@ -1,3 +1,3 @@
 PUBLIC_RELAY_SCHEME="https"
 PUBLIC_RELAY_HOST="relay.quic.video"
-PUBLIC_RELAY_REGIONS="us-central,europe-west,asia-southeast"
+PUBLIC_DEMO_TOKEN=""

.gitignore

@@ -24,3 +24,6 @@ bun.lockb
 
 # Mac shit
 .DS_Store
+
+# Don't leak me secrets
+.env.production

env.d.ts

@@ -3,7 +3,7 @@
 interface ImportMetaEnv {
 	readonly PUBLIC_RELAY_SCHEME: "http" | "https";
 	readonly PUBLIC_RELAY_HOST: string;
-	readonly PUBLIC_RELAY_REGIONS: string;
+	readonly PUBLIC_DEMO_TOKEN: string;
 }
 
 interface ImportMeta {

infra/.gitignore

@@ -13,8 +13,8 @@ crash.*.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-#*.tfvars
-#*.tfvars.json
+*.tfvars
+*.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

infra/input.tf

@@ -18,9 +18,37 @@ variable "domain" {
   description = "domain name"
 }
 
-variable "docker" {
-  description = "Docker repository prefix"
-  default     = "docker.io/kixelated"
+variable "docker_relay" {
+  description = "Docker image for moq-relay"
+  default     = "docker.io/kixelated/moq-relay:0.7.1"
+}
+
+variable "docker_hang" {
+  description = "Docker image for hang"
+  default     = "docker.io/kixelated/hang:0.3.0"
+}
+
+# A key generated using moq-token generate
+variable "demo_key" {
+  description = "demo key"
+  sensitive   = true
+}
+
+# A token used to publish demo/bbb.hang
+# This is very manual/crude, but I don't want someone to hijack the broadcast.
+variable "demo_token" {
+  description = "demo token"
+  sensitive   = true
+}
+
+variable "root_key" {
+  description = "root key"
+  sensitive   = true
+}
+
+variable "root_token" {
+  description = "root token"
+  sensitive   = true
 }
 
 # Too complicated to specify via flags, so do it here.

infra/pub.tf

@@ -27,9 +27,12 @@ resource "google_compute_instance" "pub" {
   metadata = {
     # cloud-init template
     user-data = templatefile("${path.module}/pub.yml.tpl", {
-      addr   = "relay.${var.domain}"
-      docker = var.docker
-      region = local.pub.region
+      addr         = "relay.${var.domain}"
+      docker_image = var.docker_hang
+      region       = local.pub.region
+
+      # A token used to publish demo/bbb.hang
+      demo_token = var.demo_token
     })
   }
 

infra/pub.yml.tpl

@@ -19,40 +19,15 @@ write_files:
         -e RUST_LOG=debug -e RUST_BACKTRACE=1 \
         -e REGION=${region} \
         --entrypoint hang-bbb \
-        ${docker}/hang \
-        publish "https://relay.quic.video/demo/bbb.hang"
+        ${docker_image} \
+        publish "https://relay.quic.video/demo/${demo_token}"
 
       ExecStop=docker stop hang-bbb
 
       # Take longer and longer to restart the process.
       Restart=always
       RestartSec=10s
 
-  - path: /etc/systemd/system/moq-clock.service
-    permissions: 0644
-    owner: root
-    content: |
-      [Unit]
-      Description=Run moq-clock via docker
-      Requires=docker.service
-      After=docker.service
-
-      [Service]
-      ExecStart=docker run --rm \
-        --name moq-clock \
-        --network="host" \
-        --pull=always \
-        --cap-add=SYS_PTRACE \
-        -e RUST_LOG=info -e RUST_BACKTRACE=1 \
-        ${docker}/moq-clock --publish "https://relay.quic.video/clock"
-      ExecStop=docker stop moq-clock
-
-      # Take longer and longer to restart the process.
-      Restart=always
-      RestartSec=10s
-      RestartSteps=6
-      RestartMaxDelaySec=1m
-
   - path: /etc/docker/daemon.json
     content: |
       { "mtu": 1460 }
@@ -73,29 +48,7 @@ write_files:
       #!/bin/sh
       docker system prune -af
 
-  # Add Watchtower systemd service to restart containers on update
-  - path: /etc/systemd/system/watchtower.service
-    permissions: "0644"
-    owner: root
-    content: |
-      [Unit]
-      Description=Watchtower to auto-update containers
-      After=docker.service
-      Wants=docker.service
-
-      [Service]
-      Restart=on-failure
-      RestartSec=10s
-      ExecStart=docker run --rm \
-        --name watchtower \
-        --volume /var/run/docker.sock:/var/run/docker.sock \
-        containrrr/watchtower \
-        --cleanup \
-        --interval 300
-      ExecStop=docker stop watchtower
-
 runcmd:
   - systemctl daemon-reload
   - systemctl restart docker
   - systemctl start hang-bbb moq-clock
-  - systemctl start watchtower

infra/relay.tf

@@ -29,7 +29,7 @@ resource "google_compute_instance" "relay" {
   metadata = {
     # cloud-init template
     user-data = templatefile("${path.module}/relay.yml.tpl", {
-      docker = var.docker
+      docker_image = var.docker_relay
 
       # The external address and certs
       public_host = var.domain
@@ -46,6 +46,13 @@ resource "google_compute_instance" "relay" {
       # See: https://cloud.google.com/compute/docs/internal-dns
       cluster_node = "relay-${each.key}.${each.value.zone}.c.${var.project}.internal"
       cluster_root = "${local.root}.c.${var.project}.internal"
+
+      # The demo key, used to authenticate the demo broadcast
+      demo_key = var.demo_key
+
+      # The root key and token, used to authenticate nodes
+      root_key   = var.root_key
+      root_token = var.root_token
     })
   }
 
