Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
697a7e614d | ||
|
|
d07342e97e | ||
|
|
f425e0bb8e |
@@ -151,9 +151,13 @@ entries from all applicable share roots, with relative `path` fields
|
|||||||
**Status:** implemented (browser mode + daemon mode)
|
**Status:** implemented (browser mode + daemon mode)
|
||||||
**Affects:** ICE server configuration only, no wire changes
|
**Affects:** ICE server configuration only, no wire changes
|
||||||
|
|
||||||
The browser adapter reads `WASTE_CONFIG.turnURL` and `WASTE_CONFIG.turnSecret`
|
The browser adapter reads `WASTE_CONFIG.turnURL` and fetches short-lived
|
||||||
and adds a TURN server to the WebRTC `ICEServers` list. Credentials are
|
credentials from the anchor's `GET /turn-credentials` endpoint (derived from
|
||||||
generated using HMAC-SHA1 of the username (coturn `use-auth-secret` scheme).
|
`WASTE_CONFIG.signalURL`, or overridden via `WASTE_CONFIG.turnCredentialsURL`).
|
||||||
|
The anchor computes the credential using HMAC-SHA1 of the username (coturn
|
||||||
|
`use-auth-secret` scheme) — the shared secret itself is never sent to the
|
||||||
|
browser. Daemon mode does the equivalent computation locally, since the
|
||||||
|
daemon already holds `-turn-secret` server-side.
|
||||||
|
|
||||||
YAW/2 §0 explicitly declines TURN ("No relay (TURN)"). This extension is
|
YAW/2 §0 explicitly declines TURN ("No relay (TURN)"). This extension is
|
||||||
opt-in via server configuration and does not affect peers that omit it.
|
opt-in via server configuration and does not affect peers that omit it.
|
||||||
|
|||||||
@@ -41,7 +41,9 @@ Solved by using WebRTC DataChannels via pion. ICE gathers host + server-reflexiv
|
|||||||
### TURN relay ✅ (shipped)
|
### TURN relay ✅ (shipped)
|
||||||
Both browser and daemon modes support TURN relay.
|
Both browser and daemon modes support TURN relay.
|
||||||
|
|
||||||
**Browser mode:** `iceServers()` in `browser.ts` reads `WASTE_CONFIG.turnURL` and `WASTE_CONFIG.turnSecret`, generates time-limited HMAC-SHA1 credentials (compatible with coturn `use-auth-secret`), and adds the TURN server to the ICE candidate list. The peer dot turns yellow for relayed connections (`candidate_type: relay`).
|
**Browser mode:** `iceServers()` in `browser.ts` reads `WASTE_CONFIG.turnURL` and fetches a time-limited credential from the anchor's `GET /turn-credentials` endpoint (HMAC-SHA1, compatible with coturn `use-auth-secret`) rather than holding the shared secret client-side. The peer dot turns yellow for relayed connections (`candidate_type: relay`).
|
||||||
|
|
||||||
|
> **Security fix:** earlier this previously embedded `turnSecret` directly in `WASTE_CONFIG`, which let anyone reading the PWA's JS mint unlimited long-lived TURN credentials. The secret now lives only on the anchor (`-turn-secret` flag); the anchor mints short-lived credentials per-request instead.
|
||||||
|
|
||||||
**Daemon mode:** `-turn-url` and `-turn-secret` flags on `cmd/daemon`. `turnICEServers()` in `internal/netmgr/manager.go` generates HMAC-SHA1 credentials and injects them into the ICE server list for every new peer connection.
|
**Daemon mode:** `-turn-url` and `-turn-secret` flags on `cmd/daemon`. `turnICEServers()` in `internal/netmgr/manager.go` generates HMAC-SHA1 credentials and injects them into the ICE server list for every new peer connection.
