Git initial commit

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# cloud-nextcloud-signaling
+
+Ansible role to provide an high-performance signaling server for nextcloud.

defaults/main.yml

@@ -0,0 +1,30 @@
+---
+cloud_apps: /opt
+cloud_storage: /opt/storage
+cloud_stage: prod
+cloud_update: false
+
+ncloud_coturn_pass: SomeRandomString
+ncloud_coturn_port: 5349
+ncloud_domain:
+  - my_domain.tld
+
+signaling_janus_deb_target: "http://ftp.de.debian.org/debian/pool/main/j/janus/janus_1.0.0-4~bpo11+1_amd64.deb"
+
+signaling_janus_api_key: MyVeryCoolApiKeyInBase64
+signaling_hash_key: VeryCoolHashKeyForSignaling
+signaling_block_key: VeryCoolBlockKeyForSignaling
+signaling_ncloud_secret_key: VerySecretKeyForNextCloud
+
+signaling_listen_host: 127.0.0.1
+signaling_listen_port: 8080
+signaling_backend_name: cloudbackend
+
+signaling_janus_host: "{{ signaling_listen_host }}"
+signaling_janus_port: 8188
+
+signaling_janus_configs:
+  - 'stun_server = "{{ ncloud_domain[0] }}"'
+  - 'stun_port = {{ ncloud_coturn_port }}'
+  - 'full_trickle = true'
+  - 'turn_rest_api_key = "{{ signaling_janus_api_key }}"'

handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart janus
+  systemd:
+    name: janus
+    state: restarted
+
+- name: restart signaling
+  systemd:
+    name: signaling
+    state: restarted
+    daemon_reload: yes    

meta/main.yml

@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  role_name: signaling
+  namespace: hahn-cloud
+  author: Lars Hahn
+  company: OpenDevChain
+  license: MIT
+  description: Role to setup a Signaling Server for NextCloud
+  min_ansible_version: 2.7
+  platforms:
+    - name: Debian
+      versions:
+        - 11
+  galaxy_tags:
+    - signaling
+dependencies:
+  - docker

tasks/janus.yml

@@ -0,0 +1,31 @@
+---
+- name: install janus from deb file
+  apt:
+    deb: "{{ signaling_janus_deb_target }}"
+    state: "{% if cloud_update | bool %}latest{% else %}present{% endif %}"
+    install_recommends: yes
+
+- name: configure janus server
+  lineinfile:
+    path: "/etc/janus/janus.jcfg"
+    regexp: '^\s*#?{{ configline.split("=")[0] }}{% if configline.split("=") | length > 1 %}={% endif %}'
+    line: "        {{ configline }}"
+  loop: "{{ signaling_janus_configs }}"
+  loop_control:
+    loop_var: configline
+    label: '{{ configline.split("=")[0] }}'
+  notify: restart janus
+
+- name: configure janus network
+  lineinfile:
+    path: "/etc/janus/janus.transport.http.jcfg"
+    regexp: '^\s*#?interface ='
+    line: '        interface = "lo"'
+  notify: restart janus
+
+- name: configure janus network
+  lineinfile:
+    path: "/etc/janus/janus.transport.websockets.jcfg"
+    regexp: '^\s*#?ws_interface ='
+    line: '        ws_interface = "lo"'
+  notify: restart janus