@@ -58,7 +65,7 @@ resource "google_compute_instance" "relay" {
 
   lifecycle {
     # There seems to be a terraform bug causing this to be recreated on every apply
-    # ignore_changes = [boot_disk]
+    ignore_changes = [boot_disk]
   }
 
   allow_stopping_for_update = true

infra/relay.yml.tpl

@@ -37,6 +37,58 @@ write_files:
     permissions: "0644"
     owner: root
 
+  # Write the demo key to disk
+  - path: /etc/moq/demo.jwk
+    content: |
+      ${indent(6, demo_key)}
+    permissions: "0644"
+    owner: root
+
+  # Write the root key to disk
+  - path: /etc/moq/root.jwk
+    content: |
+      ${indent(6, root_key)}
+    permissions: "0644"
+    owner: root
+
+  # Write the root token to disk
+  - path: /etc/moq/root.jwt
+    content: |
+      ${indent(6, root_token)}
+    permissions: "0644"
+    owner: root
+
+  - path: /etc/moq/relay.toml
+    content: |
+      [server]
+      listen = "0.0.0.0:443"
+
+      [[server.tls.cert]]
+      chain = "/etc/cert/${cluster_node}.crt"
+      key = "/etc/cert/${cluster_node}.key"
+
+      [[server.tls.cert]]
+      chain = "/etc/cert/${public_host}.crt"
+      key = "/etc/cert/${public_host}.key"
+
+      [client]
+      tls.root = [ "/etc/cert/internal.ca" ]
+
+      [cluster]
+      connect = "${cluster_root}"
+      advertise = "${cluster_node}"
+      token = "/etc/moq/root.jwk"
+
+      [auth]
+      root = "/etc/moq/root.jwk"
+
+      [auth.paths]
+      demo = "/etc/moq/demo.jwk"
+      anon = ""
+
+    permissions: "0644"
+    owner: root
+
   # Create a systemd service to run the docker image
   - path: /etc/systemd/system/moq-relay.service
     permissions: "0644"
@@ -56,13 +108,9 @@ write_files:
         --pull=always \
         --cap-add=SYS_PTRACE \
         -v "/etc/cert:/etc/cert:ro" \
+        -v "/etc/moq:/etc/moq:ro" \
         -e RUST_LOG=debug -e RUST_BACKTRACE=1 \
-        ${docker}/moq-relay --bind 0.0.0.0:443 \
-        --tls-cert "/etc/cert/${cluster_node}.crt" --tls-key "/etc/cert/${cluster_node}.key" \
-        --tls-cert "/etc/cert/${public_host}.crt" --tls-key "/etc/cert/${public_host}.key" \
-        --tls-root "/etc/cert/internal.ca" \
-        --cluster-root "${cluster_root}" \
-        --cluster-node "${cluster_node}"
+        ${docker_image} /etc/moq/relay.toml
       ExecStop=docker stop moq-relay
 
   # GCP configures a firewall by default that blocks all UDP traffic
@@ -100,29 +148,7 @@ write_files:
       #!/bin/sh
       docker system prune -af
 
-  # Add Watchtower systemd service to restart the container on update
-  - path: /etc/systemd/system/watchtower.service
-    permissions: "0644"
-    owner: root
-    content: |
-      [Unit]
-      Description=Watchtower to auto-update containers
-      After=docker.service
-      Wants=docker.service
-
-      [Service]
-      Restart=on-failure
-      RestartSec=10s
-      ExecStart=docker run --rm \
-        --name watchtower \
-        --volume /var/run/docker.sock:/var/run/docker.sock \
-        containrrr/watchtower \
-        --cleanup \
-        --interval 300
-      ExecStop=docker stop watchtower
-
 runcmd:
   - systemctl daemon-reload
   - systemctl restart docker
   - systemctl start moq-relay
-  - systemctl start watchtower

package.json

@@ -15,19 +15,19 @@
 		"@astrojs/node": "8.3.4",
 		"@astrojs/solid-js": "4.4.4",
 		"@astrojs/tailwind": "5.1.2",
-		"@kixelated/hang": "^0.1.1",
-		"@tailwindcss/forms": "^0.5.9",
-		"@tailwindcss/typography": "^0.5.15",
+		"@kixelated/hang": "^0.2.1",
+		"@tailwindcss/forms": "^0.5.10",
+		"@tailwindcss/typography": "^0.5.16",
 		"astro": "^4.16.18",
-		"solid-js": "^1.9.3",
-		"tailwindcss": "^3.4.15",
+		"solid-js": "^1.9.7",
+		"tailwindcss": "^3.4.17",
 		"unique-names-generator": "^4.7.1",
-		"vite-plugin-mkcert": "^1.17.6",
-		"vite-plugin-static-copy": "^2.2.0",
-		"vite-plugin-wasm": "^3.3.0"
+		"vite-plugin-mkcert": "^1.17.8",
+		"vite-plugin-static-copy": "^2.3.1",
+		"vite-plugin-wasm": "^3.4.1"
 	},
 	"devDependencies": {
-		"@types/node": "^22.10.1"
+		"@types/node": "^22.15.29"
 	},
 	"packageManager": "pnpm@10.11.0+sha512.6540583f41cc5f628eb3d9773ecee802f4f9ef9923cc45b69890fb47991d4b092964694ec3a4f738a420c918a333062c8b925d312f42e4f0c263eb603551f977"
 }