From cb1fbb5899066895a4a1750d696dcf70193d0243 Mon Sep 17 00:00:00 2001 From: Apfelwurm Date: Wed, 5 Nov 2025 03:26:32 +0100 Subject: [PATCH] begin Talk HPB implementation --- .env.sample | 8 ++++++ abra.sh | 9 ++++++ compose.talk.yml | 64 +++++++++++++++++++++++++++++++++++++++++ entrypoint.talk.sh.tmpl | 30 +++++++++++++++++++ 4 files changed, 111 insertions(+) create mode 100644 compose.talk.yml create mode 100644 entrypoint.talk.sh.tmpl diff --git a/.env.sample b/.env.sample index bc5db7e..f7025a0 100644 --- a/.env.sample +++ b/.env.sample @@ -15,6 +15,7 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml" #MAX_DB_CONNECTIONS=500 ADMIN_USER=admin +TZ=Etc/UTC SECRET_DB_ROOT_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1 @@ -86,6 +87,13 @@ DEFAULT_QUOTA="10 GB" #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml" #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1 +#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml" +#TALK_DOMAIN=talk.example.com +#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default +#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default +#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default + + # HSTS Options # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html #HSTS_ENABLED=1 diff --git a/abra.sh b/abra.sh index 8937200..d5e22c2 100644 --- a/abra.sh +++ b/abra.sh @@ -5,6 +5,7 @@ export NGINX_CONF_VERSION=v8 export MY_CNF_VERSION=v6 export ENTRYPOINT_VERSION=v3 export ENTRYPOINT_WHITEBOARD_VERSION=v1 +export ENTRYPOINT_TALK_VERSION=v1 export CRONTAB_VERSION=v1 export PG_BACKUP_VERSION=v2 
@@ -96,6 +97,14 @@ install_whiteboard() { set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)" } +install_talk() { + install_apps spreed + run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'" + run_occ "talk:stun:add '${TALK_DOMAIN}:3478'" + run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp" + +} + install_fulltextsearch() { install_apps fulltextsearch diff --git a/compose.talk.yml b/compose.talk.yml new file mode 100644 index 0000000..cf0a91b --- /dev/null +++ b/compose.talk.yml 
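Review bot: Both Talk secrets are expanded into the occ command line in install_talk (`talk:signaling:add ... '$(cat /run/secrets/talk_signaling_secret)'` and `talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)'`), so they sit in the argument list of the occ process and in anything that records the string passed to run_occ. run_occ is defined outside this hunk, so whether it echoes or logs its argument needs checking. The single-quoted interpolation also breaks if a secret or TALK_DOMAIN ever contains a `'`; the `charset=default` generation presumably avoids that, but nothing here enforces it. The three `add` calls are unguarded, so a second run of install_talk would likely register duplicate signaling, STUN and TURN entries; a comment such as `# not idempotent: remove existing talk:signaling/stun/turn entries before re-running` would at least document that.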
@@ -0,0 +1,64 @@
+version: "3.8"
+
+services:
+ talk:
+ image: "nextcloud/aio-talk:20251031_122139"
+ environment:
+ - NC_DOMAIN=${DOMAIN}
+ - TALK_HOST=${TALK_DOMAIN}
+ - TZ
+ - TALK_PORT=3478
+ - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret
+ - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
+ - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=proxy
+ - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
+ - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
+ - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
+ - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
+
+ networks:
+ - proxy
+ configs:
+ - source: entrypoint_talk
+ target: /custom-entrypoint.sh
+ mode: 775
+ entrypoint: /custom-entrypoint.sh
+ secrets:
+ - source: talk_internal_secret
+ uid: "1000"
+ gid: "122"
+ mode: 0600
+ - source: talk_turn_secret
+ uid: "1000"
+ gid: "122"
+ mode: 0600
+ - source: talk_signaling_secret
+ uid: "1000"
+ gid: "122"
+ mode: 0600
+
+ app:
+ secrets:
+ - talk_turn_secret
+ - talk_signaling_secret
+
+secrets:
+ talk_internal_secret:
+ external: true
+ name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
+ talk_turn_secret:
+ external: true
+ name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
+ talk_signaling_secret:
+ external: true
+ name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
+
+configs:
+ entrypoint_talk:
+ name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
+ file: entrypoint.talk.sh.tmpl
+ template_driver: golang
\ No newline at end of file
diff --git a/entrypoint.talk.sh.tmpl b/entrypoint.talk.sh.tmpl
new file mode 100644
index 0000000..1e49e07
--- /dev/null
+++ b/entrypoint.talk.sh.tmpl
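Review bot: `mode: 775` on the entrypoint_talk config has no leading zero, so it is presumably read as decimal 775, which is octal 1407 (sticky bit, world-writable, no execute bit for the owner) rather than rwxrwxr-x. The secrets just below use the octal form `0600`. An entrypoint script needs no write bit at all, so `mode: 0555` would be the safer value. Separately, nothing in the talk service publishes port 3478 and Traefik only routes HTTP to 8081, while install_talk in abra.sh registers `${TALK_DOMAIN}:3478` as the STUN and TURN endpoint, so that listener is presumably unreachable from clients until a `ports:` entry is added.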
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "INTERNAL_SECRET"
+file_env "TURN_SECRET"
+file_env "SIGNALING_SECRET"
+
+/start.sh supervisord -c /supervisord.conf
\ No newline at end of file
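Review bot: The last line runs `/start.sh` as a child of this bash process, so bash stays PID 1 and the SIGTERM sent on container stop is not passed on to supervisord; `exec /start.sh supervisord -c /supervisord.conf` hands the process over instead. file_env also exports an empty string when neither the variable nor its `_FILE` counterpart is set, or when the secret file is empty, so a misconfigured secret reaches start.sh as an empty INTERNAL_SECRET, TURN_SECRET or SIGNALING_SECRET. How start.sh treats an empty value is not visible here, so a guard after the three calls, for example `: "${TURN_SECRET:?TURN_SECRET is empty}"` and the same for the other two, would fail early rather than start with a blank shared secret. A short header comment on file_env saying that it resolves `VAR` from `VAR_FILE` and then unsets the `_FILE` variable would help the next reader.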