Deploy Talk HPB/client push and document rollout steps

Add compose/nginx/env changes for Talk HPB + notify_push integration, and document deployment + hardening commands in README.

Co-Authored-By: Oz <oz-agent@warp.dev>

README.md

@@ -25,12 +25,16 @@ The stack now includes:
 - Redis service for transactional file locking and distributed cache
 - Floating app image tag enabled: `nextcloud:apache` (major upgrades supported with staged path)
 - Setup warning remediation integrated (missing indices, mimetype migrations, log-noise cleanup)
+- Nextcloud Talk high-performance backend service (`talk-hpb`) with signaling endpoint
+- Nextcloud desktop client push via `notify_push` app and `notify-push` service
 
 ## Current baseline (Apr 2026)
 - App image: `nextcloud:apache`
 - DB image: `mariadb:11.4`
 - Cache/locking: `redis:7-alpine`
 - Nextcloud version at last validation: `33.0.2`
+- Talk HPB: `ghcr.io/nextcloud-releases/aio-talk:latest` via `/standalone-signaling/`
+- Client push: `notify_push` app + `nextcloud-notify-push` service via `/push/`
 
 ## Prerequisites
 - Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
@@ -142,6 +146,52 @@ If you want AppAPI external apps later:
 - re-enable app: `docker exec --user www-data nextcloud-app php occ app:enable app_api`
 - configure a reachable deploy daemon from Settings > AppAPI
 
+## Deploy Talk HPB and client push
+This deployment includes Talk HPB and desktop client push support in Docker Compose.
+
+Required secrets in `.env` (already templated in `.env.example`):
+- `TALK_TURN_SECRET`
+- `TALK_SIGNALING_SECRET`
+- `TALK_INTERNAL_SECRET`
+
+1. Start/update services:
+```bash
+docker compose up -d app talk-hpb notify-push web
+```
+
+2. Configure Talk signaling/STUN/TURN in Nextcloud:
+```bash
+set -a; source .env; set +a
+docker exec --user www-data nextcloud-app php occ talk:signaling:add --verify https://nxt.bhatfamily.in:8446/standalone-signaling "$TALK_SIGNALING_SECRET"
+docker exec --user www-data nextcloud-app php occ talk:stun:add nxt.bhatfamily.in:3478
+docker exec --user www-data nextcloud-app php occ talk:turn:add --secret="$TALK_TURN_SECRET" turn nxt.bhatfamily.in:3478 udp,tcp
+```
+
+3. Configure Client Push (`notify_push`):
+```bash
+docker exec --user www-data nextcloud-app php occ app:install notify_push
+docker exec --user www-data nextcloud-app php occ notify_push:setup https://nxt.bhatfamily.in:8446/push
+docker exec --user www-data nextcloud-app php occ notify_push:self-test
+```
+If `notify_push` is already installed, skip `app:install` and run `notify_push:setup` + `self-test`.
+
+4. Verify endpoints and setup checks:
+```bash
+curl -k https://nxt.bhatfamily.in:8446/standalone-signaling/api/v1/welcome
+docker exec --user www-data nextcloud-app php occ setupchecks
+```
+
+## One-time setup/security hardening commands
+These commands were used to clear remaining setup/security notices in this deployment:
+
+```bash
+docker exec --user www-data nextcloud-app php occ twofactorauth:enforce --on
+docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value=IN
+docker exec --user www-data nextcloud-app php occ config:system:set serverid --type=integer --value=1
+docker exec --user www-data nextcloud-app php occ config:system:set mail_smtpmode --value=null
+```
+Adjust `default_phone_region` to your country code as needed.
+
 ## Move Nextcloud data directory to external storage
 Use the migration helper to move existing data to a host path and switch the app to a bind mount.