feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:10:56 +02:00 · 2026-05-22 01:10:56 +02:00 · 27255a4bfa
commit 27255a4bfa
parent 78095cca1d
25 changed files with 930 additions and 0 deletions
--- a/roles/talk/defaults/main.yml
+++ b/roles/talk/defaults/main.yml
@ -0,0 +1,74 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults file for talk (Nextcloud Talk High Performance Backend)
+
+# Base directories (inherited from base role)
+docker_compose_base_dir: /etc/docker/compose
+docker_volume_base_dir: /srv/data
+
+talk_service_name: signaling
+talk_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ talk_service_name }}"
+talk_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ talk_service_name }}"
+
+# --- Container images (pinned) ---
+talk_signaling_image: "strukturag/nextcloud-spreed-signaling:1.3.4"
+talk_janus_image: "canyan/janus-gateway:1.2.4"
+talk_nats_image: "nats:2.10-alpine"
+
+# --- Networking ---
+talk_traefik_network: "proxy"
+talk_internal_network: "hpb_internal"
+
+# --- Public exposure ---
+talk_use_ssl: true
+talk_cert_resolver: "dns"
+talk_domain: "signaling.example.test"            # public domain (over DMZ Traefik)
+talk_internal_domain: ""                         # optional split-horizon "int" domain (e.g. signaling.int.example.test)
+
+# --- Backend (Nextcloud) registration ---
+# Nextcloud base URL the HPB talks back to. Must be reachable from the HPB container.
+talk_nextcloud_url: "https://cloud.example.test"
+# Pin Nextcloud domain to a backend IP via extra_hosts to bypass DMZ hairpin/SNI issues
+talk_nextcloud_extra_host_ip: ""                 # e.g. "172.16.9.88" — empty disables the pin
+
+# Backend HMAC secret shared with Nextcloud Talk.
+# Pattern follows playbooks/secrets/{host}/<name>; override the lookup with vault if desired.
+talk_backend_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_backend_secret') }}"
+
+# --- TURN integration ---
+# Shared secret with coturn (--static-auth-secret). Must match coturn_static_auth_secret on the TURN host.
+talk_turn_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_turn_secret') }}"
+# TURN server URI list as understood by the signaling server.
+# Defaults follow IANA standards (3478/5349). Override to ":443" in restrictive
+# network environments where coturn binds on 443.
+talk_turn_servers: "turns:stun.example.test:5349?transport=tcp,turn:stun.example.test:3478"
+talk_turn_realm: "stun.example.test"
+talk_turn_apikey: ""                             # optional; if empty a random one is generated on first run
+
+# --- Session keys (server.conf [sessions]) ---
+# 32-byte hex strings. Loaded from secrets dir like the other shared secrets.
+talk_session_hashkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_hashkey') }}"
+talk_session_blockkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_blockkey') }}"
+
+# --- MCU (Janus) ---
+talk_mcu_type: "janus"
+talk_janus_public_ip: ""                          # set in host_vars; goes into janus nat_1_1_mapping
+talk_janus_rtp_port_min: 20000
+talk_janus_rtp_port_max: 21000
+# STUN server Janus uses for its own ICE candidate gathering. Default points to internal coturn DNS name.
+talk_janus_stun_server: "stun.int.example.test"
+talk_janus_stun_port: 5349
+talk_janus_ice_lite: true
+talk_janus_ice_tcp: true
+
+# --- Trusted proxies / allowed hosts for the signaling [app] section ---
+talk_trusted_proxies:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"
+  - "10.0.0.0/8"
+talk_allowed_hosts:
+  - "172.16.0.0/12"
+
+# --- Extra hosts forwarded to all three containers ---
+# Pre-populated with the Nextcloud pin if talk_nextcloud_extra_host_ip is set; you can append more here.
+talk_extra_hosts: []