feat(turn): add GitHub Actions deployment and idempotent setup script

- Create deploy-turn.yml workflow for automated droplet deployment
- Make setup-turn-server.sh fully idempotent (safe to run multiple times)
- Give ubuntu user passwordless sudo for deployments
- Update .env.example with DROPLET_* variables
- Update README with GitHub Actions deployment docs
- Fix desktop app postcss.config.js for CommonJS

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ralyodio

.env.example

@@ -30,9 +30,12 @@ SUPABASE_DB_PASSWORD=your-db-password-here
 # TURN Server Configuration
 # Required for WebRTC NAT traversal
 # ===========================================
-TURN_SERVER_URL=turn:your-turn-server.com:3478
-TURN_SERVER_USERNAME=your-turn-username
-TURN_SERVER_CREDENTIAL=your-turn-credential
+TURN_SERVER_URL=turn:turn.pairux.com:3478
+TURN_SERVER_USERNAME=ubuntu
+TURN_SERVER_CREDENTIAL=your-turn-secret-here
+
+# TLS TURN (for restrictive firewalls)
+TURNS_SERVER_URL=turns:turn.pairux.com:5349
 
 # ===========================================
 # Application Configuration
@@ -61,3 +64,12 @@ NODE_ENV=development
 # GPG_PRIVATE_KEY=base64-encoded-key
 # GPG_PASSPHRASE=your-passphrase
 # GPG_KEY_ID=your-key-id
+
+# ===========================================
+# Droplet Deployment (TURN Server)
+# Used by GitHub Actions to deploy to DigitalOcean droplet
+# ===========================================
+# DROPLET_HOST=143.198.96.161
+# DROPLET_PORT=22
+# DROPLET_USER=root
+# DROPLET_SSH_KEY=base64-encoded-private-key

.github/workflows/deploy-turn.yml

@@ -0,0 +1,56 @@
+name: Deploy TURN Server
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'apps/turn/**'
+  workflow_dispatch:
+
+concurrency:
+  group: deploy-turn
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy to TURN Droplet
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DROPLET_SSH_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -p ${{ secrets.DROPLET_PORT || 22 }} ${{ secrets.DROPLET_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Deploy setup script
+        env:
+          SSH_HOST: ${{ secrets.DROPLET_HOST }}
+          SSH_PORT: ${{ secrets.DROPLET_PORT || 22 }}
+          SSH_USER: ${{ secrets.DROPLET_USER }}
+          TURN_PASSWORD: ${{ secrets.TURN_SERVER_CREDENTIAL }}
+          TURN_REALM: turn.pairux.com
+        run: |
+          # Copy setup script to droplet
+          scp -P $SSH_PORT apps/turn/setup-turn-server.sh $SSH_USER@$SSH_HOST:/tmp/
+
+          # Run setup script
+          ssh -p $SSH_PORT $SSH_USER@$SSH_HOST "sudo bash /tmp/setup-turn-server.sh '$TURN_PASSWORD' '' '$TURN_REALM'"
+
+      - name: Verify TURN server
+        env:
+          SSH_HOST: ${{ secrets.DROPLET_HOST }}
+          SSH_PORT: ${{ secrets.DROPLET_PORT || 22 }}
+          SSH_USER: ${{ secrets.DROPLET_USER }}
+        run: |
+          ssh -p $SSH_PORT $SSH_USER@$SSH_HOST "sudo systemctl status coturn --no-pager"
+
+      - name: Cleanup
+        if: always()
+        run: |
+          rm -f ~/.ssh/id_rsa

.github/workflows/desktop-release.yml

@@ -97,6 +97,11 @@ jobs:
       - name: Build desktop app
         run: pnpm --filter @pairux/desktop build
         env:
+          # TURN server configuration
+          TURN_SERVER_URL: ${{ secrets.TURN_SERVER_URL }}
+          TURN_SERVER_USERNAME: ${{ secrets.TURN_SERVER_USERNAME }}
+          TURN_SERVER_CREDENTIAL: ${{ secrets.TURN_SERVER_CREDENTIAL }}
+          TURNS_SERVER_URL: ${{ secrets.TURNS_SERVER_URL }}
           # macOS signing
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}

apps/desktop/electron.vite.config.ts

@@ -7,23 +7,21 @@ export default defineConfig({
     plugins: [externalizeDepsPlugin()],
     build: {
       outDir: 'dist/main',
-      lib: {
-        entry: resolve(__dirname, 'src/main/index.ts'),
-      },
       rollupOptions: {
-        external: ['electron'],
+        input: {
+          index: resolve(__dirname, 'src/main/index.ts'),
+        },
       },
     },
   },
   preload: {
     plugins: [externalizeDepsPlugin()],
     build: {
       outDir: 'dist/preload',
-      lib: {
-        entry: resolve(__dirname, 'src/preload/index.ts'),
-      },
       rollupOptions: {
-        external: ['electron'],
+        input: {
+          index: resolve(__dirname, 'src/preload/index.ts'),
+        },
       },
     },
   },

