Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions

feat(talk/turn/signaling/hpb): add role for Talk with backend services

Browse source
This commit is contained in:
Tobias Wüst 2026-05-22 01:07:39 +02:00
parent 1ddd5d9eb9
commit 6ebd5dc9ab
8 changed files with 204 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

29
inventories/demo-gymburgdorf/host_vars/application/nextcloud_talk_snippet.yml Normal file
View file

@ -0,0 +1,29 @@
# Append-only excerpt: add this to the existing nextcloud.yml on the application host.
# Demo layout: TURN + HPB are collocated on the `turn` host, so both secrets
# live under playbooks/secrets/turn/.
nextcloud_enable_talk: true
# HPB / signaling server registration
# secret value must match talk_backend_secret deployed to the turn host
nextcloud_talk_signaling_servers:
- server: "https://signaling.digitalboard.ch"
secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/talk_backend_secret') }}"
verify: true
nextcloud_talk_signaling_servers_removed: []
# TURN registration
# secret value must match coturn_static_auth_secret deployed to the turn host.
# Port 5349 matches coturn_tls_listening_port default; change to 443 if you
# overrode coturn_tls_listening_port: 443 on the turn host.
nextcloud_talk_turn_servers:
- schemes: "turn,turns"
server: "stun.digitalboard.ch:5349"
protocols: "udp,tcp"
secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/coturn_static_auth_secret') }}"
# Optional: plain STUN entries
nextcloud_talk_stun_servers:
- "stun.digitalboard.ch:3478"
nextcloud_talk_stun_servers_removed: []

29
inventories/demo-gymburgdorf/host_vars/turn/coturn.yml Normal file
View file

@ -0,0 +1,29 @@
# coturn host_vars (collocated layout: same host runs HPB)
# Place secrets at:
# playbooks/secrets/turn/coturn_static_auth_secret (mode 0600)
# playbooks/secrets/turn/nsupdate.key (mode 0600)
coturn_realm: "stun.digitalboard.ch"
coturn_internal_realm: "stun.int.digitalboard.ch"
# Ports use IANA defaults (3478/5349) so the local backend Traefik can
# keep using 443 for the signaling routes on the same host.
# Override to 443/443 if this host is dedicated to TURN and you need
# to punch through restrictive firewalls.
# coturn_listening_port: 443
# coturn_tls_listening_port: 443
# Public IP that media is reached on. Format: PUBLIC[/PRIVATE]
coturn_external_ip: "193.43.183.74/172.18.0.2" # adjust per environment
# Let's Encrypt via RFC2136 / nsupdate (acme.sh sidecar)
coturn_cert_mode: "acme"
coturn_acme_email: "admin@digitalboard.ch"
coturn_acme_nsupdate_server: "ns1.digitalboard.ch"
coturn_acme_nsupdate_server_ip: "172.16.9.169"
coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch"
coturn_acme_challenge_aliases:
- name: stun.digitalboard.ch
alias: stun.digitalboard._acme.digitalboard.ch
- name: stun.int.digitalboard.ch
alias: stun.int.digitalboard._acme.digitalboard.ch

23
inventories/demo-gymburgdorf/host_vars/turn/talk.yml Normal file
View file

@ -0,0 +1,23 @@
# talk / HPB host_vars (collocated layout: same host runs coturn)
# Place secrets at:
# playbooks/secrets/turn/talk_backend_secret (mode 0600)
# playbooks/secrets/turn/talk_turn_secret (mode 0600, == coturn_static_auth_secret)
# playbooks/secrets/turn/talk_session_hashkey (mode 0600, openssl rand -hex 32)
# playbooks/secrets/turn/talk_session_blockkey (mode 0600, openssl rand -hex 32)
talk_domain: "signaling.digitalboard.ch"
talk_internal_domain: "signaling.int.digitalboard.ch"
talk_nextcloud_url: "https://cloud.digitalboard.ch"
talk_nextcloud_extra_host_ip: "172.16.19.111" # application backend IP
# Janus media advertisement IP = the public IP of this (collocated) host
talk_janus_public_ip: "193.43.183.74" # same host as coturn
# TURN config — matches coturn defaults on this host (3478/5349).
# In a production deployment with coturn on 443, replace ports with :443.
talk_turn_servers: "turns:stun.int.digitalboard.ch:5349?transport=tcp,turn:stun.int.digitalboard.ch:3478"
talk_turn_realm: "stun.digitalboard.ch"
talk_janus_stun_server: "stun.int.digitalboard.ch"
talk_janus_stun_port: 5349

