Nextcloud: integrate Talk & Whiteboard; adjust ports & healthchecks

- Enable Spreed (Talk); signaling via /standalone-signaling/ - STUN/TURN: move STUN to 3480 (3479 occupied by BBB), keep TURN 5350 reserved - docker-compose: expose internal WS ports; explicit TURN port mapping - Healthchecks: add nc-based TCP checks (roles/docker-container/templates/healthcheck/nc.yml.j2) - Nginx: location proxy to talk:8081 - Schema: add talk_* secrets (turn/signaling/internal) - Plugins: configure spreed/whiteboard via vars/*; remove old task files - Ports matrix (group_vars/all/09_ports.yml) updated/commented Conversation: https://chatgpt.com/share/68b61a6a-e1dc-800f-b793-4aa600bc0166
2025-09-07 18:57:12 +02:00 · 2025-09-02 00:13:23 +02:00
parent 7ca8b7c71d
commit ce3fe1cd51
13 changed files with 107 additions and 51 deletions
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@@ -8,7 +8,6 @@ ports:
    websocket:
      web-app-mastodon:   4001
      web-app-espocrm:    4002
-      web-app-nextcloud:  4003
    oauth2_proxy:
      web-app-phpmyadmin: 4181
      web-app-lam: 4182
@@ -24,11 +23,10 @@ ports:
    http:
      # Ports which are exposed to the World Wide Web
      web-app-nextcloud: 8001
-      # web-app-nextcloud_talk: 8005
-      # web-app-nextcloud_whiteboard: 8015
      web-app-gitea: 8002
      web-app-wordpress: 8003
      web-app-mediawiki: 8004
+      # Free : 8005
      web-app-yourls: 8006
      web-app-mailu: 8007
      web-app-elk: 8008
@@ -38,6 +36,7 @@ ports:
      web-app-funkwhale: 8012
      web-app-roulette-wheel: 8013
      web-app-joomla: 8014
+      # Free: 8015
      web-app-pgadmin: 8016
      web-app-baserow: 8017
      web-app-matomo: 8018
@@ -81,9 +80,10 @@ ports:
      svc-db-openldap: 636
    stun:
      web-app-bigbluebutton: 3478    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 3479
+      # Occupied by BBB:     3479
+      web-app-nextcloud:     3480
    turn:
      web-app-bigbluebutton: 5349    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 5350        # Not used yet
+      web-app-nextcloud:     5350        # Not used yet
    federation:
      web-app-matrix_synapse: 8448
--- a/roles/docker-container/templates/healthcheck/nc.yml.j2
+++ b/roles/docker-container/templates/healthcheck/nc.yml.j2
@@ -0,0 +1,7 @@
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z localhost {{ container_port }} || exit 1"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+{{ "\n" }}
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -17,9 +17,7 @@ server:
        - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
  domains:
    canonical:
-      nextcloud:    "cloud.{{ PRIMARY_DOMAIN }}"
-      talk:         "talk.{{ PRIMARY_DOMAIN }}"
-      whiteboard:   "whiteboard.{{ PRIMARY_DOMAIN }}"
+      - "cloud.{{ PRIMARY_DOMAIN }}"
 docker:
  volumes:
    data: nextcloud_data
@@ -242,7 +240,7 @@ plugins:
      - oidc_login  # Will be disabled
  spreed:
    # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
-    enabled: false # @todo to activate it first implement web-svc-coturn and activate it
+    enabled: true
  tables:
    # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
    enabled: true
--- a/roles/web-app-nextcloud/schema/main.yml
+++ b/roles/web-app-nextcloud/schema/main.yml
@@ -6,4 +6,16 @@ credentials:
  administrator_password:
    description: "Initial password for the Nextcloud administrator (change immediately and enable 2FA)"
    algorithm: "sha256"
-    validation: "^[a-f0-9]{64}$"
+    validation: "^[a-f0-9]{64}$"
+  talk_turn_secret:
+    description: "TURN REST secret for coturn"
+    algorithm: "base64_prefixed_32"
+    validation: "^base64:[A-Za-z0-9+/]{43}=$"
+  talk_signaling_secret:
+    description: "Secret for Talk signaling"
+    algorithm: "base64_prefixed_32"
+    validation: "^base64:[A-Za-z0-9+/]{43}=$"
+  talk_internal_secret:
+    description: "Internal secret for AIO Talk"
+    algorithm: "base64_prefixed_32"
+    validation: "^base64:[A-Za-z0-9+/]{43}=$"
--- a/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
+++ b/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
@@ -34,6 +34,7 @@
  failed_when: not ASYNC_ENABLED and config_set_shell.rc != 0
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"

