📝(self-hosted) add documentation for self-hosting on docker compose

It describes the minimalist LaSuite Meet instance, with the simple
feature of having a room conference.

docs/examples/compose/compose.yaml

@@ -0,0 +1,88 @@
+services:
+  postgresql:
+    image: postgres:16
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      interval: 1s
+      timeout: 2s
+      retries: 300
+    env_file:
+    - env.d/postgresql
+    - env.d/common
+    volumes:
+    - ./data/databases/backend:/var/lib/postgresql/data/pgdata
+
+  redis:
+    image: redis:5
+
+  backend:
+    image: lasuite/meet-backend:latest
+    user: ${DOCKER_USER:-1000}
+    restart: always
+    env_file:
+    - env.d/common
+    - env.d/backend
+    - env.d/postgresql
+    healthcheck:
+      test: ["CMD", "python", "manage.py", "check"]
+      interval: 15s
+      timeout: 30s
+      retries: 20
+      start_period: 10s
+    depends_on:
+      postgresql:
+        condition: service_healthy
+        restart: true
+      redis:
+        condition: service_started
+      livekit:
+        condition: service_started
+
+  frontend:
+    image: lasuite/meet-frontend:latest
+    user: "${DOCKER_USER:-1000}"
+    entrypoint:
+    - /docker-entrypoint.sh
+    command: ["nginx", "-g", "daemon off;"]
+    env_file:
+    - env.d/common
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=${MEET_HOST} # used by nginx proxy 
+    # - VIRTUAL_PORT=8083 # used by nginx proxy
+    # - LETSENCRYPT_HOST=${MEET_HOST} # used by lets encrypt to generate TLS certificate
+    depends_on:
+      backend:
+        condition: service_healthy
+    volumes:
+    - ./default.conf.template:/etc/nginx/templates/docs.conf.template
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+  livekit:
+    image: livekit/livekit-server:latest
+    command: --config /config.yaml
+    ports:
+    - 7881:7881/tcp
+    - 7882:7882/udp
+    volumes:
+      - ./livekit-server.yaml:/config.yaml
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=${LIVEKIT_HOST} # used by nginx proxy 
+    # - VIRTUAL_PORT=7880 # used by nginx proxy
+    # - LETSENCRYPT_HOST=${LIVEKIT_HOST} # used by lets encrypt to generate TLS certificate
+    depends_on:
+      redis:
+        condition: service_started
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+# Uncomment if using our nginx proxy example
+#networks:
+#  proxy-tier:
+#    external: true

docs/examples/compose/keycloak/README.md

@@ -0,0 +1,92 @@
+# Deploy and Configure Keycloak for Meet
+
+## Installation
+
+> [!CAUTION]
+> We provide those instructions as an example, for production environments, you should follow the [official documentation](https://www.keycloak.org/documentation).
+
+### Step 1: Prepare your working environment:
+
+```bash
+mkdir keycloak/env.d && cd keycloak
+curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/compose/keycloak/compose.yaml
+curl -o env.d/kc_postgresql https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/kc_postgresql
+curl -o env.d/keycloak https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/keycloak
+```
+
+### Step 2:. Update `env.d/` files
+
+The following variables need to be updated with your own values, others can be left as is:
+
+```env
+POSTGRES_PASSWORD=<generate postgres password>
+KC_HOSTNAME=https://id.yourdomain.tld # Change with your own URL
+KC_BOOTSTRAP_ADMIN_PASSWORD=<generate your password>
+```
+
+### Step 3: Expose keycloak instance on https
+
+> [!NOTE]
+> You can skip this section if you already have your own setup.
+
+To access your Keycloak instance on the public network, it needs to be exposed on a domain with SSL termination. You can use our [example with nginx proxy and Let's Encrypt companion](../nginx-proxy/README.md) for automated creation/renewal of certificates using [acme.sh](http://acme.sh).
+
+If following our example, uncomment the environment and network sections in compose file and update it with your values.
+
+```yaml
+version: '3'
+services:
+  keycloak:
+   ...
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
+    # - VIRTUAL_PORT=8080 # used by nginx proxy
+    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
+   ...
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+# Uncomment if using our nginx proxy example
+#networks:
+#  proxy-tier:
+#    external: true
+```
+
+### Step 4: Start the service
+
+```bash
+`docker compose up -d`
+```
+
+Your keycloak instance is now available on https://doc.yourdomain.tld
+
+> [!CAUTION]
+> Version of the images are set to latest, you should pin it to the desired version to avoid unwanted upgrades when pulling latest image. You can find available versions on [Keycloak registry](https://quay.io/repository/keycloak/keycloak?tab=tags).
+```
+
+## Creating an OIDC Client for Meet Application
+
+### Step 1: Create a New Realm
+
+1. Log in to the Keycloak administration console.
+2. Navigate to the realm tab and click on the "Create realm" button.
+3. Enter the name of the realm  - `meet`.
+4. Click "Create".
+
+#### Step 2: Create a New Client
+
+1. Navigate to the "Clients" tab.
+2. Click on the "Create client" button.
+3. Enter the client ID - e.g. `meet`.
+4. Enable "Client authentication" option.
+6. Set the "Valid redirect URIs" to the URL of your meet application suffixed with `/*` - e.g., "https://meet.example.com/*".
+1. Set the "Web Origins" to the URL of your meet application - e.g. `https://meet.example.com`.
+1. Click "Save".
+
+#### Step 3: Get Client Credentials
+
+1. Go to the "Credentials" tab.
+2. Copy the client ID (`meet` in this example) and the client secret.

