Deploy Your Own Ephemeral Relay
LUM runs anywhere. A single Go binary handles message routing in volatile memory and rotates on schedule.
You control the servers, certificates, and rotation policy.
For Developers
- Single Go binary (lum-relay) deployable via Docker or Kubernetes.
- Cosign-signed images, non-root, read-only, zero disk writes.
- gRPC APIs over HTTP/2 with mutual TLS.
1 • Run Locally – Docker Compose
Save the following in docker-compose.yml:
```yaml
version: "3.9"
services:
  lum-relay:
    image: ghcr.io/lum/lum-relay:latest
    restart: always
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    ports:
      - "443:443"
    environment:
      RELAY_TLS_CERT: /run/secrets/tls.crt
      RELAY_TLS_KEY: /run/secrets/tls.key
    secrets:
      - tls.crt
      - tls.key
secrets:
  tls.crt:
    file: ./secrets/tls.crt
  tls.key:
    file: ./secrets/tls.key
```
Then build and run:
```sh
docker compose up
```
Messages remain in memory only; relays expire in roughly seven days by default.
2 • Run on Kubernetes – K3s or Cloud
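```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lum-relay
spec:
  replicas: 2
  # apps/v1 requires a selector matching the pod template labels;
  # the label app: lum-relay is a name chosen for this manifest.
  selector:
    matchLabels:
      app: lum-relay
  template:
    metadata:
      labels:
        app: lum-relay
    spec:
      containers:
        - name: relay
          image: ghcr.io/lum/lum-relay:latest
          ports:
            - containerPort: 443
          volumeMounts:
            - mountPath: /tmp
              name: tmp-storage
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # The certificate and key files must be made available at
            # these paths; this manifest does not mount them.
            - name: RELAY_TLS_CERT
              value: /run/secrets/tls.crt
            - name: RELAY_TLS_KEY
              value: /run/secrets/tls.key
      volumes:
        # RAM-backed scratch space; nothing is written to node disk
        - name: tmp-storage
          emptyDir:
            medium: Memory
```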
Apply it with:
```sh
kubectl apply -f relay.yaml
```
Use the same manifest on K3s, EKS, GKE, or AKS.
All storage uses emptyDir.medium: Memory; nothing touches disk.
3 • Verify Binary Integrity
```sh
cosign verify --key cosign.pub ghcr.io/lum/lum-relay:latest
```
Relays run as non-root and read-only, and are verified before startup.
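One way to check that a running Deployment still meets the claims above (non-root, read-only, memory-only storage, verified image), as an added example that is not part of LUM: it audits the JSON returned by `kubectl get deployment lum-relay -o json`. The sample object is constructed from the manifest on this page, and the digest-pinning check is an added assumption about what a verified deployment should require.

```python
import json

# Constructed sample shaped like `kubectl get deployment lum-relay -o json`,
# trimmed to the fields the audit reads; values mirror the manifest above.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{
    "name": "relay",
    "image": "ghcr.io/lum/lum-relay:latest",
    "securityContext": {"runAsNonRoot": true, "readOnlyRootFilesystem": true,
                        "capabilities": {"drop": ["ALL"]}}}],
  "volumes": [{"name": "tmp-storage", "emptyDir": {"medium": "Memory"}}]
}}}}
""")


def audit(deployment):
    """Return findings as strings; an empty list means every check passed."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # runAsNonRoot may be inherited from the pod; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities are not all dropped")
        # A tag is mutable, so a signature verified for it at one moment
        # does not bind what the node pulls later; a digest does.
        if "@sha256:" not in c["image"]:
            findings.append(f"{name}: image {c['image']} is not pinned by digest")
    for v in pod.get("volumes", []):
        if "emptyDir" in v:
            ok = v["emptyDir"].get("medium") == "Memory"
        else:
            ok = "secret" in v  # secret volumes are tmpfs-backed by the kubelet
        if not ok:
            findings.append(f"volume {v['name']}: not memory-backed")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["all checks passed"]:
        print(line)
```

Run against the manifest as written, the only finding is the `:latest` tag; deploying the digest that `cosign verify` reports closes that gap.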
4 • Connect a Client
Use the invite code and PIN generated from your app or dashboard.
Clients discover the appropriate relay pool automatically.
5 • Default Rotation and Lifetimes
| Parameter | Default | Description |
|---|---|---|
| Relay TTL | 7 days | Automatic rotation |
| Grace period | 48 h | Overlap window for message pulls |
| Message TTL | 72 h | Cache expiry |
| Cipher rounds | 100 (default) | Configurable per channel |
Change these via environment variables or Helm chart values.
6 • Ready to Experiment?
- View the Whitepaper for full‑architecture details.
- Explore comparisons on How LUM Compares.
- Or simply start the relay binary and watch it appear, serve, and then vanish.
Own your infrastructure. Control your encryption. Leave nothing behind.