tasks/main.yml

@@ -0,0 +1,63 @@
+---
+- name: setup signaling group
+  group:
+    name: "{{ sggrp }}"
+    state: "present"
+
+- name: setup signaling user
+  user:
+    name: "{{ sgusr }}"
+    group: "{{ sggrp }}"
+    groups:
+      - "{{ sggrp }}"
+    comment: Virtual Signaling User
+    shell: /sbin/nologin
+    state: present
+
+- name: install requirements for signaling
+  apt:
+    update_cache: yes
+    state: "{% if cloud_update | bool %}latest{% else %}present{% endif %}"
+    install_recommends: yes
+    pkg:
+      - make
+      - golang-go
+      - libsrtp2-1
+
+- name: clone signaling server
+  git:
+    repo: https://github.com/strukturag/nextcloud-spreed-signaling.git
+    dest: "{{ cloud_apps }}/signaling-server"
+  notify: restart signaling
+  register: clone_signaling
+
+- name: build signaling server
+  make:
+    chdir: "{{ cloud_apps }}/signaling-server"
+    target: build
+  when: clone_signaling.changed
+
+- name: configure signaling server
+  template:
+    src: "app/signaling-server/server.conf.j2"
+    dest: "{{ cloud_apps }}/signaling-server/server.conf"
+    owner: "{{ sgusr }}"
+    group: "{{ sggrp }}"
+    mode: "o="
+  notify: restart signaling
+
+- include_tasks: janus.yml
+
+- include_tasks: nats.yml
+
+- name: setup signaling systemd service unit
+  template:
+    src: "etc/systemd/system/signaling.service.j2"
+    dest: "/etc/systemd/system/signaling.service"
+
+- name: enable signaling systemd unit
+  systemd:
+    name: signaling
+    enabled: yes
+    daemon_reload: yes
+    state: started

tasks/nats.yml

@@ -0,0 +1,14 @@
+---
+- name: pull nats docker image
+  docker_image:
+    name: "nats:latest"
+    source: pull
+
+- name: run docker container
+  docker_container:
+    name: NATSSERVER
+    image: "nats:latest"
+    state: started
+    ports:
+      - 4222:4222
+    restart_policy: always