apps/desktop/postcss.config.js

@@ -1,4 +1,4 @@
-export default {
+module.exports = {
   plugins: {
     tailwindcss: {},
     autoprefixer: {},

apps/turn/README.md

@@ -31,11 +31,12 @@ doctl compute droplet create pairux-turn \
 ### 2. Deploy
 
 ```bash
-cd apps/turn
-./deploy-droplet.sh <DROPLET_IP> <TURN_PASSWORD>
+# SSH to droplet and run setup script
+ssh root@<DROPLET_IP> "curl -fsSL https://raw.githubusercontent.com/profullstack/pairux.com/master/apps/turn/setup-turn-server.sh | bash -s -- 'YOUR_PASSWORD'"
 
-# Example:
-./deploy-droplet.sh 164.92.105.42 'super-secure-password-123'
+# Or copy and run locally
+scp apps/turn/setup-turn-server.sh root@<DROPLET_IP>:/root/
+ssh root@<DROPLET_IP> "./setup-turn-server.sh 'YOUR_PASSWORD'"
 ```
 
 ### 3. Add DNS
@@ -46,13 +47,47 @@ Add an A record: `turn.pairux.com` → `<droplet-ip>`
 
 ```bash
 # From anywhere
-turnutils_uclient -t -u pairux -w YOUR_PASSWORD turn.pairux.com
+turnutils_uclient -t -u ubuntu -w YOUR_PASSWORD turn.pairux.com
 ```
 
 **Cost:** ~$6/month (1 vCPU, 1GB RAM)
 
 ---
 
+## GitHub Actions Deployment
+
+The TURN server can be automatically deployed via GitHub Actions when changes are pushed to `apps/turn/`.
+
+### Required GitHub Secrets
+
+| Secret                   | Description                                 |
+| ------------------------ | ------------------------------------------- |
+| `DROPLET_HOST`           | Droplet IP address (e.g., `143.198.96.161`) |
+| `DROPLET_PORT`           | SSH port (default: `22`)                    |
+| `DROPLET_USER`           | SSH user (e.g., `root` or `ubuntu`)         |
+| `DROPLET_SSH_KEY`        | Private SSH key (base64 encoded)            |
+| `TURN_SERVER_CREDENTIAL` | TURN password                               |
+
+### Add Secrets
+
+```bash
+# Encode your SSH private key
+cat ~/.ssh/id_rsa | base64 -w 0
+
+# Add to GitHub:
+# Settings → Secrets and variables → Actions → New repository secret
+```
+
+### Manual Trigger
+
+You can also trigger deployment manually:
+
+```bash
+gh workflow run deploy-turn.yml
+```
+
+---
+
 ## Configuration
 
 ### Ports Required
@@ -85,12 +120,12 @@ const config = {
     // TURN fallback (when direct connections fail)
     {
       urls: 'turn:turn.pairux.com:3478',
-      username: 'pairux',
+      username: 'ubuntu',
       credential: process.env.TURN_PASSWORD,
     },
     {
       urls: 'turns:turn.pairux.com:5349',
-      username: 'pairux',
+      username: 'ubuntu',
       credential: process.env.TURN_PASSWORD,
     },
   ],
@@ -119,7 +154,7 @@ If you prefer not to self-host:
 
 1. Go to https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
 2. Add server: `turn:turn.pairux.com:3478`
-3. Enter username: `pairux`
+3. Enter username: `ubuntu`
 4. Enter password: `<your-password>`
 5. Click "Gather candidates"
 6. Look for `relay` candidates
@@ -134,7 +169,7 @@ apt install coturn-utils
 turnutils_uclient -p 3478 turn.pairux.com
 
 # Test TURN
-turnutils_uclient -t -u pairux -w YOUR_PASSWORD turn.pairux.com
+turnutils_uclient -t -u ubuntu -w YOUR_PASSWORD turn.pairux.com
 ```
 
 ---
@@ -143,13 +178,14 @@ turnutils_uclient -t -u pairux -w YOUR_PASSWORD turn.pairux.com
 
 ```bash
 # Check status
-ssh root@<droplet-ip> "docker compose -f /opt/pairux-turn/docker-compose.yml ps"
+ssh root@<droplet-ip> "systemctl status coturn"
 
 # View logs
-ssh root@<droplet-ip> "docker compose -f /opt/pairux-turn/docker-compose.yml logs -f"
+ssh root@<droplet-ip> "tail -f /var/log/turnserver.log"
+ssh root@<droplet-ip> "journalctl -u coturn -f"
 
 # Restart
-ssh root@<droplet-ip> "docker compose -f /opt/pairux-turn/docker-compose.yml restart"
+ssh root@<droplet-ip> "systemctl restart coturn"
 ```
 
 ---