13
inventories/demo-gymburgdorf/host_vars/turn/traefik.yml Normal file
View file

@ -0,0 +1,13 @@
# Local Traefik on the turn host (docker provider mode) picks up
# container labels from the signaling stack. coturn lives next to it
# via host networking on 3478/5349 — no port collision.
traefik_mode: "backend"
traefik_network: "proxy"
# Tell the DMZ reverseproxy to expose this host for signaling.digitalboard.ch
# (DMZ proxy aggregates traefik_dmz_exposed_services from all backend_servers).
traefik_dmz_exposed_services:
- name: signaling
domain: signaling.digitalboard.ch
port: 443
protocol: https

30
inventories/demo-gymburgdorf/hosts.yml
View file

@ -17,12 +17,31 @@ all:
traefik_servers:
children:
all_servers:
traefik_servers_dmz:
traefik_servers_backend:
# Public-facing DMZ reverse proxy (file provider mode)
traefik_servers_dmz:
hosts:
reverseproxy:
# Hosts that run a local Traefik in docker-provider mode.
# The turn host runs one too, so the signaling stack's container labels
# get picked up. coturn sits next to it via host networking on alternate
# ports (3478/5349) and does not collide.
traefik_servers_backend:
hosts:
application:
turn:
# backend_servers feeds the DMZ proxy's exposed-services aggregation.
# Including the turn host here lets it advertise signaling.digitalboard.ch
# via traefik_dmz_exposed_services.
backend_servers:
hosts:
application:
storage:
turn:
garage_servers:
hosts:
@ -47,3 +66,12 @@ all:
authentik_servers:
hosts:
application:
# --- Talk: TURN + HPB collocated on the turn host ---
turn_servers:
hosts:
turn:
talk_signaling_servers:
hosts:
turn:

31
inventories/demo-mbazürich/hosts.yml
View file

@ -17,11 +17,31 @@ all:
traefik_servers:
children:
all_servers:
traefik_servers_dmz:
traefik_servers_backend:
# Public-facing DMZ reverse proxy (file provider mode)
traefik_servers_dmz:
hosts:
reverseproxy:
# Hosts that run a local Traefik in docker-provider mode.
# The turn host runs one too, so the signaling stack's container labels
# get picked up. coturn sits next to it via host networking on alternate
# ports (3478/5349) and does not collide.
traefik_servers_backend:
hosts:
application:
turn:
# backend_servers feeds the DMZ proxy's exposed-services aggregation.
# Including the turn host here lets it advertise signaling.digitalboard.ch
# via traefik_dmz_exposed_services.
backend_servers:
hosts:
application:
storage:
turn:
garage_servers:
hosts:
@ -46,3 +66,12 @@ all:
authentik_servers:
hosts:
application:
# --- Talk: TURN + HPB collocated on the turn host ---
turn_servers:
hosts:
turn:
talk_signaling_servers:
hosts:
turn:

31
inventories/demo-phbern/hosts.yml
View file

@ -17,11 +17,31 @@ all:
traefik_servers:
children:
all_servers:
traefik_servers_dmz:
traefik_servers_backend:
# Public-facing DMZ reverse proxy (file provider mode)
traefik_servers_dmz:
hosts:
reverseproxy:
# Hosts that run a local Traefik in docker-provider mode.
# The turn host runs one too, so the signaling stack's container labels
# get picked up. coturn sits next to it via host networking on alternate
# ports (3478/5349) and does not collide.
traefik_servers_backend:
hosts:
application:
turn:
# backend_servers feeds the DMZ proxy's exposed-services aggregation.
# Including the turn host here lets it advertise signaling.digitalboard.ch
# via traefik_dmz_exposed_services.
backend_servers:
hosts:
application:
storage:
turn:
garage_servers:
hosts:
@ -46,3 +66,12 @@ all:
authentik_servers:
hosts:
application:
# --- Talk: TURN + HPB collocated on the turn host ---
turn_servers:
hosts:
turn:
talk_signaling_servers:
hosts:
turn:

18
playbooks/site.yml
View file

@ -88,3 +88,21 @@
become: yes
roles:
- digitalboard.core.opnform
- name: Deploy coturn TURN/STUN service
hosts: turn_servers
become: yes
roles:
- digitalboard.core.coturn
- name: Deploy Nextcloud Talk High Performance Backend
hosts: talk_signaling_servers
become: yes
roles:
- digitalboard.core.talk
- name: Deploy BookStack service
hosts: bookstack_servers
become: true
roles:
- digitalboard.core.bookstack