Twiga

ramsusjonssn

The Private IPTV Layer — an online service that encrypts your IPTV credentials and routes your streams through a secure proxy. Paste your M3U or Xtream Codes URL.

#channels-dvr #docker #dvr #emby #epg #go #golang #hdhomerun #iptv #iptv-proxy

Download

Twiga

The Private IPTV Layer — a managed online service that encrypts your IPTV credentials and routes your streams through a secure VPN. Paste your M3U or Xtream Codes URL, and Twiga hands you a clean proxy URL to use in any media player. No credentials in your URL. No unencrypted traffic. No plain-text database entries.

What it does

AES-256 encryption at rest — source URLs and credentials are encrypted the moment you submit them. A full database dump is useless without the key.
Clean proxy URL — your players (Kodi, VLC, Smarters, IPTVX) only ever see a /m3u/… URL with no credentials and no provider hostname.
Centralized VPN routing — all stream traffic (live TV, VOD) exits through a managed NordVPN/WireGuard connection. Your ISP sees VPN traffic, not IPTV traffic.
Tor-routed metadata — playlist and EPG fetches go through a Tor SOCKS5 proxy when configured. Your provider cannot log your real IP for metadata requests.
M3U filtering — clients can request a subset of their playlist: ?group=Sports,News or ?q=bbc (case-insensitive, AND-able).
Operational admin portal — /admin provides GitHub OAuth login, real-time VPN connect/disconnect with fallback, dashboard metrics, and audit logs.

Architecture

   your player (Kodi · VLC · Smarters · IPTVX)
          │
          │  HTTPS · clean proxy URL · no credentials
          │
  ┌───────▼──────────────────────────────────┐
  │              Cloudflare edge             │
  │  WAF · DDoS mitigation · TLS 1.3        │
  └───────┬──────────────────────────────────┘
          │  encrypted tunnel (no open inbound ports)
          │
  ┌───────▼──────────────────────────────────┐
  │                 TWIGA                    │
  │  Go HTTP server · Svelte 5 SPA          │
  │  SQLite · AES-256 vault                  │
  └──────────┬──────────────┬───────────────┘
             │              │
         streams         metadata
      live TV · VOD     M3U · EPG
             │              │
      ┌──────▼───┐    ┌─────▼──────┐
      │  VPN     │    │  Tor       │
      │  tunnel  │    │  (opt.)    │
      └──────┬───┘    └─────┬──────┘
             │              │
             └──────┬───────┘
                    │
          ┌─────────▼──────────┐
          │   IPTV provider    │
          │  ✓ VPN exit IP     │
          │  ✗ your real IP    │
          └────────────────────┘

The VPN is centrally managed by the admin — no user configuration required. All streams route through the same WireGuard connection.

Tech stack

Layer	Tech
Backend	Go (stdlib `net/http`), SQLite, sqlc
Frontend	Svelte 5 (runes, `$state`/`$derived`), Vite 7
Auth	Session-based, invite code gating, email + Turnstile verification
Admin auth	GitHub OAuth + `admin_session` cookie middleware
VPN	NordVPN / WireGuard — centrally managed, credentials AES-256 encrypted at rest
Tor	Optional SOCKS5 proxy for metadata fetches (`TWIGA_TOR_SOCKS`)
Deployment	Single binary; Cloudflare Tunnel → Nginx → Twiga :8088
Tests	`go test ./...` — playlist parser + M3U generation + filter logic

Getting started

Visit twiga.tv to create an account.

For developers

git clone https://github.com/ramsusjonssn/twiga.git
cd twiga

# 1. Copy and fill in secrets
cp .env.example .env

# 2. Build frontend
cd web && npm install && npm run build && cd ..

# 3. Build backend (embeds web/dist at compile time)
go build -o twiga ./cmd/server/
./twiga
# → listening on :8088

# 4. Run tests
go test ./...

Key paths

Path	Purpose
`cmd/server/`	Go entrypoint — loads `.env`, starts HTTP server
`internal/app/app.go`	HTTP mux, all user-facing handlers
`internal/app/admin.go`	Admin auth, VPN/Tor control, dashboard, logs
`internal/app/auth.go`	Auth middleware, public path whitelist
`internal/vpn/service.go`	VPN lifecycle — connect/disconnect/fallback/health
`internal/playlist/`	M3U parser + tests
`internal/ingest/`	Source ingestion pipeline (M3U + Xtream)
`internal/storage/`	SQLite schema, sqlc-generated queries
`internal/crypto/`	AES-256-GCM helpers
`web/src/lib/`	Svelte component library
`web/src/lib/Admin*.svelte`	Admin portal views

Public endpoints

Endpoint	Auth	Purpose
`GET /m3u/{token}`	token	Full M3U playlist with proxy URLs
`GET /m3u/{token}?group=Sports,News`	token	Filtered by group-title (comma list)
`GET /m3u/{token}?q=bbc`	token	Filtered by channel name (substring)
`GET /stream/{channelID}`	none	Stream proxy through VPN
`GET /epg/{token}`	token	XMLTV EPG proxy
`GET /healthz`	none	Health check

Configuration

See .env.example for all options. Key variables:

NORDVPN_WIREGUARD_KEY=  # WireGuard private key from nordvpn
TWIGA_BASE_URL=https://twiga.tv
SMTP_HOST=smtp.protonmail.com
TURNSTILE_SITE_KEY=     # Cloudflare Turnstile
GITHUB_OAUTH_CLIENT_ID= # Admin panel (two apps: prod + local dev)
GITHUB_ADMIN_USERNAME=  # GitHub username with /admin access
# TWIGA_TOR_SOCKS=127.0.0.1:9050  # Optional Tor daemon

Docs

Topic	File
Architecture	`docs/ARCHITECTURE.md`
Roadmap	`docs/ROADMAP.md`
Backlog	`docs/BACKLOG.md`
Data model	`docs/data_model.md`
Deployment	`DEPLOYMENT.md`
VPN providers	`docs/VPN_PROVIDERS.md`

Beta

Twiga is in private beta. Sign up at twiga.tv or email [email protected].

Top categories

tailwind daisyui admin template popup mdsvex portfolio blog form ecommerce ui carousel auth dark seo image routing