|
||||||
|
|
||||||
|
|||||||
@@ -41,13 +41,33 @@ On Linux and Windows a tray icon appears — closing the window hides to tray ra
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Option 3 — Run the daemon manually (headless / power users)
|
## Option 3 — Run the daemon + TUI or web UI locally (power users / dev)
|
||||||
|
|
||||||
|
Example scripts are provided for the common local workflows. Copy them and fill in your anchor URL:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# TUI (terminal UI):
|
||||||
|
cp launch-tui.sh.example launch-tui.sh
|
||||||
|
$EDITOR launch-tui.sh # set ANCHOR=wss://your-anchor/ws
|
||||||
|
./launch-tui.sh
|
||||||
|
|
||||||
|
# Web UI in daemon mode (Vite dev server + daemon):
|
||||||
|
cp launch-web.sh.example launch-web.sh
|
||||||
|
$EDITOR launch-web.sh # set ANCHOR=wss://your-anchor/ws
|
||||||
|
./launch-web.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
The real script files are gitignored so your local edits (anchor URL, alias, network) are never accidentally committed.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Option 4 — Run the daemon manually (headless)
|
||||||
|
|
||||||
If you want the daemon running in the background without the desktop UI — on a server, over SSH, or with the web UI in a browser pointed at your local machine:
|
If you want the daemon running in the background without the desktop UI — on a server, over SSH, or with the web UI in a browser pointed at your local machine:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Download waste-daemon from the releases page, then:
|
# Download waste-daemon from the releases page, then:
|
||||||
./waste-daemon -alias yourname -anchor wss://your-anchor-server/ws
|
./waste-daemon -alias yourname -anchor wss://YOUR_ANCHOR_DOMAIN/ws
|
||||||
```
|
```
|
||||||
|
|
||||||
Then open the web UI in a browser at the anchor URL, or point the web UI's daemon mode at `ws://127.0.0.1:17338`.
|
Then open the web UI in a browser at the anchor URL, or point the web UI's daemon mode at `ws://127.0.0.1:17338`.
|
||||||
@@ -83,7 +103,7 @@ The anchor is a tiny signaling server that helps peers find each other — it ne
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# On your VPS:
|
# On your VPS:
|
||||||
./waste-anchor -bind 127.0.0.1:8080
|
./waste-anchor -bind 127.0.0.1:8080 -turn-secret YOUR_COTURN_SECRET
|
||||||
```
|
```
|
||||||
|
|
||||||
Put it behind nginx with a `/ws` WebSocket proxy and serve the web UI static files at `/`. See [README.md](README.md#hosting-on-a-vps) for the full nginx setup.
|
Put it behind nginx with `/ws` and `/turn-credentials` proxied to the anchor, and the web UI static files at `/`. See [README.md](README.md#hosting-on-a-vps) for the full nginx setup.
|
||||||
|
|||||||
30
README.md
30
README.md
@@ -134,7 +134,7 @@ This tells the browser where to connect for signaling. Without it the join form
|
|||||||
|
|
||||||
### 3. Nginx Proxy Manager setup
|
### 3. Nginx Proxy Manager setup
|
||||||
|
|
||||||
Create one **Proxy Host** for your domain (e.g. `waste.example.com`) with TLS enabled. You need two locations:
|
Create one **Proxy Host** for your domain (e.g. `waste.example.com`) with TLS enabled. You need these locations:
|
||||||
|
|
||||||
**Location 1 — WebSocket signaling (`/ws`)**
|
**Location 1 — WebSocket signaling (`/ws`)**
|
||||||
- Location: `/ws`
|
- Location: `/ws`
|
||||||
@@ -142,6 +142,12 @@ Create one **Proxy Host** for your domain (e.g. `waste.example.com`) with TLS en
|
|||||||
- Forward port: `8080`
|
- Forward port: `8080`
|
||||||
- Enable: WebSockets Support
|
- Enable: WebSockets Support
|
||||||
|
|
||||||
|
**Location 1b — TURN credentials (`/turn-credentials`, only if using TURN — see [step 4](#4-turn-relay-optional-fixes-mobile--cgnat))**
|
||||||
|
- Location: `/turn-credentials`
|
||||||
|
- Forward hostname/IP: `127.0.0.1`
