Refactor TURN/STUN handling:

- Split internal/external Coturn for BBB and Nextcloud - Added dedicated relay port ranges per app - Updated env and compose overrides for coturn - Ensure coturn role is loaded conditionally - Standardize credential/env passing for coturn @See https://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea
2025-10-10 10:48:10 +02:00 · 2025-09-26 22:11:55 +02:00
parent e3c0880e98
commit 73a38e0b2b
17 changed files with 97 additions and 27 deletions
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -51,6 +51,7 @@ docker:
      version:  "latest"
      backup:
        no_stop_required: false
+      internal: "{{ not 'web-svc-coturn' in group_names | lower }}"
    whiteboard:
      name:     "nextcloud-whiteboard"
      image:    "ghcr.io/nextcloud-releases/whiteboard"
--- a/roles/web-app-nextcloud/tasks/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/tasks/plugins/spreed.yml
@@ -0,0 +1,7 @@
+- name: "Load Coturn Role for '{{ application_id }}'"
+  include_role:
+    name: web-svc-coturn
+  vars:
+    flush_handlers: true
+  when:    
+    - run_once_web_svc_coturn is not defined
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
@@ -34,7 +34,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
        ipv4_address: 192.168.102.69

-{% if NEXTCLOUD_TALK_ENABLED %}
+{% if NEXTCLOUD_TALK_INTERNAL_ENABLED %}
  talk:
 {% set container_port = NEXTCLOUD_TALK_PORT_INTERNAL %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
@@ -43,8 +43,9 @@
    container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
    init: true
    ports:
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/tcp #TURN TCP
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/udp #TURN UDP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/tcp
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/udp
+      - {{ NEXTCLOUD_TALK_RELAY_PORT_RANGE }}:{{ NEXTCLOUD_TALK_RELAY_PORT_RANGE }}/udp
    expose:
      - "{{ container_port }}"
    networks:
--- a/roles/web-app-nextcloud/templates/env.j2
+++ b/roles/web-app-nextcloud/templates/env.j2
@@ -49,6 +49,10 @@ SIGNALING_SECRET={{ applications | get_app_conf(application_id, 'credentials.tal
 INTERNAL_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}
 TZ={{ HOST_TIMEZONE }}
 TALK_PORT={{ NEXTCLOUD_TALK_INT_TURN_PORT }}
+TURN_MIN_PORT={{ NEXTCLOUD_TALK_RELAY_PORT_START }}
+TURN_MAX_PORT={{ NEXTCLOUD_TALK_RELAY_PORT_END }}
+COTURN_MIN_PORT={{ NEXTCLOUD_TALK_RELAY_PORT_START }}
+COTURN_MAX_PORT={{ NEXTCLOUD_TALK_RELAY_PORT_END }}
 {% endif %}

 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
@@ -58,16 +58,23 @@ NEXTCLOUD_PROXY_VERSION:            "{{ applications | get_app_conf(application_
 NEXTCLOUD_CRON_CONTAINER:           "{{ applications | get_app_conf(application_id, 'docker.services.cron.name') }}"

 ### Talk 
+#### Service
 NEXTCLOUD_TALK_CONTAINER:           "{{ applications | get_app_conf(application_id, 'docker.services.talk.name') }}"
 NEXTCLOUD_TALK_IMAGE:               "{{ applications | get_app_conf(application_id, 'docker.services.talk.image') }}"
 NEXTCLOUD_TALK_VERSION:             "{{ applications | get_app_conf(application_id, 'docker.services.talk.version') }}"
-NEXTCLOUD_TALK_ENABLED:             "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
-NEXTCLOUD_TALK_STUN_PORT:           "{{ ports.public.stun[application_id] }}"
-NEXTCLOUD_TALK_DOMAIN:              "{{ NEXTCLOUD_DOMAIN }}"
+NEXTCLOUD_TALK_ENABLED:             "{{ applications | get_app_conf(application_id, 'docker.services.talk.internal') }}"
+NEXTCLOUD_TALK_INTERNAL_ENABLED:    "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
 NEXTCLOUD_TALK_LOCATION:            "/standalone-signaling/"
-NEXTCLOUD_TALK_URL:                 "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
 NEXTCLOUD_TALK_PORT_INTERNAL:       "8081"
 NEXTCLOUD_TALK_INT_TURN_PORT:       "3478"
+NEXTCLOUD_TALK_RELAY_PORT_START:    "{{ ports.public.relay_port_ranges[application_id ~ '_start'] }}"
+NEXTCLOUD_TALK_RELAY_PORT_END:      "{{ ports.public.relay_port_ranges[application_id ~ '_end'  ] }}"
+NEXTCLOUD_TALK_RELAY_PORT_RANGE:    "{{ NEXTCLOUD_TALK_RELAY_PORT_START }}-{{ NEXTCLOUD_TALK_RELAY_PORT_END }}"
+
+# Connection
+NEXTCLOUD_TALK_STUN_PORT:           "{{ ports.public.stun[application_id] }}"
+NEXTCLOUD_TALK_DOMAIN:              "{{ NEXTCLOUD_DOMAIN }}"
+NEXTCLOUD_TALK_URL:                 "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"

 ### Whiteboard
 NEXTCLOUD_WHITEBOARD_CONTAINER:     "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.name') }}"