feat(talk/turn/signaling/hpb): add role for Talk with backend services

inventories/demo-gymburgdorf/host_vars/application/nextcloud_talk_snippet.yml

@@ -0,0 +1,29 @@
+# Append-only excerpt: add this to the existing nextcloud.yml on the application host.
+# Demo layout: TURN + HPB are collocated on the `turn` host, so both secrets
+# live under playbooks/secrets/turn/.
+
+nextcloud_enable_talk: true
+
+# HPB / signaling server registration
+# secret value must match talk_backend_secret deployed to the turn host
+nextcloud_talk_signaling_servers:
+  - server: "https://signaling.digitalboard.ch"
+    secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/talk_backend_secret') }}"
+    verify: true
+
+nextcloud_talk_signaling_servers_removed: []
+
+# TURN registration
+# secret value must match coturn_static_auth_secret deployed to the turn host.
+# Port 5349 matches coturn_tls_listening_port default; change to 443 if you
+# overrode coturn_tls_listening_port: 443 on the turn host.
+nextcloud_talk_turn_servers:
+  - schemes: "turn,turns"
+    server: "stun.digitalboard.ch:5349"
+    protocols: "udp,tcp"
+    secret: "{{ lookup('file', playbook_dir ~ '/secrets/turn/coturn_static_auth_secret') }}"
+
+# Optional: plain STUN entries
+nextcloud_talk_stun_servers:
+  - "stun.digitalboard.ch:3478"
+nextcloud_talk_stun_servers_removed: []

inventories/demo-gymburgdorf/host_vars/turn/coturn.yml

@@ -0,0 +1,29 @@
+# coturn host_vars (collocated layout: same host runs HPB)
+# Place secrets at:
+#   playbooks/secrets/turn/coturn_static_auth_secret   (mode 0600)
+#   playbooks/secrets/turn/nsupdate.key                 (mode 0600)
+
+coturn_realm: "stun.digitalboard.ch"
+coturn_internal_realm: "stun.int.digitalboard.ch"
+
+# Ports use IANA defaults (3478/5349) so the local backend Traefik can
+# keep using 443 for the signaling routes on the same host.
+# Override to 443/443 if this host is dedicated to TURN and you need
+# to punch through restrictive firewalls.
+# coturn_listening_port: 443
+# coturn_tls_listening_port: 443
+
+# Public IP that media is reached on. Format: PUBLIC[/PRIVATE]
+coturn_external_ip: "193.43.183.74/172.18.0.2"  # adjust per environment
+
+# Let's Encrypt via RFC2136 / nsupdate (acme.sh sidecar)
+coturn_cert_mode: "acme"
+coturn_acme_email: "admin@digitalboard.ch"
+coturn_acme_nsupdate_server: "ns1.digitalboard.ch"
+coturn_acme_nsupdate_server_ip: "172.16.9.169"
+coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch"
+coturn_acme_challenge_aliases:
+  - name: stun.digitalboard.ch
+    alias: stun.digitalboard._acme.digitalboard.ch
+  - name: stun.int.digitalboard.ch
+    alias: stun.int.digitalboard._acme.digitalboard.ch

inventories/demo-gymburgdorf/host_vars/turn/talk.yml

@@ -0,0 +1,23 @@
+# talk / HPB host_vars (collocated layout: same host runs coturn)
+# Place secrets at:
+#   playbooks/secrets/turn/talk_backend_secret    (mode 0600)
+#   playbooks/secrets/turn/talk_turn_secret       (mode 0600, == coturn_static_auth_secret)
+#   playbooks/secrets/turn/talk_session_hashkey   (mode 0600, openssl rand -hex 32)
+#   playbooks/secrets/turn/talk_session_blockkey  (mode 0600, openssl rand -hex 32)
+
+talk_domain: "signaling.digitalboard.ch"
+talk_internal_domain: "signaling.int.digitalboard.ch"
+
+talk_nextcloud_url: "https://cloud.digitalboard.ch"
+talk_nextcloud_extra_host_ip: "172.16.19.111"  # application backend IP
+
+# Janus media advertisement IP = the public IP of this (collocated) host
+talk_janus_public_ip: "193.43.183.74"           # same host as coturn
+
+# TURN config — matches coturn defaults on this host (3478/5349).
+# In a production deployment with coturn on 443, replace ports with :443.
+talk_turn_servers: "turns:stun.int.digitalboard.ch:5349?transport=tcp,turn:stun.int.digitalboard.ch:3478"
+talk_turn_realm: "stun.digitalboard.ch"
+
+talk_janus_stun_server: "stun.int.digitalboard.ch"
+talk_janus_stun_port: 5349

inventories/demo-gymburgdorf/host_vars/turn/traefik.yml

@@ -0,0 +1,13 @@
+# Local Traefik on the turn host (docker provider mode) picks up
+# container labels from the signaling stack. coturn lives next to it
+# via host networking on 3478/5349 — no port collision.
+traefik_mode: "backend"
+traefik_network: "proxy"
+
+# Tell the DMZ reverseproxy to expose this host for signaling.digitalboard.ch
+# (DMZ proxy aggregates traefik_dmz_exposed_services from all backend_servers).
+traefik_dmz_exposed_services:
+  - name: signaling
+    domain: signaling.digitalboard.ch
+    port: 443
+    protocol: https

inventories/demo-gymburgdorf/hosts.yml

@@ -17,12 +17,31 @@ all:
 
     traefik_servers:
       children:
-        all_servers:
+        traefik_servers_dmz:
+        traefik_servers_backend:
 