|
||||||
|
- Forward port: `8080`
|
||||||
|
- Plain HTTP, no WebSockets toggle needed
|
||||||
|
|
||||||
**Location 2 — Web UI (catch-all)**
|
**Location 2 — Web UI (catch-all)**
|
||||||
- Location: `/`
|
- Location: `/`
|
||||||
- Choose "Serve Static Files" (or point to a local HTTP server serving `/var/www/waste-web`)
|
- Choose "Serve Static Files" (or point to a local HTTP server serving `/var/www/waste-web`)
|
||||||
@@ -162,6 +168,7 @@ Or use `serve-web.sh` which handles PID tracking and restart:
|
|||||||
The key requirements:
|
The key requirements:
|
||||||
|
|
||||||
- `/ws` → anchor process (WebSocket, keep-alive)
|
- `/ws` → anchor process (WebSocket, keep-alive)
|
||||||
|
- `/turn-credentials` → anchor process (plain HTTP; only needed if using TURN)
|
||||||
- `/*` → static file server (SPA fallback: return `index.html` for unknown paths)
|
- `/*` → static file server (SPA fallback: return `index.html` for unknown paths)
|
||||||
|
|
||||||
### 4. TURN relay (optional, fixes mobile / CGNAT)
|
### 4. TURN relay (optional, fixes mobile / CGNAT)
|
||||||
@@ -200,21 +207,32 @@ systemctl enable coturn
|
|||||||
systemctl start coturn
|
systemctl start coturn
|
||||||
```
|
```
|
||||||
|
|
||||||
**Update `config.js`** to tell browsers about the TURN server:
|
**Start the anchor with the same secret**, so it can mint short-lived credentials on your behalf:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./waste-anchor -bind 0.0.0.0:8080 -turn-secret YOUR_SECRET_HERE
|
||||||
|
```
|
||||||
|
|
||||||
|
This enables `GET /turn-credentials` on the anchor, which returns a fresh `{username, credential}` pair (1-hour TTL) computed from the shared secret — the secret itself never leaves the server.
|
||||||
|
|
||||||
|
**Update `config.js`** to tell browsers about the TURN server (no secret here — only the public relay address):
|
||||||
|
|
||||||
```js
|
```js
|
||||||
window.WASTE_CONFIG = {
|
window.WASTE_CONFIG = {
|
||||||
signalURL: 'wss://your-domain.com/ws',
|
signalURL: 'wss://your-domain.com/ws',
|
||||||
turnURL: 'turn:your-domain.com:3478',
|
turnURL: 'turn:your-domain.com:3478',
|
||||||
turnSecret: 'YOUR_SECRET_HERE',
|
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
The `use-auth-secret` mode generates short-lived TURN credentials from the shared secret — no user database required. The relay only sees opaque DTLS-encrypted blobs.
|
> **Security note:** earlier versions of this doc had you put `turnSecret` directly in `config.js`. Don't — anyone reading the PWA's JS bundle could read it and mint unlimited, long-lived TURN credentials, turning your relay into an open proxy for anyone. The browser now calls the anchor's `/turn-credentials` endpoint instead and only ever sees a credential that expires in an hour. If you have an old `config.js` with `turnSecret` set, remove it and rotate the coturn secret (`static-auth-secret` in `turnserver.conf` and the anchor's `-turn-secret` flag) since the old one was exposed.
|
||||||
|
|
||||||
> The browser adapter reads `turnURL` and `turnSecret` from `WASTE_CONFIG` and adds the TURN server to the WebRTC `ICEServers` list automatically. If not configured, STUN-only is used (works for most desktop/home NAT situations).
|
The browser adapter calls `signalURL` with `/ws` swapped for `/turn-credentials` to find the anchor's endpoint by default; set `turnCredentialsURL` explicitly in `WASTE_CONFIG` if the anchor is reachable at a different path. If `turnURL` is set but the credentials endpoint is unreachable, the browser falls back to STUN-only.
|
||||||
|
|
||||||
**Daemon mode TURN:** pass `-turn-url turn:your-domain.com:3478 -turn-secret YOUR_SECRET_HERE` when starting the daemon. The same coturn `use-auth-secret` HMAC-SHA1 scheme is used — no extra config required beyond what you set up for browser mode.
