From a044028e032c140a4cb1c79f8b7744cb4baadae3 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 27 Sep 2025 04:39:11 +0200
Subject: [PATCH] Nextcloud Talk integration cleanup: unify secrets and signaling config
- Replace inline get_app_conf secrets in env.j2 with dedicated vars (TURN, signaling, internal)
- Correctly model signaling_servers as object {servers, secret} in spreed.yml
- Use UDP stun_turn port instead of TLS for transport=udp
- Add fallback logic for standalone Coturn role in main.yml
- Remove obsolete Greenlight section from BBB override
Ref: https://chatgpt.com/share/68d74e25-c068-800f-ae20-d0e34ac8ee12
---
 .../templates/docker-compose.override.yml.j2 | 5 -----
 roles/web-app-nextcloud/templates/env.j2 | 7 +++----
 roles/web-app-nextcloud/vars/main.yml | 12 +++++++----
 .../web-app-nextcloud/vars/plugins/spreed.yml | 21 ++++++++++++-------
 4 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2 b/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
index 6db93ea9..a03c4684 100644
--- a/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
+++ b/roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2
@@ -29,11 +29,6 @@ services:
 --cert=${COTURN_TLS_CERT_PATH}
 --pkey=${COTURN_TLS_KEY_PATH}
 {% endif %}
-{% if BBB_GREENLIGHT_ENABLED | bool %}
- greenlight:
-{% set container_port = 3000 %}
-{% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %}
-{% endif %}
 {% if BBB_COLLABORA_ENABLED | bool %}
 bbb-web:
 depends_on:
diff --git a/roles/web-app-nextcloud/templates/env.j2 b/roles/web-app-nextcloud/templates/env.j2
index 04eb0d5f..2fa87660 100644
--- a/roles/web-app-nextcloud/templates/env.j2
+++ b/roles/web-app-nextcloud/templates/env.j2
@@ -41,12 +41,11 @@ REDIS_PORT= 6379
 {% if NEXTCLOUD_TALK_PLUGIN_ENABLED %}
 # Talk Configuration
-# @todo move it to an own env file for encapsulation reasons
 NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
 TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
-TURN_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}
-SIGNALING_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_signaling_secret') }}
-INTERNAL_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}
+TURN_SECRET={{ NEXTCLOUD_TALK_TURN_SECRET }}
+SIGNALING_SECRET={{ NEXTCLOUD_TALK_SIGNALING_SECRET }}
+INTERNAL_SECRET={{ NEXTCLOUD_TALK_INTERNAL_SECRET }}
 TZ={{ HOST_TIMEZONE }}
 TALK_PORT={{ NEXTCLOUD_TALK_INT_TURN_PORT }}
 TURN_MIN_PORT={{ NEXTCLOUD_TALK_RELAY_PORT_START }}
diff --git a/roles/web-app-nextcloud/vars/main.yml b/roles/web-app-nextcloud/vars/main.yml
index ee99e5d2..83811f6a 100644
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
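Review bot: `TURN_SECRET` is still rendered under `{% if NEXTCLOUD_TALK_PLUGIN_ENABLED %}`, but with this commit `NEXTCLOUD_TALK_TURN_SECRET` resolves to the standalone Coturn role's `credentials.auth_secret` whenever the bundled Talk service is off, so that other role's shared secret is now written into Nextcloud's env file on hosts that run no Talk/Coturn container from this role. Every key in this block (`NC_DOMAIN`, `TALK_HOST`, the three secrets, `TALK_PORT`, `TURN_MIN_PORT`) looks like input for the bundled talk container rather than for Nextcloud itself, though I cannot confirm the consumer from this hunk. If that holds, guard the block with `{% if NEXTCLOUD_TALK_SERVICE_ENABLED %}` instead, so the Coturn secret is only materialised where a container actually reads it. The `{% if %}` opened here is closed outside the hunk.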
@@ -59,11 +59,15 @@ NEXTCLOUD_CRON_CONTAINER: "{{ applications | get_app_conf(application_
 ### Talk
 #### Service
+_NEXTCLOUD_COTURN_STANDALONE_ROLE: 'web-svc-coturn'
 NEXTCLOUD_TALK_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.talk.name') }}"
 NEXTCLOUD_TALK_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.talk.image') }}"
 NEXTCLOUD_TALK_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.talk.version') }}"
 NEXTCLOUD_TALK_PLUGIN_ENABLED: "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
-NEXTCLOUD_TALK_SERVICE_ENABLED: "{{ applications | get_app_conf(application_id, 'docker.services.talk.internal') if NEXTCLOUD_TALK_PLUGIN_ENABLED else false }}"
+NEXTCLOUD_TALK_SERVICE_ENABLED: "{{ applications | get_app_conf(application_id, 'docker.services.talk.internal') if NEXTCLOUD_TALK_PLUGIN_ENABLED else false }}"
+NEXTCLOUD_TALK_TURN_SECRET: "{{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') if NEXTCLOUD_TALK_SERVICE_ENABLED else applications | get_app_conf(_NEXTCLOUD_COTURN_STANDALONE_ROLE, 'credentials.auth_secret') }}"
+NEXTCLOUD_TALK_SIGNALING_SECRET: "{{ applications | get_app_conf(application_id, 'credentials.talk_signaling_secret') }}"
+NEXTCLOUD_TALK_INTERNAL_SECRET: "{{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}"
 NEXTCLOUD_TALK_LOCATION: "/standalone-signaling/"
 NEXTCLOUD_TALK_PORT_INTERNAL: "8081"
 NEXTCLOUD_TALK_INT_TURN_PORT: "3478"
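Review bot: The fallback branch of `NEXTCLOUD_TALK_TURN_SECRET` is taken whenever `NEXTCLOUD_TALK_SERVICE_ENABLED` is false, which includes hosts where the Talk plugin itself is disabled, so on a host without `web-svc-coturn` configured any task that evaluates this var will call `get_app_conf` for an application that is not there (vars are lazy, so this may only surface from a debug or assert task, and only if `get_app_conf` errors on a missing key rather than returning a default). Gating the lookup on the plugin keeps it off such hosts: `... if NEXTCLOUD_TALK_SERVICE_ENABLED else (applications | get_app_conf(_NEXTCLOUD_COTURN_STANDALONE_ROLE, 'credentials.auth_secret') if NEXTCLOUD_TALK_PLUGIN_ENABLED else '')`. The cross-role secret sharing also deserves a comment above `_NEXTCLOUD_COTURN_STANDALONE_ROLE`, e.g. `# Standalone Coturn role used when docker.services.talk.internal is false; Talk then reuses that role's TURN REST secret (credentials.auth_secret), so rotating it there requires re-running this role as well.` The `-`/`+` pair on `NEXTCLOUD_TALK_SERVICE_ENABLED` appears to differ only in whitespace.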
@@ -73,9 +77,9 @@ NEXTCLOUD_TALK_RELAY_PORT_RANGE: "{{ NEXTCLOUD_TALK_RELAY_PORT_START }}-{{ NE
 NEXTCLOUD_TALK_NETWORK_MODE: "{{ applications | get_app_conf(application_id, 'docker.services.talk.network_mode') }}"
 # Connection
-NEXTCLOUD_TALK_STUN_PORT: "{{ ports.public.stun_turn_tls[application_id] }}"
-NEXTCLOUD_TALK_DOMAIN: "{{ NEXTCLOUD_DOMAIN }}"
-NEXTCLOUD_TALK_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
+NEXTCLOUD_TALK_STUN_PORT: "{{ ports.public.stun_turn[application_id] if NEXTCLOUD_TALK_SERVICE_ENABLED else ports.public.stun_turn[_NEXTCLOUD_COTURN_STANDALONE_ROLE] }}"
+NEXTCLOUD_TALK_DOMAIN: "{{ NEXTCLOUD_DOMAIN if NEXTCLOUD_TALK_SERVICE_ENABLED else (domains | get_domain(_NEXTCLOUD_COTURN_STANDALONE_ROLE)) }}"
+NEXTCLOUD_TALK_SIGNALING_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
 ### Whiteboard
 NEXTCLOUD_WHITEBOARD_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.name') }}"
diff --git a/roles/web-app-nextcloud/vars/plugins/spreed.yml b/roles/web-app-nextcloud/vars/plugins/spreed.yml
index 54f0e8a1..28d5a5b3 100644
--- a/roles/web-app-nextcloud/vars/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/vars/plugins/spreed.yml
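Review bot: After this hunk nothing in the role references `ports.public.stun_turn_tls` any more, so the TLS TURN listener is never advertised to Talk; with spreed.yml publishing only a plain `turn:` server, clients whose egress allows nothing but TLS on 443 have no relay left to fall back to. If dropping TLS TURN is intended, a comment on `NEXTCLOUD_TALK_STUN_PORT` saying so would stop the next reader from "fixing" it back; otherwise keep the TLS port reachable for a `turns` entry, e.g. `NEXTCLOUD_TALK_TURN_TLS_PORT: "{{ ports.public.stun_turn_tls[application_id] if NEXTCLOUD_TALK_SERVICE_ENABLED else ports.public.stun_turn_tls[_NEXTCLOUD_COTURN_STANDALONE_ROLE] }}"` (assuming the ports map defines it for both roles). `NEXTCLOUD_TALK_URL` is renamed to `NEXTCLOUD_TALK_SIGNALING_URL` here; any template outside this diff still using the old name would now hit an undefined variable, which I cannot check from this hunk.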
@@ -1,23 +1,30 @@
 plugin_configuration:
+ # Signaling (object: { servers: [...], secret: "..." })
 - appid: "spreed"
 configkey: "signaling_servers"
 configvalue:
- - server: "{{ NEXTCLOUD_TALK_URL }}"
- verify: true
- # optional:
- alias: "primary"
+ servers:
+ - server: "{{ NEXTCLOUD_TALK_SIGNALING_URL }}"
+ verify: true
+ alias: "primary"
+ secret: "{{ NEXTCLOUD_TALK_SIGNALING_SECRET }}"
- # STUN
+ # STUN (list of strings)
 - appid: "spreed"
 configkey: "stun_servers"
 configvalue:
 - "stun:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"
- # TURN with REST-Secret (used by Talk/Coturn)
+ # TURN with REST-Secret (list of objects)
 - appid: "spreed"
 configkey: "turn_servers"
 configvalue:
 - server: "turn:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}?transport=udp"
- secret: "{{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}"
+ secret: "{{ NEXTCLOUD_TALK_TURN_SECRET }}"
 ttl: 86400
 protocols: "udp,tcp"
+
+ # Internal secret (still required as a separate key)
+ - appid: "spreed"
+ configkey: "internal_secret"
+ configvalue: "{{ NEXTCLOUD_TALK_INTERNAL_SECRET }}"
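Review bot: The `stun_servers` entry and the `turn_servers` `server` value carry a URI scheme and a `?transport=udp` suffix, but Talk stores bare `host:port` and composes the `stun:`/`turn:` URL and the `?transport=` part itself per configured scheme and protocol — `occ talk:stun:add <host:port>` and `occ talk:turn:add <schemes> <host:port> <protocols>` write exactly these keys — so as written clients would be handed doubled-up ICE URLs; the hard-coded `?transport=udp` also contradicts `protocols: "udp,tcp"` two lines below, and `ttl` is not a field I know Talk to read. Please compare against `occ config:app:get spreed turn_servers` on an instance configured through the admin UI for the Talk version you target, and if it agrees, store the entries in Talk's own shape as below. Separately, `internal_secret` is not a spreed app-config key I can place: if only the signaling container's `INTERNAL_SECRET` consumes that value, writing it into Nextcloud's app config (readable via `occ config:list`) spreads the secret to a second store with no reader — confirm it has one before keeping the entry.
```yaml
  # STUN ("host:port" strings; Talk prepends the stun: scheme itself)
  - appid: "spreed"
    configkey: "stun_servers"
    configvalue:
      - "{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"

  # TURN with REST-Secret, in the shape `occ talk:turn:add` stores it
  - appid: "spreed"
    configkey: "turn_servers"
    configvalue:
      - schemes: "turn"
        server: "{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"
        secret: "{{ NEXTCLOUD_TALK_TURN_SECRET }}"
        protocols: "udp,tcp"
  # … unchanged: signaling_servers entry above, internal_secret entry below …
```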