docs/examples/compose/keycloak/compose.yaml

@@ -0,0 +1,36 @@
+services:
+  postgresql:
+    image: postgres:16
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      interval: 1s
+      timeout: 2s
+      retries: 300
+    env_file:
+    - env.d/kc_postgresql
+    volumes:
+    - ./data/keycloak:/var/lib/postgresql/data/pgdata
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    command: ["start"]
+    env_file:
+    - env.d/kc_postgresql
+    - env.d/keycloak
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
+    # - VIRTUAL_PORT=8080 # used by nginx proxy
+    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
+    depends_on:
+      postgresql:
+        condition: service_healthy
+        restart: true
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+#
+#networks:
+#  proxy-tier:
+#    external: true

docs/examples/compose/nginx-proxy/README.md

@@ -0,0 +1,39 @@
+# Nginx proxy with automatic SSL certificates
+
+> [!CAUTION]
+> We provide those instructions as an example, for extended development or production environments, you should follow the [official documentation](https://github.com/nginx-proxy/acme-companion/tree/main/docs).
+
+Nginx-proxy sets up a container running nginx and docker-gen. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
+
+Acme-companion is a lightweight companion container for nginx-proxy. It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol.
+
+## Installation
+
+### Step 1: Prepare your working environment:
+
+```bash
+mkdir nginx-proxy && cd nginx-proxy
+curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/compose/nginx-proxy/compose.yaml
+```
+
+### Step 2: Edit `DEFAULT_EMAIL` in the compose file.
+
+Albeit optional, it is recommended to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.
+
+### Step 3: Create docker network
+
+Containers need share the same network for auto-discovery.
+
+```bash
+docker network create proxy-tier
+```
+
+### Step 4: Start service
+
+```bash
+docker compose up -d
+```
+
+## Usage
+
+Once both nginx-proxy and acme-companion containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.

docs/examples/compose/nginx-proxy/compose.yaml

@@ -0,0 +1,36 @@
+services:
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy
+    container_name: nginx-proxy
+    ports:
+    - "80:80"
+    - "443:443"
+    volumes:
+    - html:/usr/share/nginx/html
+    - certs:/etc/nginx/certs:ro
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    networks:
+    - proxy-tier
+
+  acme-companion:
+    image: nginxproxy/acme-companion
+    container_name: nginx-proxy-acme
+    environment:
+    - DEFAULT_EMAIL=mail@yourdomain.tld
+    volumes_from:
+    - nginx-proxy
+    volumes:
+    - certs:/etc/nginx/certs:rw
+    - acme:/etc/acme.sh
+    - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+    - proxy-tier
+
+networks:
+  proxy-tier:
+    external: true
+
+volumes:
+  html:
+  certs:
+  acme:

docs/examples/livekit/server.yaml

@@ -0,0 +1,22 @@
+port: 7880
+redis:
+  address: redis:6379
+keys:
+  meet: <your livekit secret key>
+# WebRTC configuration
+rtc:
+  # # when set, LiveKit will attempt to use a UDP mux so all UDP traffic goes through
+  # # listed port(s). To maximize system performance, we recommend using a range of ports
+  # # greater or equal to the number of vCPUs on the machine.
+  # # port_range_start & end must not be set for this config to take effect
+  udp_port: 7882
+  # when set, LiveKit enable WebRTC ICE over TCP when UDP isn't available
+  # this port *cannot* be behind load balancer or TLS, and must be exposed on the node
+  # WebRTC transports are encrypted and do not require additional encryption
+  # only 80/443 on public IP are allowed if less than 1024
+  tcp_port: 7881
+  # use_external_ip should be set to true for most cloud environments where
+  # the host has a public IP address, but is not exposed to the process.
+  # LiveKit will attempt to use STUN to discover the true IP, and advertise
+  # that IP with its clients
+  use_external_ip: true