|
You'll also need nginx to route the new path to the anchor, alongside `/ws` (see [step 3](#3-nginx-proxy-manager-setup)):
|
||||||
|
|
||||||
|
- `/turn-credentials` → anchor process (plain HTTP, no WebSocket upgrade needed)
|
||||||
|
|
||||||
|
**Daemon mode TURN:** pass `-turn-url turn:your-domain.com:3478 -turn-secret YOUR_SECRET_HERE` when starting the daemon. This is unaffected by the above — the daemon computes credentials itself server-side and never exposes the secret, same as the anchor now does for browser mode.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
@@ -6,12 +6,17 @@ package main
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/ed25519"
|
"crypto/ed25519"
|
||||||
|
"crypto/hmac"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"crypto/sha1"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
|
"encoding/base64"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"encoding/json"
|
||||||
"flag"
|
"flag"
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"strconv"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@@ -23,16 +28,40 @@ import (
|
|||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
bind := flag.String("bind", "0.0.0.0:17339", "address to listen on")
|
bind := flag.String("bind", "0.0.0.0:17339", "address to listen on")
|
||||||
|
turnSecret := flag.String("turn-secret", "", "coturn use-auth-secret shared secret; enables GET /turn-credentials")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
a := newAnchor()
|
a := newAnchor()
|
||||||
http.HandleFunc("/ws", a.handleWS)
|
http.HandleFunc("/ws", a.handleWS)
|
||||||
|
if *turnSecret != "" {
|
||||||
|
http.HandleFunc("/turn-credentials", turnCredentialsHandler(*turnSecret))
|
||||||
|
log.Printf("anchor: /turn-credentials enabled")
|
||||||
|
}
|
||||||
log.Printf("anchor: listening on %s", *bind)
|
log.Printf("anchor: listening on %s", *bind)
|
||||||
if err := http.ListenAndServe(*bind, nil); err != nil {
|
if err := http.ListenAndServe(*bind, nil); err != nil {
|
||||||
log.Fatalf("anchor: %v", err)
|
log.Fatalf("anchor: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// turnCredentialsHandler mints short-lived coturn use-auth-secret credentials
|
||||||
|
// server-side, so the shared secret never reaches the browser. Mirrors the
|
||||||
|
// scheme in internal/netmgr.Manager.turnICEServers (daemon mode).
|
||||||
|
func turnCredentialsHandler(secret string) http.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
expiry := strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10)
|
||||||
|
mac := hmac.New(sha1.New, []byte(secret))
|
||||||
|
mac.Write([]byte(expiry))
|
||||||
|
credential := base64.StdEncoding.EncodeToString(mac.Sum(nil))
|
||||||
|
json.NewEncoder(w).Encode(struct {
|
||||||
|
Username string `json:"username"`
|
||||||
|
Credential string `json:"credential"`
|
||||||
|
TTL int `json:"ttl"`
|
||||||
|
}{Username: expiry, Credential: credential, TTL: 3600})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// ── Anchor ────────────────────────────────────────────────────────────────────
|
// ── Anchor ────────────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
type client struct {
|
type client struct {
|
||||||
@@ -126,8 +155,8 @@ func (a *anchor) handleWS(w http.ResponseWriter, r *http.Request) {
|
|||||||
ctx, cancel := context.WithCancel(r.Context())
|
ctx, cancel := context.WithCancel(r.Context())
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
// Send a challenge nonce immediately.
|
// Send a challenge nonce immediately. §5.1 requires 32 bytes.
|
||||||
nonce := make([]byte, 16)
|
nonce := make([]byte, 32)
|
||||||
rand.Read(nonce)
|
rand.Read(nonce)
|
||||||
nonceHex := hex.EncodeToString(nonce)
|
nonceHex := hex.EncodeToString(nonce)
|
||||||
if err := wsjson.Write(ctx, conn, proto.AnchorMessage{
|
if err := wsjson.Write(ctx, conn, proto.AnchorMessage{
|
||||||
|
|||||||
32
deploy-web.sh.example
Normal file
32
deploy-web.sh.example
Normal file
@@ -0,0 +1,32 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# deploy-web.sh — build and push the web UI to the VPS.