+    # Public-facing DMZ reverse proxy (file provider mode)
+    traefik_servers_dmz:
+      hosts:
+        reverseproxy:
+
+    # Hosts that run a local Traefik in docker-provider mode.
+    # The turn host runs one too, so the signaling stack's container labels
+    # get picked up. coturn sits next to it via host networking on alternate
+    # ports (3478/5349) and does not collide.
+    traefik_servers_backend:
+      hosts:
+        application:
+        turn:
+
+    # backend_servers feeds the DMZ proxy's exposed-services aggregation.
+    # Including the turn host here lets it advertise signaling.digitalboard.ch
+    # via traefik_dmz_exposed_services.
     backend_servers:
       hosts:
         application:
         storage:
+        turn:
 
     garage_servers:
       hosts:
@@ -47,3 +66,12 @@ all:
     authentik_servers:
       hosts:
         application:
+
+    # --- Talk: TURN + HPB collocated on the turn host ---
+    turn_servers:
+      hosts:
+        turn:
+
+    talk_signaling_servers:
+      hosts:
+        turn:

inventories/demo-mbazürich/hosts.yml

@@ -17,11 +17,31 @@ all:
 
     traefik_servers:
       children:
-        all_servers:
+        traefik_servers_dmz:
+        traefik_servers_backend:
 
+    # Public-facing DMZ reverse proxy (file provider mode)
+    traefik_servers_dmz:
+      hosts:
+        reverseproxy:
+
+    # Hosts that run a local Traefik in docker-provider mode.
+    # The turn host runs one too, so the signaling stack's container labels
+    # get picked up. coturn sits next to it via host networking on alternate
+    # ports (3478/5349) and does not collide.
+    traefik_servers_backend:
+      hosts:
+        application:
+        turn:
+
+    # backend_servers feeds the DMZ proxy's exposed-services aggregation.
+    # Including the turn host here lets it advertise signaling.digitalboard.ch
+    # via traefik_dmz_exposed_services.
     backend_servers:
       hosts:
         application:
+        storage:
+        turn:
 
     garage_servers:
       hosts:
@@ -46,3 +66,12 @@ all:
     authentik_servers:
       hosts:
         application:
+
+    # --- Talk: TURN + HPB collocated on the turn host ---
+    turn_servers:
+      hosts:
+        turn:
+
+    talk_signaling_servers:
+      hosts:
+        turn:

inventories/demo-phbern/hosts.yml

@@ -17,11 +17,31 @@ all:
 
     traefik_servers:
       children:
-        all_servers:
+        traefik_servers_dmz:
+        traefik_servers_backend:
 
+    # Public-facing DMZ reverse proxy (file provider mode)
+    traefik_servers_dmz:
+      hosts:
+        reverseproxy:
+
+    # Hosts that run a local Traefik in docker-provider mode.
+    # The turn host runs one too, so the signaling stack's container labels
+    # get picked up. coturn sits next to it via host networking on alternate
+    # ports (3478/5349) and does not collide.
+    traefik_servers_backend:
+      hosts:
+        application:
+        turn:
+
+    # backend_servers feeds the DMZ proxy's exposed-services aggregation.
+    # Including the turn host here lets it advertise signaling.digitalboard.ch
+    # via traefik_dmz_exposed_services.
     backend_servers:
       hosts:
         application:
+        storage:
+        turn:
 
     garage_servers:
       hosts:
@@ -46,3 +66,12 @@ all:
     authentik_servers:
       hosts:
         application:
+
+    # --- Talk: TURN + HPB collocated on the turn host ---
+    turn_servers:
+      hosts:
+        turn:
+
+    talk_signaling_servers:
+      hosts:
+        turn:

playbooks/site.yml

@@ -88,3 +88,21 @@
   become: yes
   roles:
     - digitalboard.core.opnform
+
+- name: Deploy coturn TURN/STUN service
+  hosts: turn_servers
+  become: yes
+  roles:
+    - digitalboard.core.coturn
+
+- name: Deploy Nextcloud Talk High Performance Backend
+  hosts: talk_signaling_servers
+  become: yes
+  roles:
+    - digitalboard.core.talk
+
+- name: Deploy BookStack service
+  hosts: bookstack_servers
+  become: true
+  roles:
+    - digitalboard.core.bookstack