From c79a25e34def18219cbef63a1177b8c9c5617b92 Mon Sep 17 00:00:00 2001 From: Raghav <1858838+quantumrag@users.noreply.github.com> Date: Fri, 17 Apr 2026 12:47:01 +0530 Subject: [PATCH] Deploy Talk HPB/client push and document rollout steps Add compose/nginx/env changes for Talk HPB + notify_push integration, and document deployment + hardening commands in README. Co-Authored-By: Oz --- .env.example | 3 +++ README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 41 +++++++++++++++++++++++++++++++++++++ nginx/nginx.conf | 32 +++++++++++++++++++++++++++++ 4 files changed, 126 insertions(+) diff --git a/.env.example b/.env.example index 38d104e..f05dca4 100644 --- a/.env.example +++ b/.env.example @@ -7,3 +7,6 @@ NEXTCLOUD_DB_ROOT_PASSWORD=change-me # Nextcloud admin NEXTCLOUD_ADMIN_USER=admin NEXTCLOUD_ADMIN_PASSWORD=change-me +TALK_TURN_SECRET=change-me +TALK_SIGNALING_SECRET=change-me +TALK_INTERNAL_SECRET=change-me diff --git a/README.md b/README.md index ea11786..6446815 100644 --- a/README.md +++ b/README.md @@ -25,12 +25,16 @@ The stack now includes: - Redis service for transactional file locking and distributed cache - Floating app image tag enabled: `nextcloud:apache` (major upgrades supported with staged path) - Setup warning remediation integrated (missing indices, mimetype migrations, log-noise cleanup) +- Nextcloud Talk high-performance backend service (`talk-hpb`) with signaling endpoint +- Nextcloud desktop client push via `notify_push` app and `notify-push` service ## Current baseline (Apr 2026) - App image: `nextcloud:apache` - DB image: `mariadb:11.4` - Cache/locking: `redis:7-alpine` - Nextcloud version at last validation: `33.0.2` +- Talk HPB: `ghcr.io/nextcloud-releases/aio-talk:latest` via `/standalone-signaling/` +- Client push: `notify_push` app + `nextcloud-notify-push` service via `/push/` ## Prerequisites - Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`) 
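Review bot: The three new `TALK_*_SECRET=change-me` placeholders carry no hint of how the values must be generated, and nothing in the compose service that consumes them (`TURN_SECRET=${TALK_TURN_SECRET}` and friends) rejects the placeholder, so a deployment that skips this step ends up with a guessable HMAC key for TURN credentials and for the signaling channel. A comment above the three lines would make the expectation explicit: `# Generate each with: openssl rand -hex 32 — shared with talk-hpb, rotate all three together`. The same values are later passed to `talk:signaling:add` and `talk:turn:add --secret`, so they have to be final before those occ commands are run.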
@@ -142,6 +146,52 @@ If you want AppAPI external apps later: - re-enable app: `docker exec --user www-data nextcloud-app php occ app:enable app_api` - configure a reachable deploy daemon from Settings > AppAPI +## Deploy Talk HPB and client push +This deployment includes Talk HPB and desktop client push support in Docker Compose. + +Required secrets in `.env` (already templated in `.env.example`): +- `TALK_TURN_SECRET` +- `TALK_SIGNALING_SECRET` +- `TALK_INTERNAL_SECRET` + +1. Start/update services: +```bash +docker compose up -d app talk-hpb notify-push web +``` + +2. Configure Talk signaling/STUN/TURN in Nextcloud: +```bash +set -a; source .env; set +a +docker exec --user www-data nextcloud-app php occ talk:signaling:add --verify https://nxt.bhatfamily.in:8446/standalone-signaling "$TALK_SIGNALING_SECRET" +docker exec --user www-data nextcloud-app php occ talk:stun:add nxt.bhatfamily.in:3478 +docker exec --user www-data nextcloud-app php occ talk:turn:add --secret="$TALK_TURN_SECRET" turn nxt.bhatfamily.in:3478 udp,tcp +``` + +3. Configure Client Push (`notify_push`): +```bash +docker exec --user www-data nextcloud-app php occ app:install notify_push +docker exec --user www-data nextcloud-app php occ notify_push:setup https://nxt.bhatfamily.in:8446/push +docker exec --user www-data nextcloud-app php occ notify_push:self-test +``` +If `notify_push` is already installed, skip `app:install` and run `notify_push:setup` + `self-test`. + +4. 
Verify endpoints and setup checks: +```bash +curl -k https://nxt.bhatfamily.in:8446/standalone-signaling/api/v1/welcome +docker exec --user www-data nextcloud-app php occ setupchecks +``` + +## One-time setup/security hardening commands +These commands were used to clear remaining setup/security notices in this deployment: + +```bash +docker exec --user www-data nextcloud-app php occ twofactorauth:enforce --on +docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value=IN +docker exec --user www-data nextcloud-app php occ config:system:set serverid --type=integer --value=1 +docker exec --user www-data nextcloud-app php occ config:system:set mail_smtpmode --value=null +``` +Adjust `default_phone_region` to your country code as needed. + ## Move Nextcloud data directory to external storage Use the migration helper to move existing data to a host path and switch the app to a bind mount. diff --git a/docker-compose.yml b/docker-compose.yml index 3c5b968..395b6a1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
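Review bot: Step 4's `curl -k` makes the endpoint check ignore the certificate, which is exactly what step 2's `talk:signaling:add --verify` and the Talk clients will not do, so the check can pass while the real integration fails; if the certificate is publicly trusted the flag should go, and if it is private the CA should be pinned instead: `curl --cacert /path/to/ca.pem https://nxt.bhatfamily.in:8446/standalone-signaling/api/v1/welcome`. In the hardening block, `twofactorauth:enforce --on` applies to every account immediately, including `admin`; unless a provider app is enabled and the admin has already enrolled, that can lock the only admin out, so a sentence naming `--exclude <group>` or "enrol the admin first" belongs next to it. `set -a; source .env; set +a` also exports the DB root password into the interactive shell, and the secrets then appear as `docker exec` arguments; suggesting a subshell, `( set -a; source .env; set +a; docker exec … )`, keeps the exposure to that one step.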
@@ -74,6 +74,45 @@ services: networks: - nextcloud-net + talk-hpb: + image: ghcr.io/nextcloud-releases/aio-talk:latest + container_name: nextcloud-talk-hpb + restart: unless-stopped + environment: + - NC_DOMAIN=nxt.bhatfamily.in:8446 + - TALK_HOST=nxt.bhatfamily.in + - TALK_PORT=3478 + - TURN_SECRET=${TALK_TURN_SECRET} + - SIGNALING_SECRET=${TALK_SIGNALING_SECRET} + - INTERNAL_SECRET=${TALK_INTERNAL_SECRET} + - TZ=UTC + ports: + - "3478:3478/tcp" + - "3478:3478/udp" + networks: + - nextcloud-net + + notify-push: + image: nextcloud:apache + container_name: nextcloud-notify-push + restart: unless-stopped + user: "www-data" + command: + - /bin/sh + - -c + - | + exec /var/www/html/custom_apps/notify_push/bin/$(uname -m)/notify_push /var/www/html/config/config.php + environment: + - NEXTCLOUD_URL=http://nextcloud-app + depends_on: + - app + - redis + volumes: + - nextcloud_data:/var/www/html + - /media/rbhat/DATA/nextcloud/NextCloudData:/var/www/html/data + networks: + - nextcloud-net + web: image: nginx:1.25-alpine container_name: nextcloud-web @@ -87,6 +126,8 @@ services: - nextcloud_data:/var/www/html:ro depends_on: - app + - talk-hpb + - notify-push networks: - nextcloud-net diff --git a/nginx/nginx.conf b/nginx/nginx.conf index afba31a..f290cd3 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
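Review bot: The `notify-push` service mounts the whole Nextcloud tree and the host data directory read-write, although the process it runs only needs to read `config.php` and its own `custom_apps/notify_push/bin/` — a compromise of the push daemon, which the nginx change exposes at `/push/`, would then be able to alter app code and user files. Mount it read-only and drop the data bind: `- nextcloud_data:/var/www/html:ro` with no `/media/rbhat/DATA/nextcloud/NextCloudData` line. `ghcr.io/nextcloud-releases/aio-talk:latest` is a floating tag for the component that holds the TURN and signaling secrets; pinning a version or digest, as the rest of the stack does for `mariadb:11.4` and `redis:7-alpine`, keeps an upstream push from silently changing what listens on 3478. Neither new service defines a `healthcheck:`, so the `depends_on` entries added in the next hunk order container start only, not readiness.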
@@ -29,9 +29,41 @@ server { client_max_body_size 10240M; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + location /push/ { + proxy_pass http://nextcloud-notify-push:7867/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port 8446; + proxy_read_timeout 3600; + proxy_send_timeout 3600; + } + + location /standalone-signaling/ { + proxy_pass http://nextcloud-talk-hpb:8081/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port 8446; + proxy_read_timeout 3600; + proxy_send_timeout 3600; + } + location / { proxy_pass http://nextcloud-app:80; proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
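Review bot: The two lines added to `location /` set `Connection "upgrade"` on every request to the Nextcloud app, not only on WebSocket upgrades, so ordinary requests reach Apache with a hop-by-hop `Connection: upgrade` and no `Upgrade` header. The usual pattern is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection $connection_upgrade;` in all three locations, which keeps normal connection handling for plain requests. The `/push/` and `/standalone-signaling/` blocks forward `X-Forwarded-For`, but that is only honoured if Nextcloud's `trusted_proxies` lists the `nextcloud-web` container; that setting is outside this patch and worth confirming, since otherwise brute-force throttling keys on the proxy's own address. The enclosing `server` block starts before the hunk.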