|
||||||
|
# Assumes SSH agent forwarding is set up.
|
||||||
|
#
|
||||||
|
# SETUP: copy this file to deploy-web.sh (gitignored) and set HOST below.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# ./deploy-web.sh
|
||||||
|
#
|
||||||
|
# Optional env vars:
|
||||||
|
# HOST SSH target (user@host) (required — edit below)
|
||||||
|
# REMOTE_DIR path on VPS (default: ~/waste-www)
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HOST="${HOST:-user@YOUR_VPS_IP}" # ← edit this
|
||||||
|
REMOTE_DIR="${REMOTE_DIR:-~/waste-www}"
|
||||||
|
|
||||||
|
if [[ "$HOST" == *YOUR_VPS_IP* ]]; then
|
||||||
|
echo "error: edit HOST in this script (or export HOST=user@your-vps before running)" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "→ building web UI…"
|
||||||
|
"$(dirname "$0")/build-web.sh"
|
||||||
|
|
||||||
|
echo "→ syncing to $HOST:$REMOTE_DIR"
|
||||||
|
rsync -azv --delete \
|
||||||
|
--exclude='config.js' \
|
||||||
|
web/dist/ "$HOST:$REMOTE_DIR/"
|
||||||
|
|
||||||
|
echo "✓ done"
|
||||||
96
launch-tui.sh.example
Normal file
96
launch-tui.sh.example
Normal file
@@ -0,0 +1,96 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# launch-tui.sh — build and launch the TUI against a remote anchor.
|
||||||
|
# Starts a local daemon then opens the Bubble Tea terminal UI.
|
||||||
|
#
|
||||||
|
# SETUP: copy this file to launch-tui.sh (gitignored) and set ANCHOR below.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# ./launch-tui.sh
|
||||||
|
# ALIAS=alice NETWORK=friends ./launch-tui.sh
|
||||||
|
#
|
||||||
|
# Optional env vars (all have defaults):
|
||||||
|
# ANCHOR anchor WebSocket URL (required — edit below)
|
||||||
|
# NETWORK network name to join (default: "friends")
|
||||||
|
# ALIAS display name (default: $USER)
|
||||||
|
# DATA_DIR identity + message store dir (default: ~/.waste-$ALIAS)
|
||||||
|
# IPC_PORT local daemon IPC port (default: 17337)
|
||||||
|
# SHARE_DIR directory to share with peers (optional)
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
ANCHOR="${ANCHOR:-wss://YOUR_ANCHOR_DOMAIN/ws}" # ← edit this
|
||||||
|
|
||||||
|
NETWORK="${NETWORK:-friends}"
|
||||||
|
ALIAS="${ALIAS:-${USER:-anon}}"
|
||||||
|
DATA_DIR="${DATA_DIR:-${HOME}/.waste-${ALIAS}}"
|
||||||
|
|
||||||
|
_DEFAULT_ALIAS="${USER:-anon}"
|
||||||
|
if [ "${ALIAS}" = "${_DEFAULT_ALIAS}" ]; then
|
||||||
|
IPC_PORT="${IPC_PORT:-17337}"
|
||||||
|
else
|
||||||
|
_HASH=$(printf '%d' "0x$(printf '%s' "$ALIAS" | md5sum | cut -c1-4)")
|
||||||
|
IPC_PORT="${IPC_PORT:-$(( 17400 + _HASH % 1000 ))}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHARE_DIR="${SHARE_DIR:-}"
|
||||||
|
|
||||||
|
RED='\033[0;31m'; GREEN='\033[0;32m'; DIM='\033[2m'; BOLD='\033[1m'; RESET='\033[0m'
|
||||||
|
|
||||||
|
