Updates

nextcloud-aio/Containers/talk/Dockerfile

@@ -0,0 +1,110 @@
+# syntax=docker/dockerfile:latest
+FROM nats:2.12.0-scratch AS nats
+FROM eturnal/eturnal:1.12.2-alpine AS eturnal
+FROM strukturag/nextcloud-spreed-signaling:2.0.4 AS signaling
+FROM alpine:3.22.1 AS janus
+
+ARG JANUS_VERSION=v1.3.2
+WORKDIR /src
+RUN set -ex; \
+    apk upgrade --no-cache -a; \
+    apk add --no-cache \
+        ca-certificates \
+        git \
+        autoconf \
+        automake \
+        build-base \
+        pkgconfig \
+        libtool \
+        util-linux \
+        glib-dev \
+        zlib-dev \
+        openssl-dev \
+        jansson-dev \
+        libnice-dev \
+        libconfig-dev \
+        libsrtp-dev \
+        libusrsctp-dev \
+        gengetopt-dev \
+        libwebsockets-dev; \
+    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
+    /src/autogen.sh; \
+    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
+    make; \
+    make install; \
+    make configs; \
+    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
+
+FROM alpine:3.22.1
+ENV ETURNAL_ETC_DIR="/conf"
+ENV SKIP_CERT_VERIFY=false
+COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
+COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
+COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
+COPY --from=signaling --chmod=777 --chown=1000:1000 /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
+
+RUN set -ex; \
+    apk upgrade --no-cache -a; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        openssl \
+        supervisor \
+        bind-tools \
+        netcat-openbsd \
+        \
+        glib \
+        zlib \
+        libssl3 \
+        libcrypto3 \
+        jansson \
+        libnice \
+        libconfig \
+        libsrtp \
+        libusrsctp \
+        libwebsockets \
+        \
+        shadow \
+        grep; \
+    useradd --system -u 1000 eturnal; \
+    apk del --no-cache \
+        shadow; \
+    \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    \
+    touch \
+        /etc/nats.conf \
+        /etc/eturnal.yml; \
+    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
+    mkdir -p \
+        /var/tmp \
+        /conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord \
+        /usr/local/lib/janus/loggers; \
+    chown eturnal:eturnal -R \
+        /etc/nats.conf \
+        /var/log/supervisord \
+        /var/run/supervisord; \
+    chmod 777 -R \
+        /tmp \
+        /conf \
+        /var/run/supervisord \
+        /var/log/supervisord; \
+    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
+    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl
+
+USER 1000
+ENTRYPOINT ["/start.sh"]
+CMD ["supervisord", "-c", "/supervisord.conf"]
+
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false" \
+    org.label-schema.vendor="Nextcloud"

nextcloud-aio/Containers/talk/healthcheck.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 8081 || exit 1
+nc -z 127.0.0.1 8188 || exit 1
+nc -z 127.0.0.1 4222 || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || exit 1
+eturnalctl status || exit 1

