Nextcloud: integrate Talk & Whiteboard; adjust ports & healthchecks

- Enable Spreed (Talk); signaling via /standalone-signaling/ - STUN/TURN: move STUN to 3480 (3479 occupied by BBB), keep TURN 5350 reserved - docker-compose: expose internal WS ports; explicit TURN port mapping - Healthchecks: add nc-based TCP checks (roles/docker-container/templates/healthcheck/nc.yml.j2) - Nginx: location proxy to talk:8081 - Schema: add talk_* secrets (turn/signaling/internal) - Plugins: configure spreed/whiteboard via vars/*; remove old task files - Ports matrix (group_vars/all/09_ports.yml) updated/commented Conversation: https://chatgpt.com/share/68b61a6a-e1dc-800f-b793-4aa600bc0166
2025-09-08 19:27:18 +02:00 · 2025-09-02 00:13:23 +02:00
parent 7ca8b7c71d
commit ce3fe1cd51
13 changed files with 107 additions and 51 deletions
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@@ -8,7 +8,6 @@ ports:
    websocket:
      web-app-mastodon:   4001
      web-app-espocrm:    4002
      web-app-nextcloud:  4003
    oauth2_proxy:
      web-app-phpmyadmin: 4181
      web-app-lam: 4182
@@ -24,11 +23,10 @@ ports:
    http:
      # Ports which are exposed to the World Wide Web
      web-app-nextcloud: 8001
      # web-app-nextcloud_talk: 8005
      # web-app-nextcloud_whiteboard: 8015
      web-app-gitea: 8002
      web-app-wordpress: 8003
      web-app-mediawiki: 8004
      # Free : 8005
      web-app-yourls: 8006
      web-app-mailu: 8007
      web-app-elk: 8008
@@ -38,6 +36,7 @@ ports:
      web-app-funkwhale: 8012
      web-app-roulette-wheel: 8013
      web-app-joomla: 8014
      # Free: 8015
      web-app-pgadmin: 8016
      web-app-baserow: 8017
      web-app-matomo: 8018
@@ -81,9 +80,10 @@ ports:
      svc-db-openldap: 636
    stun:
      web-app-bigbluebutton: 3478    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 3479
+      # Occupied by BBB:     3479
      web-app-nextcloud:     3480
    turn:
      web-app-bigbluebutton: 5349    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 5350        # Not used yet
+      web-app-nextcloud:     5350        # Not used yet
    federation:
      web-app-matrix_synapse: 8448
--- a/roles/docker-container/templates/healthcheck/nc.yml.j2
+++ b/roles/docker-container/templates/healthcheck/nc.yml.j2
@@ -0,0 +1,7 @@
    healthcheck:
      test: ["CMD-SHELL", "nc -z localhost {{ container_port }} || exit 1"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s
 {{ "\n" }}
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -17,9 +17,7 @@ server:
        - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
  domains:
    canonical:
-      nextcloud:    "cloud.{{ PRIMARY_DOMAIN }}"
+      - "cloud.{{ PRIMARY_DOMAIN }}"
      talk:         "talk.{{ PRIMARY_DOMAIN }}"
      whiteboard:   "whiteboard.{{ PRIMARY_DOMAIN }}"
 docker:
  volumes:
    data: nextcloud_data
@@ -242,7 +240,7 @@ plugins:
      - oidc_login  # Will be disabled
  spreed:
    # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
-    enabled: false # @todo to activate it first implement web-svc-coturn and activate it
+    enabled: true
  tables:
    # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
    enabled: true
--- a/roles/web-app-nextcloud/schema/main.yml
+++ b/roles/web-app-nextcloud/schema/main.yml
@@ -6,4 +6,16 @@ credentials:
  administrator_password:
    description: "Initial password for the Nextcloud administrator (change immediately and enable 2FA)"
    algorithm: "sha256"
-    validation: "^[a-f0-9]{64}$"
+    validation: "^[a-f0-9]{64}$"
  talk_turn_secret:
    description: "TURN REST secret for coturn"
    algorithm: "base64_prefixed_32"
    validation: "^base64:[A-Za-z0-9+/]{43}=$"
  talk_signaling_secret:
    description: "Secret for Talk signaling"
    algorithm: "base64_prefixed_32"
    validation: "^base64:[A-Za-z0-9+/]{43}=$"
  talk_internal_secret:
    description: "Internal secret for AIO Talk"
    algorithm: "base64_prefixed_32"
    validation: "^base64:[A-Za-z0-9+/]{43}=$"
--- a/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
+++ b/roles/web-app-nextcloud/tasks/_plugin_b_enable_and_configure.yml
@@ -34,6 +34,7 @@
  failed_when: not ASYNC_ENABLED and config_set_shell.rc != 0
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"
 - name: Check if {{ plugin_task_path }} exists
  stat:
--- a/roles/web-app-nextcloud/tasks/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/tasks/plugins/spreed.yml
--- a/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
+++ b/roles/web-app-nextcloud/tasks/plugins/whiteboard.yml
@@ -1,9 +0,0 @@
 - name: Set Whiteboard Configuration
  ansible.builtin.shell: >
    {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard collabBackendUrl --value='{{ NEXTCLOUD_WHITEBOARD_URL }}'
    && {{ NEXTCLOUD_DOCKER_EXEC_OCC }} config:app:set whiteboard jwt_secret_key --value='{{ NEXTCLOUD_WHITEBOARD_JWT }}'
  args:
    executable: /bin/bash
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
@@ -1,5 +1,23 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
  proxy:
    image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
    container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
    logging:
      driver: journald
    restart: {{ DOCKER_RESTART_POLICY }}
    ports:
      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
    volumes:
        - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
    volumes_from:
      - application
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
    networks:
      default:
        ipv4_address: 192.168.102.67
  application:
    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
    container_name: {{ NEXTCLOUD_CONTAINER }}
@@ -18,14 +36,17 @@
 {% if NEXTCLOUD_TALK_ENABLED %}
  talk:
-    {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_TALK_INTERNAL_PORT %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
    image: "{{ NEXTCLOUD_TALK_IMAGE }}:{{ NEXTCLOUD_TALK_VERSION }}"
    container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
    init: true
    ports:
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/tcp #TURN TCP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/tcp #TURN TCP
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:3478/udp #TURN UDP
+      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_STUN_PORT }}:{{ NEXTCLOUD_TALK_INT_TURN_PORT }}/udp #TURN UDP
-      - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_WS_PORT }}:8081/tcp
+    expose:
      - "{{ container_port }}"
    networks:
      default:
        ipv4_address: 192.168.102.68
@@ -33,34 +54,18 @@
 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
  whiteboard:
-    {% include 'roles/docker-container/templates/base.yml.j2' %}
+{% set container_port = NEXTCLOUD_WHITEBOARD_INTERNAL_PORT %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %}
    image: "{{ NEXTCLOUD_WHITEBOARD_IMAGE }}:{{ NEXTCLOUD_WHITEBOARD_VERSION }}"
    container_name: {{ NEXTCLOUD_WHITEBOARD_CONTAINER }}
    expose:
-      - "{{ NEXTCLOUD_WHITEBOARD_INTERNAL_PORT }}"
+      - "{{ container_port }}"
    networks:
      default:
        ipv4_address: 192.168.102.71
 {% endif %}
  proxy:
    image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
    container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
    logging:
      driver: journald
    restart: {{ DOCKER_RESTART_POLICY }}
    ports:
      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
    volumes:
        - "{{ docker_compose.directories.volumes }}nginx.conf:/etc/nginx/nginx.conf:ro"
    volumes_from:
      - application
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
    networks:
      default:
        ipv4_address: 192.168.102.67
  cron:
    container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}"