if [[ "$ANCHOR" == *YOUR_ANCHOR_DOMAIN* ]]; then
|
||||||
|
echo -e "${RED}error: edit ANCHOR in this script (or export ANCHOR=wss://... before running)${RESET}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p "$DATA_DIR"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo -e "${BOLD}waste TUI${RESET}"
|
||||||
|
echo -e "${DIM}anchor : ${BOLD}${ANCHOR}${RESET}"
|
||||||
|
echo -e "${DIM}network : ${BOLD}${NETWORK}${RESET}"
|
||||||
|
echo -e "${DIM}alias : ${BOLD}${ALIAS}${RESET}"
|
||||||
|
echo -e "${DIM}data : ${DATA_DIR}${RESET}"
|
||||||
|
[ -n "$SHARE_DIR" ] && echo -e "${DIM}share : ${SHARE_DIR}${RESET}"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
echo -e "${DIM}building binaries…${RESET}"
|
||||||
|
go build -o /tmp/waste-daemon-run ./cmd/daemon
|
||||||
|
go build -o /tmp/waste-tui-run ./cmd/tui
|
||||||
|
echo -e "${GREEN}✓ built${RESET}"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
existing=$(lsof -ti tcp:"$IPC_PORT" 2>/dev/null || true)
|
||||||
|
[ -n "$existing" ] && kill "$existing" 2>/dev/null && sleep 0.3 || true
|
||||||
|
|
||||||
|
echo -e "${DIM}starting daemon on :${IPC_PORT}…${RESET}"
|
||||||
|
WS_PORT=$(( IPC_PORT + 1 ))
|
||||||
|
/tmp/waste-daemon-run \
|
||||||
|
-alias "$ALIAS" -data-dir "$DATA_DIR" \
|
||||||
|
-ipc-port "$IPC_PORT" -ws-port "$WS_PORT" \
|
||||||
|
-anchor "$ANCHOR" \
|
||||||
|
2>/tmp/waste-daemon.log &
|
||||||
|
DAEMON_PID=$!
|
||||||
|
|
||||||
|
n=0
|
||||||
|
while ! nc -z 127.0.0.1 "$IPC_PORT" 2>/dev/null; do
|
||||||
|
sleep 0.1; n=$(( n + 1 ))
|
||||||
|
[ "$n" -gt 80 ] && echo -e "${RED}daemon failed — check /tmp/waste-daemon.log${RESET}" >&2 && exit 1
|
||||||
|
done
|
||||||
|
echo -e "${GREEN}✓ daemon started (pid ${DAEMON_PID})${RESET}"
|
||||||
|
|
||||||
|
sleep 0.3
|
||||||
|
if [ -n "$SHARE_DIR" ]; then
|
||||||
|
JOIN=$(jq -cn --arg net "$NETWORK" --arg dir "$SHARE_DIR" \
|
||||||
|
'{"type":"join_network","network_name":$net,"share_dir":$dir}')
|
||||||
|
else
|
||||||
|
JOIN=$(jq -cn --arg net "$NETWORK" '{"type":"join_network","network_name":$net}')
|
||||||
|
fi
|
||||||
|
echo "$JOIN" | nc -q 0 127.0.0.1 "$IPC_PORT" >/dev/null 2>&1 || true
|
||||||
|
echo -e "${DIM}joined network: ${BOLD}${NETWORK}${RESET}"
|
||||||
|
|
||||||
|
cleanup() { kill "$DAEMON_PID" 2>/dev/null || true; }
|
||||||
|
trap cleanup EXIT INT TERM
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo -e "${BOLD}launching TUI${RESET} — ${DIM}ctrl+c to quit${RESET}"
|
||||||
|
echo ""
|
||||||
|
exec /tmp/waste-tui-run -ipc "$IPC_PORT" -network "$NETWORK"
|
||||||
74
launch-web.sh.example
Normal file
74
launch-web.sh.example
Normal file
@@ -0,0 +1,74 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# launch-web.sh — start the daemon and open the web UI Vite dev server.
