Merge branch 'main' into feature/vanish-optimization

Author: vikashsiwach

.github/workflows/checks.yml

@@ -42,6 +42,8 @@ jobs:
         run: npm ci
       - name: Run ESLint
         run: npm run lint
+      - name: Run Knip
+        run: npm run knip
   build-check:
     name: Build check
     runs-on: ubuntu-latest

.knip.json

@@ -0,0 +1,19 @@
+{
+  "$schema": "https://unpkg.com/knip@2/schema.json",
+  "entry": [
+    "src/index.ts",
+    "src/import-events.ts",
+    "knexfile.js"
+  ],
+  "project": [
+    "src/**/*.ts"
+  ],
+  "ignoreFiles": [],
+  "commitlint": false,
+  "eslint": false,
+  "github-actions": false,
+  "husky": false,
+  "mocha": false,
+  "nyc": false,
+  "semantic-release": false
+}

CONTRIBUTING.md

@@ -6,6 +6,16 @@ before making a change.
 
 Please keep the conversations civil, respectful and focus on the topic being discussed.
 
+## Local Quality Checks
+
+Run dead code and dependency analysis before opening a pull request:
+
+```
+npm run knip
+```
+
+`npm run lint` now runs Knip first, then ESLint.
+
 ## Pull Request Process
 
 1. Update the relevant documentation with details of changes to the interface, this includes new environment

README.md

@@ -209,6 +209,10 @@ Start:
   ```
   ./scripts/start_with_tor
   ```
+  or, with Nginx reverse proxy and Let's Encrypt SSL:
+  ```
+  RELAY_DOMAIN=relay.example.com CERTBOT_EMAIL=you@example.com ./scripts/start_with_nginx
+  ```
 
 **Windows / WSL2 users:** Docker bind-mounts can cause PostgreSQL permission errors on Windows. Use the dedicated override file instead:
   ```

docker-compose.nginx.yml

@@ -0,0 +1,48 @@
+services:
+  nginx:
+    image: nginx:1.25-alpine
+    container_name: nostream-nginx
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ${PWD}/nginx/conf.d:/etc/nginx/conf.d
+      - ${PWD}/nginx/ssl:/etc/nginx/ssl
+      - certbot-webroot:/var/www/certbot
+    depends_on:
+      - nostream
+    restart: on-failure
+    # Run nginx in foreground (so container exits if nginx dies).
+    # A background loop watches for a signal file created by certbot
+    # after cert issuance/renewal, and reloads nginx within seconds.
+    command: >
+      /bin/sh -c "while :; do
+        if [ -f /etc/nginx/ssl/reload-nginx ]; then
+          if nginx -t && nginx -s reload; then
+            rm -f /etc/nginx/ssl/reload-nginx;
+          fi;
+        fi;
+        sleep 5;
+      done & nginx -g 'daemon off;'"
+    networks:
+      default:
+
+  certbot:
+    image: certbot/certbot:v2.11.0
+    container_name: nostream-certbot
+    environment:
+      RELAY_DOMAIN: ${RELAY_DOMAIN:?RELAY_DOMAIN required}
+      CERTBOT_EMAIL: ${CERTBOT_EMAIL:?CERTBOT_EMAIL required}
+    volumes:
+      - ${PWD}/nginx/ssl:/etc/letsencrypt
+      - ${PWD}/scripts/certbot_entrypoint.sh:/entrypoint.sh:ro
+      - certbot-webroot:/var/www/certbot
+    entrypoint: /entrypoint.sh
+    depends_on:
+      - nginx
+    restart: on-failure
+    networks:
+      default:
+
+volumes:
+  certbot-webroot:

nginx/conf.d/nostream.conf.template

@@ -0,0 +1,53 @@
+# Nginx configuration template for Nostream relay
+# ${RELAY_DOMAIN} is substituted automatically by the start script
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+# HTTP — redirect to HTTPS and serve ACME challenge for Let's Encrypt
+server {
+    listen 80;
+    server_name ${RELAY_DOMAIN};
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS — reverse proxy to nostream relay
+server {
+    listen 443 ssl;
+    server_name ${RELAY_DOMAIN};
+
+    ssl_certificate     /etc/nginx/ssl/live/${RELAY_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/${RELAY_DOMAIN}/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://nostream:8008;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        # Pass client IP to relay
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket timeouts
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+    }
+}