nextcloud-aio/Containers/talk/server.conf.in

@@ -0,0 +1,342 @@
+[http]
+# IP and port to listen on for HTTP requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8080
+
+# HTTP socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTP socket write timeout in seconds.
+#writetimeout = 30
+
+[https]
+# IP and port to listen on for HTTPS requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8443
+
+# HTTPS socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTPS socket write timeout in seconds.
+#writetimeout = 30
+
+# Certificate / private key to use for the HTTPS server.
+certificate = /etc/nginx/ssl/server.crt
+key = /etc/nginx/ssl/server.key
+
+[app]
+# Set to "true" to install pprof debug handlers.
+# See "https://golang.org/pkg/net/http/pprof/" for further information.
+debug = false
+
+# Set to "true" to allow subscribing any streams. This is insecure and should
+# only be enabled for testing. By default only streams of users in the same
+# room and call can be subscribed.
+#allowsubscribeany = false
+
+# Comma separated list of trusted proxies (IPs or CIDR networks) that may set
+# the "X-Real-Ip" or "X-Forwarded-For" headers. If both are provided, the
+# "X-Real-Ip" header will take precedence (if valid).
+# Leave empty to allow loopback and local addresses.
+#trustedproxies =
+
+[sessions]
+# Secret value used to generate checksums of sessions. This should be a random
+# string of 32 or 64 bytes.
+hashkey = the-secret-for-session-checksums
+
+# Optional key for encrypting data in the sessions. Must be either 16, 24 or
+# 32 bytes.
+# If no key is specified, data will not be encrypted (not recommended).
+blockkey = -encryption-key-
+
+[clients]
+# Shared secret for connections from internal clients. This must be the same
+# value as configured in the respective internal services.
+internalsecret = the-shared-secret-for-internal-clients
+
+[federation]
+# If set to "true", certificate validation of federation targets will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# Timeout in seconds for requests to federation targets.
+#timeout = 10
+
+[backend]
+# Type of backend configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of backends is given in the "backends" option.
+# - etcd: Backends are retrieved from an etcd cluster.
+#backendtype = static
+
+# For backend type "static":
+# Comma-separated list of backend ids from which clients are allowed to connect
+# from. Each backend will have isolated rooms, i.e. clients connecting to room
+# "abc12345" on backend 1 will be in a different room than clients connected to
+# a room with the same name on backend 2. Also sessions connected from different
+# backends will not be able to communicate with each other.
+#backends = backend-id, another-backend
+
+# For backend type "etcd":
+# Key prefix of backend entries. All keys below will be watched and assumed to
+# contain a JSON document with the following entries:
+# - "urls": List of urls of the Nextcloud instance.
+# - "url": Url of the Nextcloud instance (deprecated).
+# - "secret": Shared secret for requests from and to the backend servers.
+#
+# Additional optional entries:
+# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
+# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
+# - "sessionlimit": Number of sessions that are allowed to connect.
+#
+# Example:
+# "/signaling/backend/one" -> {"urls": ["https://nextcloud.domain1.invalid"], ...}
+# "/signaling/backend/two" -> {"urls": ["https://domain2.invalid/nextcloud"], ...}
+#backendprefix = /signaling/backend
+
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used while running the benchmark client against the server.
+allowall = false
+
+# Common shared secret for requests from and to the backend servers. Used if
+# "allowall" is enabled or as fallback for individual backends that don't have
+# their own secret set.
+# This must be the same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret-for-allowall
+
+# Timeout in seconds for requests to the backend.
+timeout = 10
+
+# Maximum number of concurrent backend connections per host.
+connectionsperhost = 8
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For backendtype "static":
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# Comma-separated list of urls of the Nextcloud instance
+#urls = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Limit the number of sessions that are allowed to connect to this backend.
+# Omit or set to 0 to not limit the number of sessions.
+#sessionlimit = 10
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxscreenbitrate = 2097152
+
+#[another-backend]
+# Comma-separated list of urls of the Nextcloud instance
+#urls = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[nats]
+# Url of NATS backend to use. This can also be a list of URLs to connect to
+# multiple backends. For local development, this can be set to "nats://loopback"
+# to process NATS messages internally instead of sending them through an
+# external NATS backend.
+#url = nats://localhost:4222
+
+[mcu]
+# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
+# Leave empty to disable MCU functionality.
+#type =
+
+# For type "janus": the URL to the websocket endpoint of the MCU server.
+# For type "proxy": a space-separated list of proxy URLs to connect to.
+#url =
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to 1 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Default is 2 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxscreenbitrate = 2097152
+
+# List of IP addresses / subnets that are allowed to be used by clients in
+# candidates. The allowed list has preference over the blocked list below.
