Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/talk/README.md

3.6 KiB
Raw Blame History

talk

Deploys the Nextcloud Talk High Performance Backend (HPB) stack:

  • nextcloud-spreed-signaling (Strukturag)
  • janus-gateway (canyan build, WebRTC MCU)
  • nats (internal message broker)

Designed to be paired with the digitalboard.core.coturn role (TURN/STUN) and registered in Nextcloud via the new digitalboard.core.nextcloud talk.yml task.

Required variables

Variable Description
talk_domain Public host name (e.g. signaling.digitalboard.ch)
talk_nextcloud_url Base URL of the Nextcloud instance the HPB talks back to
talk_janus_public_ip Public IP used by Janus for ICE candidate gathering (nat_1_1_mapping)
talk_backend_secret HMAC secret shared with Nextcloud Talk; loaded from secrets/{host}/talk_backend_secret
talk_turn_secret Shared secret with coturn; loaded from secrets/{host}/talk_turn_secret (must equal coturn_static_auth_secret)
talk_session_hashkey 32-byte hex; loaded from secrets/{host}/talk_session_hashkey
talk_session_blockkey 32-byte hex; loaded from secrets/{host}/talk_session_blockkey

Important variables

Variable Default Description
talk_internal_domain "" Optional split-horizon FQDN (matches the second SAN on the coturn cert)
talk_turn_servers turns:.../443?transport=tcp,turn:.../443 Comma-separated TURN URI list passed to the signaling server
talk_turn_realm stun.example.test Realm advertised to clients
talk_janus_stun_server stun.int.example.test STUN endpoint Janus uses for its own ICE; default points at the internal coturn name
talk_janus_rtp_port_min/max 20000/21000 UDP/TCP relay range opened on the Janus container
talk_nextcloud_extra_host_ip "" Optional pin: bind the Nextcloud FQDN to a specific backend IP (bypasses hairpin/SNI)
talk_signaling_image strukturag/nextcloud-spreed-signaling:1.3.4 Pinned
talk_janus_image canyan/janus-gateway:1.2.4 Pinned
talk_nats_image nats:2.10-alpine Pinned

All defaults can be overridden per host_vars. The configurable image variables exist explicitly because this stack is still under active development upstream and you may want to roll forward independently.

Secrets

The role expects these files under playbooks/secrets/{{ inventory_hostname }}/, mode 0600:

talk_backend_secret       # shared with Nextcloud Talk app (HPB shared secret)
talk_turn_secret          # = coturn_static_auth_secret on the TURN host
talk_session_hashkey      # 32-byte hex (openssl rand -hex 32)
talk_session_blockkey     # 32-byte hex (openssl rand -hex 32)

If you prefer a different secret store, override the variables directly in host_vars.

What gets registered in Nextcloud

The matching digitalboard.core.nextcloud task talk.yml runs:

  • php occ talk:signaling:add <talk_domain> <talk_backend_secret> — register HPB
  • php occ talk:turn:add for each entry in nextcloud_talk_turn_servers — register TURN

That part lives in the nextcloud role and runs when nextcloud_enable_talk: true.

Traefik

The role assumes a digitalboard.core.traefik instance in backend mode runs on the same host (picks up Docker container labels). The public talk_domain then needs to be exposed via the DMZ Traefik, by adding an entry to traefik_dmz_exposed_services in the signaling host's host_vars:

traefik_dmz_exposed_services:
  - name: signaling
    domain: signaling.digitalboard.ch
    port: 443
    protocol: https

(The DMZ proxy aggregates exposed services from all backend_servers host_vars.)