feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:10:56 +02:00 · 2026-05-22 01:10:56 +02:00 · 27255a4bfa
commit 27255a4bfa
parent 78095cca1d
25 changed files with 930 additions and 0 deletions
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@ -61,6 +61,26 @@ nextcloud_trusted_proxies: "172.16.0.0/12"
 nextcloud_enable_notify_push: false
 nextcloud_notify_push_image: "icewind1991/notify_push:1.3.1"

+# Nextcloud Talk: register external HPB signaling + TURN + STUN
+# Set to true to run tasks/talk.yml after Nextcloud is up.
+nextcloud_enable_talk: false
+
+# HPB signaling servers to register.
+# Each item: { server: "https://signaling.example.test", secret: "<hpb_shared_secret>", verify: true }
+nextcloud_talk_signaling_servers: []
+# Hostnames/URLs to remove via `talk:signaling:delete` before adding the new set.
+nextcloud_talk_signaling_servers_removed: []
+
+# TURN servers to register.
+# Each item: { server: "stun.example.test:443", secret: "<turn_shared_secret>", schemes: "turn,turns", protocols: "udp,tcp" }
+nextcloud_talk_turn_servers: []
+# Clear the spreed.turn_servers config key before re-adding (single source of truth)
+nextcloud_talk_turn_reset_before_add: true
+
+# Plain STUN endpoints (host:port). Optional; usually not needed if TURN servers handle STUN too.
+nextcloud_talk_stun_servers: []
+nextcloud_talk_stun_servers_removed: []
+
 # Non-default apps to install and enable
 nextcloud_apps_to_install:
  - groupfolders
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -91,3 +91,7 @@
 - name: Configure OIDC providers
  ansible.builtin.include_tasks: oidc.yml
  when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0
+
+- name: Configure Nextcloud Talk (HPB + TURN + STUN)
+  ansible.builtin.include_tasks: talk.yml
+  when: nextcloud_enable_talk
--- a/roles/nextcloud/tasks/talk.yml
+++ b/roles/nextcloud/tasks/talk.yml
@ -0,0 +1,70 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for configuring Nextcloud Talk HPB + TURN + STUN registration
+
+# --- HPB / signaling -----------------------------------------------------------
+
+- name: Remove HPB signaling servers no longer in use
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:signaling:delete {{ item }}
+  loop: "{{ nextcloud_talk_signaling_servers_removed }}"
+  register: _talk_sig_removed
+  changed_when: "'deleted' in (_talk_sig_removed.stdout | default(''))"
+  failed_when:
+    - _talk_sig_removed.rc != 0
+    - "'is not configured' not in (_talk_sig_removed.stderr | default(''))"
+
+- name: Register HPB signaling servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: >
+      php /var/www/html/occ talk:signaling:add
+      {{ item.server }}
+      {{ item.secret }}
+      {% if item.verify | default(true) %}--verify{% endif %}
+  loop: "{{ nextcloud_talk_signaling_servers }}"
+  no_log: true
+
+# --- TURN ----------------------------------------------------------------------
+# `talk:turn:add` appends without deduplication, so on each run we first clear
+# the list via the underlying app config key (turn_servers, JSON array) and
+# then re-add the declared set. This keeps the host_vars list as the single
+# source of truth.
+
+- name: Reset TURN server list before re-applying
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ config:app:set spreed turn_servers --value='[]'
+  when: nextcloud_talk_turn_reset_before_add | bool
+
+- name: Register TURN servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: >
+      php /var/www/html/occ talk:turn:add
+      {{ item.schemes | default('turn,turns') }}
+      {{ item.server }}
+      {{ item.protocols | default('udp,tcp') }}
+      --secret={{ item.secret }}
+  loop: "{{ nextcloud_talk_turn_servers }}"
+  no_log: true
+
+# --- STUN ----------------------------------------------------------------------
+
+- name: Remove STUN servers no longer in use
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:stun:delete {{ item }}
+  loop: "{{ nextcloud_talk_stun_servers_removed }}"
+  register: _talk_stun_removed
+  changed_when: "'deleted' in (_talk_stun_removed.stdout | default(''))"
+  failed_when:
+    - _talk_stun_removed.rc != 0
+    - "'is not configured' not in (_talk_stun_removed.stderr | default(''))"
+
+- name: Register STUN servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:stun:add {{ item }}
+  loop: "{{ nextcloud_talk_stun_servers }}"