 - name: Check if {{ plugin_task_path }} exists
  stat:
--- a/roles/web-app-nextcloud/tasks/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/tasks/plugins/spreed.yml
--- a/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
+++ b/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
@@ -1,9 +0,0 @@
- name: Set Whiteboard Configuration
-  ansible.builtin.shell: >
-    {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard collabBackendUrl --value='{{ NEXTCLOUD_WHITEBOARD_URL }}'
-    && {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard jwt_secret_key --value='{{ NEXTCLOUD_WHITEBOARD_JWT }}'
-  args:
-    executable: /bin/bash
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
@@ -1,5 +1,23 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}

+  proxy:
+    image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
+    container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
+    logging:
+      driver: journald
+    restart: {{ DOCKER_RESTART_POLICY }}
+    ports:
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+    volumes:
+        - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
+    volumes_from:
+      - application
+
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+    networks:
+      default:
+        ipv4_address: 192.168.102.67
+
  application:
    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
    container_name: {{ NEXTCLOUD_CONTAINER }}
@@ -18,14 +36,17 @@

 {% if NEXTCLOUD_TALK_ENABLED %}
  talk:
-    {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_TALK_INTERNAL_PORT %}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
    image: "{{ NEXTCLOUD_TALK_IMAGE }}:{{ NEXTCLOUD_TALK_VERSION }}"
    container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
    init: true
    ports:
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/tcp #TURN TCP
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/udp #TURN UDP
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_WS_PORT }}:8081/tcp
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/tcp #TURN TCP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/udp #TURN UDP
+    expose:
+      - "{{ container_port }}"
    networks:
      default:
        ipv4_address: 192.168.102.68
@@ -33,34 +54,18 @@

 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
  whiteboard:
-    {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_WHITEBOARD_INTERNAL_PORT %}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %}
    image: "{{ NEXTCLOUD_WHITEBOARD_IMAGE }}:{{ NEXTCLOUD_WHITEBOARD_VERSION }}"
    container_name: {{ NEXTCLOUD_WHITEBOARD_CONTAINER }}
    expose:
-      - "{{ NEXTCLOUD_WHITEBOARD_INTERNAL_PORT }}"
+      - "{{ container_port }}"
    networks:
      default:
        ipv4_address: 192.168.102.71
 {% endif %}

-  proxy:
-    image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
-    container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
-    logging:
-      driver: journald
-    restart: {{ DOCKER_RESTART_POLICY }}
-    ports:
-      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
-    volumes:
-        - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
-    volumes_from:
-      - application
-
-{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
-    networks:
-      default:
-        ipv4_address: 192.168.102.67
-
  cron:
    container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}"
    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
--- a/roles/web-app-nextcloud/templates/env.j2
+++ b/roles/web-app-nextcloud/templates/env.j2
@@ -41,15 +41,14 @@ REDIS_PORT=                     6379

 {% if NEXTCLOUD_TALK_ENABLED %}
 # Talk Configuration
-# This code was just moved here during refactoring and isn't tested yet.
 # @todo move it to an own env file for encapsulation reasons
 NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
 TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
-TURN_SECRET=${TURN_SECRET}
-SIGNALING_SECRET=${SIGNALING_SECRET}
-TZ=Europe/Berlin
+TURN_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}
+SIGNALING_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_signaling_secret') }}
+INTERNAL_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}
+TZ={{ HOST_TIMEZONE }}
 TALK_PORT=3478
-INTERNAL_SECRET=${INTERNAL_SECRET}
 {% endif %}

