# SPDX-License-Identifier: MIT-0
---
# Role defaults for talk (Nextcloud Talk High Performance Backend).
# Every value below is a default and can be overridden from host_vars /
# group_vars.

# ---------------------------------------------------------------------------
# Base directories (inherited from the base role)
# ---------------------------------------------------------------------------
docker_compose_base_dir: '/etc/docker/compose'
docker_volume_base_dir: '/srv/data'

talk_service_name: 'signaling'
talk_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ talk_service_name }}"
talk_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ talk_service_name }}"

# ---------------------------------------------------------------------------
# Container images (pinned)
# ---------------------------------------------------------------------------
# Tags are pinned so that a re-run does not silently pull a different build.
# NOTE(review): the nats tag is a minor-version tag rather than a full
# version, so it may move between patch releases — confirm that is intended.
talk_signaling_image: 'strukturag/nextcloud-spreed-signaling:1.3.4'
talk_janus_image: 'canyan/janus-gateway:1.2.4'
talk_nats_image: 'nats:2.10-alpine'

# ---------------------------------------------------------------------------
# Networking
# ---------------------------------------------------------------------------
# Docker network shared with Traefik.
talk_traefik_network: 'proxy'
# Docker network used between the HPB containers (the name suggests it is
# not externally reachable — confirm in the compose template).
talk_internal_network: 'hpb_internal'

# ---------------------------------------------------------------------------
# Public exposure
# ---------------------------------------------------------------------------
talk_use_ssl: true
talk_cert_resolver: 'dns'
# Public domain, reached over the DMZ Traefik instance.
talk_domain: 'signaling.example.test'
# Optional split-horizon "int" domain (e.g. signaling.int.example.test).
# Leave empty to disable.
talk_internal_domain: ''

# ---------------------------------------------------------------------------
# Backend (Nextcloud) registration
# ---------------------------------------------------------------------------
# Nextcloud base URL the HPB talks back to. Must be reachable from inside
# the HPB container.
talk_nextcloud_url: 'https://cloud.example.test'
# Pins the Nextcloud domain to a backend IP via extra_hosts to bypass DMZ
# hairpin / SNI issues. Example value: '172.16.9.88'. Empty disables the pin.
talk_nextcloud_extra_host_ip: ''
# Backend HMAC secret shared with Nextcloud Talk.
# Pattern follows playbooks/secrets/{host}/; override the lookup with a vault
# value if desired. The secrets directory must not be committed to version
# control and should be readable only by the deploying user — confirm it is
# covered by .gitignore.
talk_backend_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_backend_secret') }}"

# ---------------------------------------------------------------------------
# TURN integration
# ---------------------------------------------------------------------------
# Shared secret with coturn (--static-auth-secret). Must match
# coturn_static_auth_secret on the TURN host.
talk_turn_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_turn_secret') }}"
# TURN server URI list as understood by the signaling server.
# Defaults follow the IANA-assigned ports (3478/5349). Override to ':443' in
# restrictive network environments where coturn binds on 443.
talk_turn_servers: 'turns:stun.example.test:5349?transport=tcp,turn:stun.example.test:3478'
talk_turn_realm: 'stun.example.test'
# Optional; if left empty a random key is generated on first run.
talk_turn_apikey: ''

# ---------------------------------------------------------------------------
# Session keys (server.conf [sessions])
# ---------------------------------------------------------------------------
# 32-byte hex strings, loaded from the secrets dir like the other shared
# secrets.
talk_session_hashkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_hashkey') }}"
talk_session_blockkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_blockkey') }}"

# ---------------------------------------------------------------------------
# MCU (Janus)
# ---------------------------------------------------------------------------
talk_mcu_type: 'janus'
# Set in host_vars; becomes the janus nat_1_1_mapping value.
talk_janus_public_ip: ''
# RTP port range for media. Whatever range is chosen here must also be
# allowed/published wherever the container's ports are exposed.
talk_janus_rtp_port_min: 20000
talk_janus_rtp_port_max: 21000
# STUN server Janus uses for its own ICE candidate gathering. The default
# points to the internal coturn DNS name.
talk_janus_stun_server: 'stun.int.example.test'
# NOTE(review): 5349 is the TURN-over-TLS port; plain STUN discovery
# normally targets 3478. Confirm coturn answers STUN on 5349 before relying
# on this default.
talk_janus_stun_port: 5349
talk_janus_ice_lite: true
talk_janus_ice_tcp: true

# ---------------------------------------------------------------------------
# Trusted proxies / allowed hosts for the signaling [app] section
# ---------------------------------------------------------------------------
# The default trusts all three RFC 1918 ranges. Any host inside a trusted
# range can present forwarded-client headers, so narrow this to the actual
# reverse-proxy address(es) where the topology allows it.
talk_trusted_proxies:
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '10.0.0.0/8'
talk_allowed_hosts:
  - '172.16.0.0/12'

# ---------------------------------------------------------------------------
# Extra hosts forwarded to all three containers
# ---------------------------------------------------------------------------
# Pre-populated with the Nextcloud pin when talk_nextcloud_extra_host_ip is
# set; additional entries can be appended here.
talk_extra_hosts: []