templates/app/signaling-server/server.conf.j2

@@ -0,0 +1,227 @@
+[http]
+# IP and port to listen on for HTTP requests.
+# Comment line to disable the listener.
+listen = {{ signaling_listen_host }}:{{ signaling_listen_port }}
+
+# HTTP socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTP socket write timeout in seconds.
+#writetimeout = 15
+
+#[https]
+# IP and port to listen on for HTTPS requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8443
+
+# HTTPS socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTPS socket write timeout in seconds.
+#writetimeout = 15
+
+# Certificate / private key to use for the HTTPS server.
+#certificate = /etc/nginx/ssl/server.crt
+#key = /etc/nginx/ssl/server.key
+
+[app]
+# Set to "true" to install pprof debug handlers.
+# See "https://golang.org/pkg/net/http/pprof/" for further information.
+debug = false
+
+# Set to "true" to allow subscribing any streams. This is insecure and should
+# only be enabled for testing. By default only streams of users in the same
+# room and call can be subscribed.
+#allowsubscribeany = false
+
+[sessions]
+# Secret value used to generate checksums of sessions. This should be a random
+# string of 32 or 64 bytes.
+hashkey = {{ signaling_hash_key }}
+
+# Optional key for encrypting data in the sessions. Must be either 16, 24 or
+# 32 bytes.
+# If no key is specified, data will not be encrypted (not recommended).
+blockkey = {{ signaling_block_key }}
+
+[clients]
+# Shared secret for connections from internal clients. This must be the same
+# value as configured in the respective internal services.
+internalsecret = the-shared-secret-for-internal-clients
+
+[backend]
+# Comma-separated list of backend ids from which clients are allowed to connect
+# from. Each backend will have isolated rooms, i.e. clients connecting to room
+# "abc12345" on backend 1 will be in a different room than clients connected to
+# a room with the same name on backend 2. Also sessions connected from different
+# backends will not be able to communicate with each other.
+backends = {{ signaling_backend_name }}
+
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used while running the benchmark client against the server.
+allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Timeout in seconds for requests to the backend.
+timeout = 10
+
+# Maximum number of concurrent backend connections per host.
+connectionsperhost = 8
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+[{{ signaling_backend_name }}]
+# URL of the Nextcloud instance
+url = https://{{ ncloud_domain[0] }}
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+secret = {{ signaling_ncloud_secret_key }}
+
+# Limit the number of sessions that are allowed to connect to this backend.
+# Omit or set to 0 to not limit the number of sessions.
+#sessionlimit = 10
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxscreenbitrate = 2097152
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[nats]
+# Url of NATS backend to use. This can also be a list of URLs to connect to
+# multiple backends. For local development, this can be set to ":loopback:"
+# to process NATS messages internally instead of sending them through an
+# external NATS backend.
+#url = nats://localhost:4222
+
+[mcu]
+# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
+# Leave empty to disable MCU functionality.
+type = janus
+# For type "janus": the URL to the websocket endpoint of the MCU server.
+# For type "proxy": a space-separated list of proxy URLs to connect to.
+url = ws://{{ signaling_janus_host }}:{{ signaling_janus_port }}
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to 1 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Default is 2 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxscreenbitrate = 2097152
+
+# For type "proxy": timeout in seconds for requests to the proxy server.
+#proxytimeout = 2
+
+# For type "proxy": type of URL configuration for proxy servers.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A space-separated list of proxy URLs is given in the "url" option.
+# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
+#urltype = static
+
+# If set to "true", certificate validation of proxy servers will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For type "proxy": the id of the token to use when connecting to proxy servers.
+#token_id = server1
+
+# For type "proxy": the private key for the configured token id to use when
+# connecting to proxy servers.
+#token_key = privkey.pem
+
+# For url type "etcd": Comma-separated list of static etcd endpoints to
+# connect to.
+#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
+
+# For url type "etcd": Options to perform endpoint discovery through DNS SRV.
+# Only used if no endpoints are configured manually.
+#discoverysrv = example.com
+#discoveryservice = foo
+
+# For url type "etcd": Path to private key, client certificate and CA
+# certificate if TLS authentication should be used.
+#clientkey = /path/to/etcd-client.key
+#clientcert = /path/to/etcd-client.crt
+#cacert = /path/to/etcd-ca.crt
+
+# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
+# watched and assumed to contain a JSON document. The entry "address" from this
+# document will be used as proxy URL, other contents in the document will be
+# ignored.
+#
+# Example:
+# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
+# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
+#keyprefix = /signaling/proxy/server
+
+[turn]
+# API key that the MCU will need to send when requesting TURN credentials.
+apikey = {{ signaling_janus_api_key }}
+
+# The shared secret to use for generating TURN credentials. This must be the
+# same as on the TURN server.
+secret = {{ ncloud_coturn_pass }}
+
+# A comma-separated list of TURN servers to use. Leave empty to disable the
+# TURN REST API.
+servers = turn:{{ ncloud_domain[0] }}:{{ ncloud_coturn_port }}?transport=udp,turn:{{ ncloud_domain[0] }}:{{ ncloud_coturn_port }}?transport=tcp
+
+[geoip]
+# License key to use when downloading the MaxMind GeoIP database. You can
+# register an account at "https://www.maxmind.com/en/geolite2/signup" for
+# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
+# information.
+# Leave empty to disable GeoIP lookups.
+#license =
+
+# Optional URL to download a MaxMind GeoIP database from. Will be generated if
+# "license" is provided above. Can be a "file://" url if a local file should
+# be used. Please note that the database must provide a country field when
+# looking up IP addresses.
+#url =
+
+[geoip-overrides]
+# Optional overrides for GeoIP lookups. The key is an IP address / range, the
+# value the associated country code.
+#127.0.0.1 = DE
+#192.168.0.0/24 = DE
+
+[continent-overrides]
+# Optional overrides for continent mappings. The key is a continent code, the
+# value a comma-separated list of continent codes to map the continent to.
+# Use European servers for clients in Africa.
+#AF = EU
+# Use servers in North Africa for clients in South America.
+#SA = NA
+
+[stats]
+# Comma-separated list of IP addresses that are allowed to access the stats
+# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+#allowed_ips =

templates/etc/systemd/system/signaling.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Nextcloud Talk signaling server
+
+[Service]
+ExecStart={{ cloud_apps }}/signaling-server/bin/signaling --config {{ cloud_apps }}/signaling-server/server.conf
+User={{ sgusr }}
+Group={{ sggrp }}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

vars/main.yml

@@ -0,0 +1,3 @@
+---
+sgusr: signaling
+sggrp: "{{ sgusr }}"