|
||||||
|
# For local development / daemon-mode browsing.
|
||||||
|
#
|
||||||
|
# SETUP: copy this file to launch-web.sh (gitignored) and set ANCHOR below.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# ./launch-web.sh
|
||||||
|
# ALIAS=alice NETWORK=friends ./launch-web.sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
ANCHOR="${ANCHOR:-wss://YOUR_ANCHOR_DOMAIN/ws}" # ← edit this
|
||||||
|
|
||||||
|
NETWORK="${NETWORK:-friends}"
|
||||||
|
ALIAS="${ALIAS:-${USER:-anon}}"
|
||||||
|
DATA_DIR="${DATA_DIR:-${HOME}/.waste-${ALIAS}}"
|
||||||
|
IPC_PORT="${IPC_PORT:-17337}"
|
||||||
|
WS_PORT=$(( IPC_PORT + 1 ))
|
||||||
|
|
||||||
|
if [[ "$ANCHOR" == *YOUR_ANCHOR_DOMAIN* ]]; then
|
||||||
|
echo "error: edit ANCHOR in this script (or export ANCHOR=wss://... before running)" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
PIDS=()
|
||||||
|
cleanup() {
|
||||||
|
for pid in "${PIDS[@]:-}"; do kill "$pid" 2>/dev/null || true; done
|
||||||
|
wait 2>/dev/null || true
|
||||||
|
}
|
||||||
|
trap cleanup EXIT INT TERM
|
||||||
|
|
||||||
|
for port in "$IPC_PORT" "$WS_PORT"; do
|
||||||
|
existing=$(lsof -ti tcp:"$port" 2>/dev/null || true)
|
||||||
|
[ -n "$existing" ] && kill "$existing" 2>/dev/null || true
|
||||||
|
done
|
||||||
|
for port in "$IPC_PORT" "$WS_PORT"; do
|
||||||
|
n=0
|
||||||
|
while lsof -ti tcp:"$port" >/dev/null 2>&1; do
|
||||||
|
sleep 0.1; n=$(( n + 1 )); [ "$n" -gt 30 ] && break
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
mkdir -p "$DATA_DIR"
|
||||||
|
|
||||||
|
echo "alias : $ALIAS"
|
||||||
|
echo "network : $NETWORK"
|
||||||
|
echo "anchor : $ANCHOR"
|
||||||
|
echo "ws-port : $WS_PORT"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
echo "building daemon…"
|
||||||
|
go build -o /tmp/waste-daemon-web ./cmd/daemon
|
||||||
|
|
||||||
|
/tmp/waste-daemon-web \
|
||||||
|
-alias "$ALIAS" -data-dir "$DATA_DIR" \
|
||||||
|
-ipc-port "$IPC_PORT" -ws-port "$WS_PORT" \
|
||||||
|
-anchor "$ANCHOR" \
|
||||||
|
2>/tmp/waste-daemon-web.log &
|
||||||
|
PIDS+=($!)
|
||||||
|
|
||||||
|
n=0
|
||||||
|
while ! nc -z 127.0.0.1 "$IPC_PORT" 2>/dev/null; do
|
||||||
|
sleep 0.1; n=$(( n + 1 ))
|
||||||
|
[ "$n" -gt 80 ] && echo "daemon failed to start — check /tmp/waste-daemon-web.log" >&2 && exit 1
|
||||||
|
done
|
||||||
|
|
||||||
|
sleep 0.2
|
||||||
|
jq -cn --arg net "$NETWORK" '{"type":"join_network","network_name":$net}' \
|
||||||
|
| nc -q0 127.0.0.1 "$IPC_PORT" >/dev/null 2>&1 || true
|
||||||
|
echo "daemon ready — joined $NETWORK"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
npm run dev --prefix "$(dirname "$0")/web"
|
||||||
38
serve-web.sh.example
Normal file
38
serve-web.sh.example
Normal file
@@ -0,0 +1,38 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# serve-web.sh — start (or restart) the static file server on the VPS.
