From dc28ebd3496dca63890d8d363f8c170a02066ae8 Mon Sep 17 00:00:00 2001
From: Apfelwurm <Alexander@volzit.de>
Date: Sat, 6 Dec 2025 02:10:10 +0100
Subject: [PATCH] Implement NC Talk High Performance Backend

---
 .env.sample             |  8 +++++
 README.md               | 36 ++++++++++++++++++---
 abra.sh                 | 10 ++++++
 compose.talk.yml        | 70 +++++++++++++++++++++++++++++++++++++++++
 entrypoint.talk.sh.tmpl | 30 ++++++++++++++++++
 5 files changed, 150 insertions(+), 4 deletions(-)
 create mode 100644 compose.talk.yml
 create mode 100644 entrypoint.talk.sh.tmpl

diff --git a/.env.sample b/.env.sample
index bc5db7e..f7025a0 100644
--- a/.env.sample
+++ b/.env.sample
@@ -15,6 +15,7 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #MAX_DB_CONNECTIONS=500
 
 ADMIN_USER=admin
+TZ=Etc/UTC
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
@@ -86,6 +87,13 @@ DEFAULT_QUOTA="10 GB"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
 
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+
+
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
 #HSTS_ENABLED=1
diff --git a/README.md b/README.md
index e9b9877..bece002 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ Fully automated luxury Nextcloud via docker-swarm.
 ### Onlyoffice Integration
 
 `abra app config <app-name>` 
+
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -33,12 +34,13 @@ ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
-`abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
-`abra app cmd <app-name> app install_onlyoffice`
+* `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
+* `abra app cmd <app-name> app install_onlyoffice`
 
 ### BBB Integration
 
 `abra app config <app-name>` 
+
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -46,8 +48,34 @@ BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 SECRET_BBB_SECRET_VERSION=v1
 ```
 
-`abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
-`abra app cmd <app-name> app install_bbb`
+* `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
+* `abra app cmd <app-name> app install_bbb`
+
+### Nextcloud Talk High performance Backend
+
+Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
+
+`abra app config <app-name>` 
+
+Configure the following envs:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+```
+
+* `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
+* `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
+* `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
+* `abra app cmd <app-name> app install_talk`
+
+Don't forget to enable the additional env's in your hosts traefik instance:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
+NEXTCLOUD_TALK_HPB_ENABLED=1
+```
 
 ### Authentik Integration
 
diff --git a/abra.sh b/abra.sh
index 8937200..f4b12f2 100644
--- a/abra.sh
+++ b/abra.sh
@@ -5,6 +5,7 @@ export NGINX_CONF_VERSION=v8
 export MY_CNF_VERSION=v6
 export ENTRYPOINT_VERSION=v3
 export ENTRYPOINT_WHITEBOARD_VERSION=v1
+export ENTRYPOINT_TALK_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2
 
@@ -97,6 +98,15 @@ install_whiteboard() {
 }
 
 
+install_talk() {
+    install_apps spreed
+    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
+    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
+
+}
+
 install_fulltextsearch() {
     install_apps fulltextsearch
     install_apps fulltextsearch_elasticsearch
diff --git a/compose.talk.yml b/compose.talk.yml
new file mode 100644
index 0000000..b724286
--- /dev/null
+++ b/compose.talk.yml
@@ -0,0 +1,70 @@
+version: "3.8"
+
+services:
+  talk:
+    image: "nextcloud/aio-talk:20251128_084214"
+    environment:
+      - NC_DOMAIN=${DOMAIN}
+      - TALK_HOST=${TALK_DOMAIN}
+      - TZ
+      - TALK_PORT=3478
+      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
+      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
+      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
+        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
+        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
+        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
+        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
+    networks:
+      - proxy
+    configs:
+      - source: entrypoint_talk
+        target: /custom-entrypoint.sh
+        mode: 775
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - source: talk_internal_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_turn_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_signaling_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+
+  app:
+    secrets:
+      - talk_turn_secret
+      - talk_signaling_secret
+
+secrets:
+  talk_internal_secret:
+    external: true
+    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
+  talk_turn_secret:
+    external: true
+    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
+  talk_signaling_secret:
+    external: true
+    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
+
+configs:
+  entrypoint_talk:
+    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
+    file: entrypoint.talk.sh.tmpl
+    template_driver: golang
\ No newline at end of file
diff --git a/entrypoint.talk.sh.tmpl b/entrypoint.talk.sh.tmpl
new file mode 100644
index 0000000..1e49e07
--- /dev/null
+++ b/entrypoint.talk.sh.tmpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "INTERNAL_SECRET"
+file_env "TURN_SECRET"
+file_env "SIGNALING_SECRET"
+
+/start.sh supervisord -c /supervisord.conf
\ No newline at end of file