+#allowedcandidates = 10.0.0.0/8
+
+# List of IP addresses / subnets to filter from candidates received by clients.
+#blockedcandidates = 1.2.3.0/24
+
+# For type "proxy": timeout in seconds for requests to the proxy server.
+#proxytimeout = 2
+
+# For type "proxy": type of URL configuration for proxy servers.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A space-separated list of proxy URLs is given in the "url" option.
+# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
+#urltype = static
+
+# If set to "true", certificate validation of proxy servers will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For type "proxy": the id of the token to use when connecting to proxy servers.
+#token_id = server1
+
+# For type "proxy": the private key for the configured token id to use when
+# connecting to proxy servers.
+#token_key = privkey.pem
+
+# For url type "static": Enable DNS discovery on hostname of configured URL.
+# If the hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and proxy connections are created
+# or deleted as necessary.
+#dnsdiscovery = true
+
+# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
+# watched and assumed to contain a JSON document. The entry "address" from this
+# document will be used as proxy URL, other contents in the document will be
+# ignored.
+#
+# Example:
+# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
+# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
+#keyprefix = /signaling/proxy/server
+
+[turn]
+# API key that the MCU will need to send when requesting TURN credentials.
+#apikey = the-api-key-for-the-rest-service
+
+# The shared secret to use for generating TURN credentials. This must be the
+# same as on the TURN server.
+#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
+
+# A comma-separated list of TURN servers to use. Leave empty to disable the
+# TURN REST API.
+#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
+
+[geoip]
+# License key to use when downloading the MaxMind GeoIP database. You can
+# register an account at "https://www.maxmind.com/en/geolite2/signup" for
+# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
+# information.
+# You can also get a free GeoIP database from https://db-ip.com/ without
+# registration. Provide the URL below in this case.
+# Leave empty to disable GeoIP lookups.
+#license =
+
+# Optional URL to download a MaxMind GeoIP database from. Will be generated if
+# "license" is provided above. Can be a "file://" url if a local file should
+# be used. Please note that the database must provide a country field when
+# looking up IP addresses.
+#url =
+
+[geoip-overrides]
+# Optional overrides for GeoIP lookups. The key is an IP address / range, the
+# value the associated country code.
+#127.0.0.1 = DE
+#192.168.0.0/24 = DE
+
+[continent-overrides]
+# Optional overrides for continent mappings. The key is a continent code, the
+# value a comma-separated list of continent codes to map the continent to.
+# Use European servers for clients in Africa.
+#AF = EU
+# Use servers in North Africa for clients in South America.
+#SA = NA
+
+[stats]
+# Comma-separated list of IP addresses that are allowed to access the stats
+# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+#allowed_ips =
+
+[etcd]
+# Comma-separated list of static etcd endpoints to connect to.
+#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
+
+# Options to perform endpoint discovery through DNS SRV.
+# Only used if no endpoints are configured manually.
+#discoverysrv = example.com
+#discoveryservice = foo
+
+# Path to private key, client certificate and CA certificate if TLS
+# authentication should be used.
+#clientkey = /path/to/etcd-client.key
+#clientcert = /path/to/etcd-client.crt
+#cacert = /path/to/etcd-ca.crt
+
+[grpc]
+# IP and port to listen on for GRPC requests.
+# Comment line to disable the listener.
+#listen = 0.0.0.0:9090
+
+# Certificate / private key to use for the GRPC server.
+# Omit to use unencrypted connections.
+#servercertificate = /path/to/grpc-server.crt
+#serverkey = /path/to/grpc-server.key
+
+# CA certificate that is allowed to issue certificates of GRPC servers.
+# Omit to expect unencrypted connections.
+#serverca = /path/to/grpc-ca.crt
+
+# Certificate / private key to use for the GRPC client.
+# Omit if clients don't need to authenticate on the server.
+#clientcertificate = /path/to/grpc-client.crt
+#clientkey = /path/to/grpc-client.key
+
+# CA certificate that is allowed to issue certificates of GRPC clients.
+# Omit to allow any clients to connect.
+#clientca = /path/to/grpc-ca.crt
+
+# Type of GRPC target configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of targets is given in the "targets" option.
+# - etcd: Target URLs are retrieved from an etcd cluster.
+#targettype = static
+
+# For target type "static": Comma-separated list of GRPC targets to connect to
+# for clustering mode.
+#targets = 192.168.0.1:9090, 192.168.0.2:9090
+
+# For target type "static": Enable DNS discovery on hostnames of GRPC target.
+# If a hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and GRPC clients are created or
+# deleted as necessary.
+#dnsdiscovery = true
+
+# For target type "etcd": Key prefix of GRPC target entries. All keys below will
+# be watched and assumed to contain a JSON document. The entry "address" from
+# this document will be used as target URL, other contents in the document will
+# be ignored.
+#
+# Example:
+# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
+# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
+#targetprefix = /signaling/cluster/grpc