|
||||||
|
# Runs `npx serve` in the background, logs to ~/waste-www.log.
|
||||||
|
#
|
||||||
|
# SETUP: copy this file to serve-web.sh (gitignored) and set HOST below.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# ./serve-web.sh
|
||||||
|
#
|
||||||
|
# Optional env vars:
|
||||||
|
# HOST SSH target (user@host) (required — edit below)
|
||||||
|
# REMOTE_DIR path on VPS (default: ~/waste-www)
|
||||||
|
# PORT local port on VPS (default: 1337)
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HOST="${HOST:-user@YOUR_VPS_IP}" # ← edit this
|
||||||
|
REMOTE_DIR="${REMOTE_DIR:-~/waste-www}"
|
||||||
|
REMOTE_LOG="~/waste-www.log"
|
||||||
|
REMOTE_PID="~/waste-www.pid"
|
||||||
|
PORT="${PORT:-1337}"
|
||||||
|
|
||||||
|
if [[ "$HOST" == *YOUR_VPS_IP* ]]; then
|
||||||
|
echo "error: edit HOST in this script (or export HOST=user@your-vps before running)" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
ssh "$HOST" bash <<EOF
|
||||||
|
if [ -f $REMOTE_PID ]; then
|
||||||
|
kill \$(cat $REMOTE_PID) 2>/dev/null || true
|
||||||
|
rm -f $REMOTE_PID
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "[\$(date)] starting npx serve on port $PORT" >> $REMOTE_LOG
|
||||||
|
nohup npx serve -s $REMOTE_DIR -l $PORT >> $REMOTE_LOG 2>&1 &
|
||||||
|
echo \$! > $REMOTE_PID
|
||||||
|
echo "→ started (pid \$(cat $REMOTE_PID)), logging to $REMOTE_LOG"
|
||||||
|
EOF
|
||||||
@@ -16,23 +16,31 @@ const EKEY_PREFIX = 'yaw/2.1 ekey'
|
|||||||
const FS_TIMEOUT = 2000
|
const FS_TIMEOUT = 2000
|
||||||
const STUN = 'stun:stun.l.google.com:19302'
|
const STUN = 'stun:stun.l.google.com:19302'
|
||||||
|
|
||||||
async function turnCredential(secret: string, username: string): Promise<string> {
|
// TURN credentials are short-lived and minted server-side by the anchor's
|
||||||
const key = await crypto.subtle.importKey(
|
// GET /turn-credentials endpoint (see cmd/anchor). The shared coturn secret
|
||||||
'raw', new TextEncoder().encode(secret),
|
// never reaches the browser — only a time-limited username/credential pair.
|
||||||
{ name: 'HMAC', hash: 'SHA-1' },
|
async function fetchTurnCredentials(credentialsURL: string): Promise<{ username: string; credential: string } | null> {
|
||||||
false, ['sign']
|
try {
|
||||||
)
|
const res = await fetch(credentialsURL)
|
||||||
const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(username))
|
if (!res.ok) return null
|
||||||
return btoa(String.fromCharCode(...new Uint8Array(sig)))
|
const data = await res.json()
|
||||||
|
if (!data.username || !data.credential) return null
|
||||||
|
return { username: data.username, credential: data.credential }
|
||||||
|
} catch {
|
||||||
|
return null
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
async function iceServers(): Promise<RTCIceServer[]> {
|
async function iceServers(): Promise<RTCIceServer[]> {
|
||||||
const cfg = (window as unknown as { WASTE_CONFIG?: { turnURL?: string; turnSecret?: string } }).WASTE_CONFIG
|
const cfg = (window as unknown as { WASTE_CONFIG?: { turnURL?: string; turnCredentialsURL?: string; signalURL?: string } }).WASTE_CONFIG
|
||||||
const servers: RTCIceServer[] = [{ urls: STUN }]
|
const servers: RTCIceServer[] = [{ urls: STUN }]
|
||||||
if (cfg?.turnURL && cfg?.turnSecret) {
|
if (cfg?.turnURL) {
|
||||||
const user = Math.floor(Date.now() / 1000) + 3600 + ':waste'
|
const credentialsURL = cfg.turnCredentialsURL
|
||||||
const credential = await turnCredential(cfg.turnSecret, user)
|
?? cfg.signalURL?.replace(/^ws/, 'http').replace(/\/ws\/?$/, '/turn-credentials')
|
||||||
servers.push({ urls: cfg.turnURL, username: user, credential })
|
if (credentialsURL) {
|
||||||
|
const creds = await fetchTurnCredentials(credentialsURL)
|
||||||
|
if (creds) servers.push({ urls: cfg.turnURL, username: creds.username, credential: creds.credential })
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return servers
|
return servers
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user