feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:10:56 +02:00 · 2026-05-22 01:10:56 +02:00 · 27255a4bfa
commit 27255a4bfa
parent 78095cca1d
25 changed files with 930 additions and 0 deletions
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -91,3 +91,7 @@
 - name: Configure OIDC providers
  ansible.builtin.include_tasks: oidc.yml
  when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0
+
+- name: Configure Nextcloud Talk (HPB + TURN + STUN)
+  ansible.builtin.include_tasks: talk.yml
+  when: nextcloud_enable_talk
--- a/roles/nextcloud/tasks/talk.yml
+++ b/roles/nextcloud/tasks/talk.yml
@ -0,0 +1,70 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for configuring Nextcloud Talk HPB + TURN + STUN registration
+
+# --- HPB / signaling -----------------------------------------------------------
+
+- name: Remove HPB signaling servers no longer in use
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:signaling:delete {{ item }}
+  loop: "{{ nextcloud_talk_signaling_servers_removed }}"
+  register: _talk_sig_removed
+  changed_when: "'deleted' in (_talk_sig_removed.stdout | default(''))"
+  failed_when:
+    - _talk_sig_removed.rc != 0
+    - "'is not configured' not in (_talk_sig_removed.stderr | default(''))"
+
+- name: Register HPB signaling servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: >
+      php /var/www/html/occ talk:signaling:add
+      {{ item.server }}
+      {{ item.secret }}
+      {% if item.verify | default(true) %}--verify{% endif %}
+  loop: "{{ nextcloud_talk_signaling_servers }}"
+  no_log: true
+
+# --- TURN ----------------------------------------------------------------------
+# `talk:turn:add` appends without deduplication, so on each run we first clear
+# the list via the underlying app config key (turn_servers, JSON array) and
+# then re-add the declared set. This keeps the host_vars list as the single
+# source of truth.
+
+- name: Reset TURN server list before re-applying
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ config:app:set spreed turn_servers --value='[]'
+  when: nextcloud_talk_turn_reset_before_add | bool
+
+- name: Register TURN servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: >
+      php /var/www/html/occ talk:turn:add
+      {{ item.schemes | default('turn,turns') }}
+      {{ item.server }}
+      {{ item.protocols | default('udp,tcp') }}
+      --secret={{ item.secret }}
+  loop: "{{ nextcloud_talk_turn_servers }}"
+  no_log: true
+
+# --- STUN ----------------------------------------------------------------------
+
+- name: Remove STUN servers no longer in use
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:stun:delete {{ item }}
+  loop: "{{ nextcloud_talk_stun_servers_removed }}"
+  register: _talk_stun_removed
+  changed_when: "'deleted' in (_talk_stun_removed.stdout | default(''))"
+  failed_when:
+    - _talk_stun_removed.rc != 0
+    - "'is not configured' not in (_talk_stun_removed.stderr | default(''))"
+
+- name: Register STUN servers
+  community.docker.docker_container_exec:
+    container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1"
+    command: php /var/www/html/occ talk:stun:add {{ item }}
+  loop: "{{ nextcloud_talk_stun_servers }}"