    image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
--- a/roles/web-app-nextcloud/templates/env.j2
+++ b/roles/web-app-nextcloud/templates/env.j2
@@ -41,15 +41,14 @@ REDIS_PORT=                     6379
 {% if NEXTCLOUD_TALK_ENABLED %}
 # Talk Configuration
 # This code was just moved here during refactoring and isn't tested yet.
 # @todo move it to an own env file for encapsulation reasons
 NC_DOMAIN={{ NEXTCLOUD_DOMAIN }}
 TALK_HOST={{ NEXTCLOUD_TALK_DOMAIN }}
-TURN_SECRET=${TURN_SECRET}
+TURN_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}
-SIGNALING_SECRET=${SIGNALING_SECRET}
+SIGNALING_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_signaling_secret') }}
-TZ=Europe/Berlin
+INTERNAL_SECRET={{ applications | get_app_conf(application_id, 'credentials.talk_internal_secret') }}
 TZ={{ HOST_TIMEZONE }}
 TALK_PORT=3478
 INTERNAL_SECRET=${INTERNAL_SECRET}
 {% endif %}
 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
--- a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
@@ -189,5 +189,14 @@ http {
            proxy_set_header   Connection        "upgrade";
            proxy_read_timeout 3600;
        }
        location {{ NEXTCLOUD_TALK_LOCATION }} {
            proxy_pass         http://talk:{{ NEXTCLOUD_TALK_INTERNAL_PORT }}/;
            proxy_http_version 1.1;
            proxy_set_header   Host              $host;
            proxy_set_header   Upgrade           $http_upgrade;
            proxy_set_header   Connection        "upgrade";
            proxy_read_timeout 3600;
        }
    }
 }
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
@@ -63,9 +63,13 @@ NEXTCLOUD_TALK_IMAGE:               "{{ applications | get_app_conf(application_
 NEXTCLOUD_TALK_VERSION:             "{{ applications | get_app_conf(application_id, 'docker.services.talk.version') }}"
 NEXTCLOUD_TALK_ENABLED:             "{{ applications | get_app_conf(application_id, 'plugins.spreed.enabled') }}"
 NEXTCLOUD_TALK_STUN_PORT:           "{{ ports.public.stun[application_id] }}"
-NEXTCLOUD_TALK_WS_PORT:             "{{ ports.localhost.websocket[application_id] }}"
+NEXTCLOUD_TALK_DOMAIN:              "{{ NEXTCLOUD_DOMAIN }}"
-NEXTCLOUD_TALK_DOMAIN:              "{{ domains[application_id].talk }}"
+NEXTCLOUD_TALK_LOCATION:            "/standalone-signaling/"
 NEXTCLOUD_TALK_URL:                 "{{ [ NEXTCLOUD_URL, NEXTCLOUD_TALK_LOCATION ] | url_join }}"
 NEXTCLOUD_TALK_INTERNAL_PORT:       "8081"
 NEXTCLOUD_TALK_INT_TURN_PORT:       "3478"
 ### Whiteboard
 NEXTCLOUD_WHITEBOARD_CONTAINER:     "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.name') }}"
 NEXTCLOUD_WHITEBOARD_IMAGE:         "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.image') }}"
 NEXTCLOUD_WHITEBOARD_VERSION:       "{{ applications | get_app_conf(application_id, 'docker.services.whiteboard.version') }}"
@@ -77,7 +81,6 @@ NEXTCLOUD_WHITEBOARD_URL:           "{{ [ NEXTCLOUD_URL, NEXTCLOUD_WHITEBOARD_LO
 ### Collabora
 NEXTCLOUD_COLLABORA_URL:            "{{ domains | get_url('web-svc-collabora', WEB_PROTOCOL) }}"
 # NEXTCLOUD_COLLABORA_ENABLED:        "{{ applications | get_app_conf(application_id, 'plugins.richdocuments.enabled') }}"
 ## User Configuration
 NEXTCLOUD_DOCKER_USER_id:           82                                                            # UID of the www-data user
--- a/roles/web-app-nextcloud/vars/plugins/spreed.yml
+++ b/roles/web-app-nextcloud/vars/plugins/spreed.yml
@@ -0,0 +1,23 @@
 plugin_configuration:
  - appid: "spreed"
    configkey: "signaling_servers"
    configvalue:
      - server: "{{ NEXTCLOUD_TALK_URL }}"
        verify: true
        # optional:
        alias: "primary"
  # STUN
  - appid: "spreed"
    configkey: "stun_servers"
    configvalue:
      - "stun:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}"
  # TURN with REST-Secret (used by Talk/Coturn)
  - appid: "spreed"
    configkey: "turn_servers"
    configvalue:
      - server: "turn:{{ NEXTCLOUD_TALK_DOMAIN }}:{{ NEXTCLOUD_TALK_STUN_PORT }}?transport=udp"
        secret: "{{ applications | get_app_conf(application_id, 'credentials.talk_turn_secret') }}"
        ttl: 86400
        protocols: "udp,tcp"
--- a/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
+++ b/roles/web-app-nextcloud/vars/plugins/whiteboard.yml
@@ -0,0 +1,8 @@
 plugin_configuration:
  - appid: "whiteboard"
    configkey: "collabBackendUrl"
    configvalue: "{{ NEXTCLOUD_WHITEBOARD_URL }}"
  - appid: "whiteboard"
    configkey: "jwt_secret_key"
    configvalue: "{{ NEXTCLOUD_WHITEBOARD_JWT }}"