nextcloud-aio/Containers/talk/start.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Variables
+if [ -z "$NC_DOMAIN" ]; then
+    echo "You need to provide the NC_DOMAIN."
+    exit 1
+elif [ -z "$TALK_PORT" ]; then
+    echo "You need to provide the TALK_PORT."
+    exit 1
+elif [ -z "$TURN_SECRET" ]; then
+    echo "You need to provide the TURN_SECRET."
+    exit 1
+elif [ -z "$SIGNALING_SECRET" ]; then
+    echo "You need to provide the SIGNALING_SECRET."
+    exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+    echo "You need to provide the INTERNAL_SECRET."
+    exit 1
+fi
+
+set -x
+IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
+# shellcheck disable=SC2153
+IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+# shellcheck disable=SC2153
+IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+set +x
+
+if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
+    IPv4_ADDRESS_TALK=""
+fi
+
+set -x
+IP_BINDING="::"
+if grep -q "1" /sys/module/ipv6/parameters/disable \
+|| grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
+|| grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
+    IP_BINDING="0.0.0.0"
+fi
+set +x
+
+# Turn
+cat << TURN_CONF > "/conf/eturnal.yml"
+eturnal:
+  listen:
+    - ip: "$IP_BINDING"
+      port: $TALK_PORT
+      transport: udp
+    - ip: "$IP_BINDING"
+      port: $TALK_PORT
+      transport: tcp
+  log_dir: stdout
+  log_level: warning
+  secret: "$TURN_SECRET"
+  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
+  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
+  blacklist_peers:
+  - recommended
+  whitelist_peers:
+  - 127.0.0.1
+  - ::1
+  - "$IPv4_ADDRESS_TALK_RELAY"
+  - "$IPv4_ADDRESS_TALK"
+  - "$IPv6_ADDRESS_TALK"
+TURN_CONF
+
+# Remove empty lines so that the config is not invalid
+sed -i '/""/d' /conf/eturnal.yml
+
+if [ -z "$TALK_MAX_STREAM_BITRATE" ]; then
+    TALK_MAX_STREAM_BITRATE=1048576
+fi
+
+if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
+    TALK_MAX_SCREEN_BITRATE=2097152
+fi
+
+# Signling
+cat << SIGNALING_CONF > "/conf/signaling.conf"
+[http]
+listen = 0.0.0.0:8081
+
+[app]
+debug = false
+
+[sessions]
+hashkey = $(openssl rand -hex 16)
+blockkey = $(openssl rand -hex 16)
+
+[clients]
+internalsecret = ${INTERNAL_SECRET}
+
+[backend]
+backends = backend-1
+allowall = false
+timeout = 10
+connectionsperhost = 8
+skipverify = ${SKIP_CERT_VERIFY}
+
+[backend-1]
+urls = https://${NC_DOMAIN}
+secret = ${SIGNALING_SECRET}
+maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
+maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
+
+[nats]
+url = nats://127.0.0.1:4222
+
+[mcu]
+type = janus
+url = ws://127.0.0.1:8188
+maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
+maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
+SIGNALING_CONF
+
+exec "$@"

nextcloud-aio/Containers/talk/supervisord.conf

@@ -0,0 +1,37 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           
+logfile_backups=10                              
+loglevel=error
+
+[program:eturnal]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=eturnalctl foreground
+
+[program:nats-server]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=nats-server -c /etc/nats.conf
+
+[program:janus]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+# debug-level 3 means warning
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+
+[program:signaling]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=nextcloud-spreed-signaling -config /conf/signaling.conf