 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
--- a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
@@ -189,5 +189,14 @@ http {
            proxy_set_header   Connection        "upgrade";
            proxy_read_timeout 3600;
        }
+
+        location {{ NEXTCLOUD_TALK_LOCATION }} {
+            proxy_pass         http://talk:{{ NEXTCLOUD_TALK_INTERNAL_PORT }}/;
+            proxy_http_version 1.1;
+            proxy_set_header   Host              $host;
+            proxy_set_header   Upgrade           $http_upgrade;
+            proxy_set_header   Connection        "upgrade";
+            proxy_read_timeout 3600;
+        }
    }
 }
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
@@ -63,9 +63,13 @@ NEXTCLOUD_TALK_IMAGE:               "{{ applications | get_app_conf(application_
 NEXTCLOUD_TALK_VERSION:             "{{ applications | get_app_conf(application_id, 'docker.services.talk.version') }}"
 NEXTCLOUD_TALK_ENABLED:             "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
 NEXTCLOUD_TALK_STUN_PORT:           "{{ ports.public.stun[application_id] }}"
-NEXTCLOUD_TALK_WS_PORT:             "{{ ports.localhost.websocket[application_id] }}"
-NEXTCLOUD_TALK_DOMAIN:              "{{ domains[application_id].talk }}"
+NEXTCLOUD_TALK_DOMAIN:              "{{ NEXTCLOUD_DOMAIN }}"
+NEXTCLOUD_TALK_LOCATION:            "/standalone-signaling/"
+NEXTCLOUD_TALK_URL:                 "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
+NEXTCLOUD_TALK_INTERNAL_PORT:       "8081"
+NEXTCLOUD_TALK_INT_TURN_PORT:       "3478"

+### Whiteboard
 NEXTCLOUD_WHITEBOARD_CONTAINER:     "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.name') }}"
 NEXTCLOUD_WHITEBOARD_IMAGE:         "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.image') }}"
 NEXTCLOUD_WHITEBOARD_VERSION:       "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.version') }}"
@@ -77,7 +81,6 @@ NEXTCLOUD_WHITEBOARD_URL:           "{{ [ NEXTCLOUD_URL, NEXTCLOUD_WHITEBOARD_LO

 ### Collabora
 NEXTCLOUD_COLLABORA_URL:            "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}"
-# NEXTCLOUD_COLLABORA_ENABLED:        "{{ applications | get_app_conf(application_id, 'plugins.richdocuments.enabled') }}"

 ## User Configuration
 NEXTCLOUD_DOCKER_USER_id:           82                                                            # UID of the www-data user
--- a/roles/web-app-nextcloud/vars/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/vars/plugins/spreed.yml
@@ -0,0 +1,23 @@
+plugin_configuration:
+  - appid: "spreed"
+    configkey: "signaling_servers"
+    configvalue:
+      - server: "{{ NEXTCLOUD_TALK_URL }}"
+        verify: true
+        # optional:
+        alias: "primary"
+
+  # STUN
+  - appid: "spreed"
+    configkey: "stun_servers"
+    configvalue:
+      - "stun:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"
+
+  # TURN with REST-Secret (used by Talk/Coturn)
+  - appid: "spreed"
+    configkey: "turn_servers"
+    configvalue:
+      - server: "turn:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}?transport=udp"
+        secret: "{{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}"
+        ttl: 86400
+        protocols: "udp,tcp"
--- a/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
+++ b/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
@@ -0,0 +1,8 @@
+plugin_configuration:
+  - appid: "whiteboard"
+    configkey: "collabBackendUrl"
+    configvalue: "{{ NEXTCLOUD_WHITEBOARD_URL }}"
+
+  - appid: "whiteboard"
+    configkey: "jwt_secret_key"
+    configvalue: "{{ NEXTCLOUD_WHITEBOARD_JWT }}"