diff --git a/group_vars/all/09_ports.yml b/group_vars/all/09_ports.yml
index d4fc4e2f..86515475 100644
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@@ -8,7 +8,6 @@ ports:
 websocket:
 web-app-mastodon: 4001
 web-app-espocrm: 4002
- web-app-nextcloud: 4003
 oauth2_proxy:
 web-app-phpmyadmin: 4181
 web-app-lam: 4182
@@ -24,11 +23,10 @@ ports:
 http: # Ports which are exposed to the World Wide Web
 web-app-nextcloud: 8001
- # web-app-nextcloud_talk: 8005
- # web-app-nextcloud_whiteboard: 8015
 web-app-gitea: 8002
 web-app-wordpress: 8003
 web-app-mediawiki: 8004
+ # Free : 8005
 web-app-yourls: 8006
 web-app-mailu: 8007
 web-app-elk: 8008
@@ -38,6 +36,7 @@ ports:
 web-app-funkwhale: 8012
 web-app-roulette-wheel: 8013
 web-app-joomla: 8014
+ # Free: 8015
 web-app-pgadmin: 8016
 web-app-baserow: 8017
 web-app-matomo: 8018
@@ -81,9 +80,10 @@ ports:
 svc-db-openldap: 636
 stun:
 web-app-bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section
- web-app-nextcloud: 3479
+ # Occupied by BBB: 3479
+ web-app-nextcloud: 3480
 turn:
 web-app-bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section
- web-app-nextcloud: 5350 # Not used yet
+ web-app-nextcloud: 5350 # Not used yet
 federation:
 web-app-matrix_synapse: 8448
diff --git a/roles/docker-container/templates/healthcheck/nc.yml.j2 b/roles/docker-container/templates/healthcheck/nc.yml.j2
new file mode 100644
index 00000000..12acbf69
--- /dev/null
+++ b/roles/docker-container/templates/healthcheck/nc.yml.j2
@@ -0,0 +1,7 @@
+ healthcheck:
+ test: ["CMD-SHELL", "nc -z localhost {{ container_port }} || exit 1"]
+ interval: 30s
+ timeout: 3s
+ retries: 3
+ start_period: 10s
+{{ "\n" }}
\ No newline at end of file
diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml
index 1fee84f0..d064a611 100644
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
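Review bot: The healthcheck template depends on `container_port` being set by whichever compose template includes it, but nothing in the file says so; a leading `{# expects container_port (the port nc probes) to be set by the including compose template #}` would make the contract explicit, and the same comment can state that the service image must ship `nc`, which a CMD-SHELL test cannot check for itself. The closing `{{ "\n" }}` line compensates for the file having no final newline; if that is deliberate, note it inline so it is not "fixed" away by the next editor.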
@@ -17,9 +17,7 @@ server:
 - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
 domains:
 canonical:
- nextcloud: "cloud.{{ PRIMARY_DOMAIN }}"
- talk: "talk.{{ PRIMARY_DOMAIN }}"
- whiteboard: "whiteboard.{{ PRIMARY_DOMAIN }}"
+ - "cloud.{{ PRIMARY_DOMAIN }}"
 docker:
 volumes:
 data: nextcloud_data
@@ -242,7 +240,7 @@ plugins:
 - oidc_login # Will be disabled
 spreed: # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
- enabled: false # @todo to activate it first implement web-svc-coturn and activate it
+ enabled: true
 tables: # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
 enabled: true
diff --git a/roles/web-app-nextcloud/schema/main.yml b/roles/web-app-nextcloud/schema/main.yml
index 12a8735e..c0adff7e 100644
--- a/roles/web-app-nextcloud/schema/main.yml
+++ b/roles/web-app-nextcloud/schema/main.yml
@@ -6,4 +6,16 @@ credentials:
 administrator_password:
 description: "Initial password for the Nextcloud administrator (change immediately and enable 2FA)"
 algorithm: "sha256"
- validation: "^[a-f0-9]{64}$"
\ No newline at end of file
+ validation: "^[a-f0-9]{64}$"
+ talk_turn_secret:
+ description: "TURN REST secret for coturn"
+ algorithm: "base64_prefixed_32"
+ validation: "^base64:[A-Za-z0-9+/]{43}=$"
+ talk_signaling_secret:
+ description: "Secret for Talk signaling"
+ algorithm: "base64_prefixed_32"
+ validation: "^base64:[A-Za-z0-9+/]{43}=$"
+ talk_internal_secret:
+ description: "Internal secret for AIO Talk"
+ algorithm: "base64_prefixed_32"
+ validation: "^base64:[A-Za-z0-9+/]{43}=$"
diff --git a/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml b/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
index ab849d8c..a693973e 100644
--- a/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
+++ b/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
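Review bot: `enabled: true` switches Talk on for every deployment and drops the only comment that explained what activating it entails; with the `talk` service in this commit binding its TURN port on `networks.internet.ip4` for both TCP and UDP, the new default opens a public listener on `ports.public.stun`. Keep a short comment on the key so operators know what they are opting into, e.g. `enabled: true # starts the talk container incl. STUN/TURN bound on the public interface (ports.public.stun)`. The `plugins:` mapping starts outside the hunk.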
@@ -34,6 +34,7 @@
 failed_when: not ASYNC_ENABLED and config_set_shell.rc != 0
 async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
 poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+ no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"
 - name: Check if {{ plugin_task_path }} exists
 stat:
diff --git a/roles/web-app-nextcloud/tasks/plugins/spreed.yml b/roles/web-app-nextcloud/tasks/plugins/spreed.yml
deleted file mode 100644
index e69de29b..00000000
diff --git a/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml b/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
deleted file mode 100644
index da4e6c6c..00000000
--- a/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: Set Whiteboard Configuration
- ansible.builtin.shell: >
- {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard collabBackendUrl --value='{{ NEXTCLOUD_WHITEBOARD_URL }}'
- && {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard jwt_secret_key --value='{{ NEXTCLOUD_WHITEBOARD_JWT }}'
- args:
- executable: /bin/bash
- async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
- poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
- no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
diff --git a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
index bfaf8326..4b8279b8 100644
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
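Review bot: The new `no_log` spells the flag as `MASK_CREDENTIALS_IN_LOGS | default(true) | bool`, while the whiteboard task deleted in this same commit used `MASK_CREDENTIALS_IN_LOGS | bool` with no default; pick one form for the role, because a typo in the variable name would silently fall back to masking in one task and raise an undefined-variable error in another. If the default is intentional because the variable is optional, say so inline: `no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}" # mask by default: plugin values now include secrets`. Since this task now carries the Talk and whiteboard secrets, a masked failure hides the `config_set_shell` output, which is correct but worth knowing when the `failed_when` fires. The enclosing task starts outside the hunk.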
@@ -1,5 +1,23 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
+ proxy:
+ image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
+ container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
+ logging:
+ driver: journald
+ restart: {{ DOCKER_RESTART_POLICY }}
+ ports:
+ - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+ volumes:
+ - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
+ volumes_from:
+ - application
+
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+ networks:
+ default:
+ ipv4_address: 192.168.102.67
+
 application:
 image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
 container_name: {{ NEXTCLOUD_CONTAINER }}
@@ -18,14 +36,17 @@
 {% if NEXTCLOUD_TALK_ENABLED %}
 talk:
- {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_TALK_INTERNAL_PORT %}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
 image: "{{ NEXTCLOUD_TALK_IMAGE }}:{{ NEXTCLOUD_TALK_VERSION }}"
 container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
 init: true
 ports:
- - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/tcp #TURN TCP
- - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/udp #TURN UDP
- - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_WS_PORT }}:8081/tcp
+ - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/tcp #TURN TCP
+ - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/udp #TURN UDP
+ expose:
+ - "{{ container_port }}"
 networks:
 default:
 ipv4_address: 192.168.102.68
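Review bot: `{% set container_port = NEXTCLOUD_TALK_INTERNAL_PORT %}` reassigns a template-wide variable, and the proxy block moved to the top of the file in the first hunk still reads `{{ container_port }}` in its `ports:` mapping; the move presumably exists so proxy renders before this `set` runs, but nothing in the template records that ordering constraint. Add a comment in front of the proxy block, e.g. `{# keep proxy above talk/whiteboard: both re-assign container_port for their healthcheck includes #}`; the whiteboard hunk in the following chunk performs the same `set` and is covered by the same comment. The included `healthcheck/tcp.yml.j2` is not added by this commit (only `nc.yml.j2` is), so confirm it already exists in the role.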
@@ -33,34 +54,18 @@
 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
 whiteboard:
- {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_WHITEBOARD_INTERNAL_PORT %}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %}
 image: "{{ NEXTCLOUD_WHITEBOARD_IMAGE }}:{{ NEXTCLOUD_WHITEBOARD_VERSION }}"
 container_name: {{ NEXTCLOUD_WHITEBOARD_CONTAINER }}
 expose:
- - "{{ NEXTCLOUD_WHITEBOARD_INTERNAL_PORT }}"
+ - "{{ container_port }}"
 networks:
 default:
 ipv4_address: 192.168.102.71
 {% endif %}
- proxy:
- image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
- container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
- logging:
- driver: journald
- restart: {{ DOCKER_RESTART_POLICY }}
- ports:
- - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
- volumes:
- - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
- volumes_from:
- - application
-
-{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
- networks:
- default:
- ipv4_address: 192.168.102.67
-
 cron:
 container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}"
 image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
diff --git a/roles/web-app-nextcloud/templates/env.j2 b/roles/web-app-nextcloud/templates/env.j2
index 11f65b01..781b8525 100644
--- a/roles/web-app-nextcloud/templates/env.j2
+++ b/roles/web-app-nextcloud/templates/env.j2
@@ -41,15 +41,14 @@ REDIS_PORT= 6379
 {% if NEXTCLOUD_TALK_ENABLED %}
 # Talk Configuration
-# This code was just moved here during refactoring and isn't tested yet.
 # @todo move it to an own env file for encapsulation reasons
 NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
 TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
-TURN_SECRET=${TURN_SECRET}
-SIGNALING_SECRET=${SIGNALING_SECRET}
-TZ=Europe/Berlin
+TURN_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}
+SIGNALING_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_signaling_secret') }}
+INTERNAL_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}
+TZ={{ HOST_TIMEZONE }}
 TALK_PORT=3478
-INTERNAL_SECRET=${INTERNAL_SECRET}
 {% endif %}
 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
diff --git a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2 b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
index 6ed966db..cea2fa77 100644
--- a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
@@ -189,5 +189,14 @@ http {
 proxy_set_header Connection "upgrade";
 proxy_read_timeout 3600;
 }
+
+ location {{ NEXTCLOUD_TALK_LOCATION }} {
+ proxy_pass http://talk:{{ NEXTCLOUD_TALK_INTERNAL_PORT }}/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 3600;
+ }
 }
 }
diff --git a/roles/web-app-nextcloud/vars/main.yml b/roles/web-app-nextcloud/vars/main.yml
index a5981f39..e629c6f3 100644
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
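Review bot: `TALK_PORT=3478` stays a literal while this commit introduces `NEXTCLOUD_TALK_INT_TURN_PORT: "3478"` in vars/main.yml and uses it as the container side of the compose TURN mapping; if `TALK_PORT` is that same listener, write `TALK_PORT={{ NEXTCLOUD_TALK_INT_TURN_PORT }}` so the two values cannot drift apart. The three `*_SECRET` lines now render credentials straight into the env file instead of expanding `${...}` at runtime, so the task that templates this file should create it with an owner-only mode and `no_log`; that task is not part of the diff, so please check it. The surrounding `{% if NEXTCLOUD_TALK_ENABLED %}` block is fully within the hunk.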
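Review bot: The new `location {{ NEXTCLOUD_TALK_LOCATION }}` block is rendered unconditionally, but the `talk` service it proxies to is only emitted when `NEXTCLOUD_TALK_ENABLED` is true (compose template in this commit); nginx resolves a static `proxy_pass` hostname when it loads the configuration, so a deployment with Talk disabled would fail to start on an unresolvable upstream `talk`. Wrap the block in `{% if NEXTCLOUD_TALK_ENABLED %}` … `{% endif %}` like the compose service. Because the signaling server now sits behind this proxy, forwarding the client address (`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;`) is worth adding so its logs remain usable; check what the upstream expects. The enclosing `server` and `http` blocks start outside the hunk.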
@@ -63,9 +63,13 @@ NEXTCLOUD_TALK_IMAGE: "{{ applications | get_app_conf(application_
 NEXTCLOUD_TALK_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.talk.version') }}"
 NEXTCLOUD_TALK_ENABLED: "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
 NEXTCLOUD_TALK_STUN_PORT: "{{ ports.public.stun[application_id] }}"
-NEXTCLOUD_TALK_WS_PORT: "{{ ports.localhost.websocket[application_id] }}"
-NEXTCLOUD_TALK_DOMAIN: "{{ domains[application_id].talk }}"
+NEXTCLOUD_TALK_DOMAIN: "{{ NEXTCLOUD_DOMAIN }}"
+NEXTCLOUD_TALK_LOCATION: "/standalone-signaling/"
+NEXTCLOUD_TALK_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
+NEXTCLOUD_TALK_INTERNAL_PORT: "8081"
+NEXTCLOUD_TALK_INT_TURN_PORT: "3478"
+### Whiteboard
 NEXTCLOUD_WHITEBOARD_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.name') }}"
 NEXTCLOUD_WHITEBOARD_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.image') }}"
 NEXTCLOUD_WHITEBOARD_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.version') }}"
@@ -77,7 +81,6 @@ NEXTCLOUD_WHITEBOARD_URL: "{{ [ NEXTCLOUD_URL, NEXTCLOUD_WHITEBOARD_LO
 ### Collabora
 NEXTCLOUD_COLLABORA_URL: "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}"
-# NEXTCLOUD_COLLABORA_ENABLED: "{{ applications | get_app_conf(application_id, 'plugins.richdocuments.enabled') }}"
 ## User Configuration
 NEXTCLOUD_DOCKER_USER_id: 82 # UID of the www-data user
diff --git a/roles/web-app-nextcloud/vars/plugins/spreed.yml b/roles/web-app-nextcloud/vars/plugins/spreed.yml
new file mode 100644
index 00000000..54f0e8a1
--- /dev/null
+++ b/roles/web-app-nextcloud/vars/plugins/spreed.yml
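Review bot: `NEXTCLOUD_TALK_DOMAIN` now equals `NEXTCLOUD_DOMAIN`, and that name is what the STUN/TURN entries in the new spreed plugin vars advertise to clients, while the compose template binds the TURN port on `networks.internet.ip4`; this only works when the Nextcloud domain resolves directly to that address rather than to a reverse proxy or CDN in front of the web port. A comment on the line would make the constraint visible, e.g. `NEXTCLOUD_TALK_DOMAIN: "{{ NEXTCLOUD_DOMAIN }}" # advertised as STUN/TURN host; must resolve to networks.internet.ip4`. `NEXTCLOUD_TALK_STUN_PORT` is also used for the TURN mapping, so a note that the two share one public port would save the next reader a lookup.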
@@ -0,0 +1,23 @@
+plugin_configuration:
+ - appid: "spreed"
+ configkey: "signaling_servers"
+ configvalue:
+ - server: "{{ NEXTCLOUD_TALK_URL }}"
+ verify: true
+ # optional:
+ alias: "primary"
+
+ # STUN
+ - appid: "spreed"
+ configkey: "stun_servers"
+ configvalue:
+ - "stun:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"
+
+ # TURN with REST-Secret (used by Talk/Coturn)
+ - appid: "spreed"
+ configkey: "turn_servers"
+ configvalue:
+ - server: "turn:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}?transport=udp"
+ secret: "{{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}"
+ ttl: 86400
+ protocols: "udp,tcp"
diff --git a/roles/web-app-nextcloud/vars/plugins/whiteboard.yml b/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
new file mode 100644
index 00000000..cc4fd7ed
--- /dev/null
+++ b/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
@@ -0,0 +1,8 @@
+plugin_configuration:
+ - appid: "whiteboard"
+ configkey: "collabBackendUrl"
+ configvalue: "{{ NEXTCLOUD_WHITEBOARD_URL }}"
+
+ - appid: "whiteboard"
+ configkey: "jwt_secret_key"
+ configvalue: "{{ NEXTCLOUD_WHITEBOARD_JWT }}"
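Review bot: The `signaling_servers` value carries only the server list; the `talk_signaling_secret` this commit defines in the schema and hands to the talk container as `SIGNALING_SECRET` is never given to Nextcloud here. Talk's own `occ talk:signaling:add <server> <secret>` stores the key as `{"servers":[{"server":…,"verify":…}],"secret":"…"}`, so unless the config-set task wraps the value, Nextcloud will not be able to authenticate to the signaling backend. The same command family (`talk:stun:add`, `talk:turn:add`) takes `host:port` without a `stun:`/`turn:` scheme and derives the transport from `protocols`, so `"stun:{{ … }}:{{ … }}"` and the `?transport=udp` suffix should be verified against a rendered config before merging. If the chosen layout is intentional, a comment above the first entry naming the Talk config format it targets would save the next reader the round trip.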