diff --git a/inventories/demo-gymburgdorf/host_vars/application/nextcloud_talk_snippet.yml b/inventories/demo-gymburgdorf/host_vars/application/nextcloud_talk_snippet.yml
new file mode 100644
index 0000000..49bcca0
--- /dev/null
+++ b/inventories/demo-gymburgdorf/host_vars/application/nextcloud_talk_snippet.yml
@@ -0,0 +1,29 @@
+# Append-only excerpt: add this to the existing nextcloud.yml on the application host.
+# Demo layout: TURN + HPB are collocated on the `turn` host, so both secrets
+# live under playbooks/secrets/turn/.
+
+nextcloud_enable_talk: true
+
+# HPB / signaling server registration
+# secret value must match talk_backend_secret deployed to the turn host
+nextcloud_talk_signaling_servers:
+ - server: "https://signaling.digitalboard.ch"
+ secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/talk_backend_secret') }}"
+ verify: true
+
+nextcloud_talk_signaling_servers_removed: []
+
+# TURN registration
+# secret value must match coturn_static_auth_secret deployed to the turn host.
+# Port 5349 matches coturn_tls_listening_port default; change to 443 if you
+# overrode coturn_tls_listening_port: 443 on the turn host.
+nextcloud_talk_turn_servers:
+ - schemes: "turn,turns"
+ server: "stun.digitalboard.ch:5349"
+ protocols: "udp,tcp"
+ secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/coturn_static_auth_secret') }}"
+
+# Optional: plain STUN entries
+nextcloud_talk_stun_servers:
+ - "stun.digitalboard.ch:3478"
+nextcloud_talk_stun_servers_removed: []
diff --git a/inventories/demo-gymburgdorf/host_vars/turn/coturn.yml b/inventories/demo-gymburgdorf/host_vars/turn/coturn.yml
new file mode 100644
index 0000000..57fcc52
--- /dev/null
+++ b/inventories/demo-gymburgdorf/host_vars/turn/coturn.yml
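Review bot: Ansible loads every file in host_vars/application/ automatically, so nextcloud_talk_snippet.yml is already live host_vars rather than an excerpt to paste, and if the same keys also end up in nextcloud.yml the file Ansible reads last silently wins (presumably alphabetical order, which would make this file override nextcloud.yml). Either drop the "append-only excerpt" comment and keep this file as the single source of these keys, or move it out of host_vars/ to match its stated intent. Separately, the nextcloud_talk_turn_servers entry sends plain `turn` over udp/tcp to port 5349, while talk_turn_servers in this commit's talk.yml uses 3478 for plain turn and 5349 only for turns; if the asymmetry is intentional because coturn accepts either on both ports, a one-line comment such as `# coturn answers plain and TLS TURN on both 3478 and 5349; one entry is enough` would save the next reader the check.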
@@ -0,0 +1,29 @@
+# coturn host_vars (collocated layout: same host runs HPB)
+# Place secrets at:
+# playbooks/secrets/turn/coturn_static_auth_secret (mode 0600)
+# playbooks/secrets/turn/nsupdate.key (mode 0600)
+
+coturn_realm: "stun.digitalboard.ch"
+coturn_internal_realm: "stun.int.digitalboard.ch"
+
+# Ports use IANA defaults (3478/5349) so the local backend Traefik can
+# keep using 443 for the signaling routes on the same host.
+# Override to 443/443 if this host is dedicated to TURN and you need
+# to punch through restrictive firewalls.
+# coturn_listening_port: 443
+# coturn_tls_listening_port: 443
+
+# Public IP that media is reached on. Format: PUBLIC[/PRIVATE]
+coturn_external_ip: "193.43.183.74/172.18.0.2" # adjust per environment
+
+# Let's Encrypt via RFC2136 / nsupdate (acme.sh sidecar)
+coturn_cert_mode: "acme"
+coturn_acme_email: "admin@digitalboard.ch"
+coturn_acme_nsupdate_server: "ns1.digitalboard.ch"
+coturn_acme_nsupdate_server_ip: "172.16.9.169"
+coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch"
+coturn_acme_challenge_aliases:
+ - name: stun.digitalboard.ch
+ alias: stun.digitalboard._acme.digitalboard.ch
+ - name: stun.int.digitalboard.ch
+ alias: stun.int.digitalboard._acme.digitalboard.ch
diff --git a/inventories/demo-gymburgdorf/host_vars/turn/talk.yml b/inventories/demo-gymburgdorf/host_vars/turn/talk.yml
new file mode 100644
index 0000000..a6d5455
--- /dev/null
+++ b/inventories/demo-gymburgdorf/host_vars/turn/talk.yml
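Review bot: coturn_external_ip places the relay's private address on 172.18.0.2, i.e. an internal network, and nothing in this file restricts which peer addresses coturn will relay to; unless the role's defaults (not visible here) already set coturn's denied-peer-ip for RFC1918 and link-local ranges and no-multicast-peers, any client holding valid TURN credentials can reach internal hosts through the relay. A comment stating that the role enforces this, or an explicit host_var if the role exposes one, would make the hardening visible where the network layout is declared. The two commented-out 443 overrides would also collide with the local Traefik that this commit's traefik.yml runs on 443 of the same host; the surrounding comment hints at it, but a direct `# do not enable while traefik_mode: "backend" is set on this host` is harder to miss.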
@@ -0,0 +1,23 @@
+# talk / HPB host_vars (collocated layout: same host runs coturn)
+# Place secrets at:
+# playbooks/secrets/turn/talk_backend_secret (mode 0600)
+# playbooks/secrets/turn/talk_turn_secret (mode 0600, == coturn_static_auth_secret)
+# playbooks/secrets/turn/talk_session_hashkey (mode 0600, openssl rand -hex 32)
+# playbooks/secrets/turn/talk_session_blockkey (mode 0600, openssl rand -hex 32)
+
+talk_domain: "signaling.digitalboard.ch"
+talk_internal_domain: "signaling.int.digitalboard.ch"
+
+talk_nextcloud_url: "https://cloud.digitalboard.ch"
+talk_nextcloud_extra_host_ip: "172.16.19.111" # application backend IP
+
+# Janus media advertisement IP = the public IP of this (collocated) host
+talk_janus_public_ip: "193.43.183.74" # same host as coturn
+
+# TURN config — matches coturn defaults on this host (3478/5349).
+# In a production deployment with coturn on 443, replace ports with :443.
+talk_turn_servers: "turns:stun.int.digitalboard.ch:5349?transport=tcp,turn:stun.int.digitalboard.ch:3478"
+talk_turn_realm: "stun.digitalboard.ch"
+
+talk_janus_stun_server: "stun.int.digitalboard.ch"
+talk_janus_stun_port: 5349
diff --git a/inventories/demo-gymburgdorf/host_vars/turn/traefik.yml b/inventories/demo-gymburgdorf/host_vars/turn/traefik.yml
new file mode 100644
index 0000000..6b38027
--- /dev/null
+++ b/inventories/demo-gymburgdorf/host_vars/turn/traefik.yml
@@ -0,0 +1,13 @@
+# Local Traefik on the turn host (docker provider mode) picks up
+# container labels from the signaling stack. coturn lives next to it
+# via host networking on 3478/5349 — no port collision.
+traefik_mode: "backend"
+traefik_network: "proxy"
+
+# Tell the DMZ reverseproxy to expose this host for signaling.digitalboard.ch
+# (DMZ proxy aggregates traefik_dmz_exposed_services from all backend_servers).
+traefik_dmz_exposed_services:
+ - name: signaling
+ domain: signaling.digitalboard.ch
+ port: 443
+ protocol: https
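Review bot: The header comment tells the operator to generate talk_session_blockkey with `openssl rand -hex 32`, which produces a 64-character string, whereas the nextcloud-spreed-signaling configuration requires blockkey to be exactly 16, 24 or 32 bytes (it is an AES key) and its own template suggests `openssl rand -hex 16` for it; the `-hex 32` advice is right for hashkey only. Unless the role decodes the hex before writing the server config (not visible here), the signaling server will refuse the key at startup, so the line should read `# playbooks/secrets/turn/talk_session_blockkey (mode 0600, openssl rand -hex 16)`. Also, talk_turn_servers and talk_janus_stun_server use the internal name stun.int.digitalboard.ch while talk_turn_realm is the public stun.digitalboard.ch; if that is deliberate because coturn_internal_realm only adds a certificate name, a short comment saying the realm must stay the public one would prevent a future "fix".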
diff --git a/inventories/demo-gymburgdorf/hosts.yml b/inventories/demo-gymburgdorf/hosts.yml index 648b2cf..ab58c4f 100644 --- a/inventories/demo-gymburgdorf/hosts.yml +++ b/inventories/demo-gymburgdorf/hosts.yml @@ -17,12 +17,31 @@ all: traefik_servers: children: - all_servers: + traefik_servers_dmz: + traefik_servers_backend: + # Public-facing DMZ reverse proxy (file provider mode) + traefik_servers_dmz: + hosts: + reverseproxy: + + # Hosts that run a local Traefik in docker-provider mode. + # The turn host runs one too, so the signaling stack's container labels + # get picked up. coturn sits next to it via host networking on alternate + # ports (3478/5349) and does not collide. + traefik_servers_backend: + hosts: + application: + turn: + + # backend_servers feeds the DMZ proxy's exposed-services aggregation. + # Including the turn host here lets it advertise signaling.digitalboard.ch + # via traefik_dmz_exposed_services. backend_servers: hosts: application: storage: + turn: garage_servers: hosts: @@ -46,4 +65,13 @@ all: authentik_servers: hosts: - application: \ No newline at end of file + application: + + # --- Talk: TURN + HPB collocated on the turn host --- + turn_servers: + hosts: + turn: + + talk_signaling_servers: + hosts: + turn: diff --git a/inventories/demo-mbazürich/hosts.yml b/inventories/demo-mbazürich/hosts.yml index 6185519..5de7d54 100644 --- a/inventories/demo-mbazürich/hosts.yml +++ b/inventories/demo-mbazürich/hosts.yml 
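Review bot: Replacing the `all_servers` child of traefik_servers with two explicit groups silently drops the storage host from Traefik: storage stays under backend_servers, which the new comment says feeds the DMZ proxy's exposed-services aggregation, but it is not listed under traefik_servers_backend, so it loses the local Traefik it presumably had via all_servers while the DMZ proxy can still be asked to route to it. If storage exposes nothing, a comment on backend_servers such as `# storage: no local Traefik; listed only so its vars are visible to the DMZ proxy` would settle the question; if it does expose something, it belongs in traefik_servers_backend too. The same applies to the hosts.yml hunks for demo-mbazürich and demo-phbern in this commit, where storage is additionally being added to backend_servers for the first time.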
@@ -17,11 +17,31 @@ all: traefik_servers: children: - all_servers: + traefik_servers_dmz: + traefik_servers_backend: + # Public-facing DMZ reverse proxy (file provider mode) + traefik_servers_dmz: + hosts: + reverseproxy: + + # Hosts that run a local Traefik in docker-provider mode. + # The turn host runs one too, so the signaling stack's container labels + # get picked up. coturn sits next to it via host networking on alternate + # ports (3478/5349) and does not collide. + traefik_servers_backend: + hosts: + application: + turn: + + # backend_servers feeds the DMZ proxy's exposed-services aggregation. + # Including the turn host here lets it advertise signaling.digitalboard.ch + # via traefik_dmz_exposed_services. backend_servers: hosts: application: + storage: + turn: garage_servers: hosts: @@ -45,4 +65,13 @@ all: authentik_servers: hosts: - application: \ No newline at end of file + application: + + # --- Talk: TURN + HPB collocated on the turn host --- + turn_servers: + hosts: + turn: + + talk_signaling_servers: + hosts: + turn: diff --git a/inventories/demo-phbern/hosts.yml b/inventories/demo-phbern/hosts.yml index 1dafcf5..72d1f6d 100644 --- a/inventories/demo-phbern/hosts.yml +++ b/inventories/demo-phbern/hosts.yml 
@@ -17,11 +17,31 @@ all: traefik_servers: children: - all_servers: + traefik_servers_dmz: + traefik_servers_backend: + # Public-facing DMZ reverse proxy (file provider mode) + traefik_servers_dmz: + hosts: + reverseproxy: + + # Hosts that run a local Traefik in docker-provider mode. + # The turn host runs one too, so the signaling stack's container labels + # get picked up. coturn sits next to it via host networking on alternate + # ports (3478/5349) and does not collide. + traefik_servers_backend: + hosts: + application: + turn: + + # backend_servers feeds the DMZ proxy's exposed-services aggregation. + # Including the turn host here lets it advertise signaling.digitalboard.ch + # via traefik_dmz_exposed_services. backend_servers: hosts: application: + storage: + turn: garage_servers: hosts: @@ -45,4 +65,13 @@ all: authentik_servers: hosts: - application: \ No newline at end of file + application: + + # --- Talk: TURN + HPB collocated on the turn host --- + turn_servers: + hosts: + turn: + + talk_signaling_servers: + hosts: + turn: diff --git a/playbooks/site.yml b/playbooks/site.yml index d46b5b7..bf4253d 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -88,3 +88,21 @@ become: yes roles: - digitalboard.core.opnform + +- name: Deploy coturn TURN/STUN service + hosts: turn_servers + become: yes + roles: + - digitalboard.core.coturn + +- name: Deploy Nextcloud Talk High Performance Backend + hosts: talk_signaling_servers + become: yes + roles: + - digitalboard.core.talk + +- name: Deploy BookStack service + hosts: bookstack_servers + become: true + roles: + - digitalboard.core.bookstack
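Review bot: In the playbooks/site.yml hunk the new BookStack play uses `become: true` while the two Talk plays added just above it, and the existing opnform play in context, use `become: yes`; yamllint's truthy rule flags `yes`, so the file should settle on one spelling, preferably `become: true` throughout. The BookStack play also targets bookstack_servers, a group none of the three inventories touched by this commit defines; Ansible only warns and skips an unmatched host pattern, so it is harmless, but it is unrelated to the Talk change and reads as if it belongs in its own commit.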