Deploy Talk HPB/client push and document rollout steps

Add compose/nginx/env changes for Talk HPB + notify_push integration, and document deployment + hardening commands in README. Co-Authored-By: Oz <oz-agent@warp.dev>
2026-04-17 12:47:01 +05:30
parent 59e92de8f4
commit c79a25e34d
4 changed files with 126 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -7,3 +7,6 @@ NEXTCLOUD_DB_ROOT_PASSWORD=change-me
 # Nextcloud admin
 NEXTCLOUD_ADMIN_USER=admin
 NEXTCLOUD_ADMIN_PASSWORD=change-me
+TALK_TURN_SECRET=change-me
+TALK_SIGNALING_SECRET=change-me
+TALK_INTERNAL_SECRET=change-me
--- a/README.md
+++ b/README.md
@ -25,12 +25,16 @@ The stack now includes:
 - Redis service for transactional file locking and distributed cache
 - Floating app image tag enabled: `nextcloud:apache` (major upgrades supported with staged path)
 - Setup warning remediation integrated (missing indices, mimetype migrations, log-noise cleanup)
+- Nextcloud Talk high-performance backend service (`talk-hpb`) with signaling endpoint
+- Nextcloud desktop client push via `notify_push` app and `notify-push` service

 ## Current baseline (Apr 2026)
 - App image: `nextcloud:apache`
 - DB image: `mariadb:11.4`
 - Cache/locking: `redis:7-alpine`
 - Nextcloud version at last validation: `33.0.2`
+- Talk HPB: `ghcr.io/nextcloud-releases/aio-talk:latest` via `/standalone-signaling/`
+- Client push: `notify_push` app + `nextcloud-notify-push` service via `/push/`

 ## Prerequisites
 - Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
@ -142,6 +146,52 @@ If you want AppAPI external apps later:
 - re-enable app: `docker exec --user www-data nextcloud-app php occ app:enable app_api`
 - configure a reachable deploy daemon from Settings > AppAPI

+## Deploy Talk HPB and client push
+This deployment includes Talk HPB and desktop client push support in Docker Compose.
+
+Required secrets in `.env` (already templated in `.env.example`):
+- `TALK_TURN_SECRET`
+- `TALK_SIGNALING_SECRET`
+- `TALK_INTERNAL_SECRET`
+
+1. Start/update services:
+```bash
+docker compose up -d app talk-hpb notify-push web
+```
+
+2. Configure Talk signaling/STUN/TURN in Nextcloud:
+```bash
+set -a; source .env; set +a
+docker exec --user www-data nextcloud-app php occ talk:signaling:add --verify https://nxt.bhatfamily.in:8446/standalone-signaling "$TALK_SIGNALING_SECRET"
+docker exec --user www-data nextcloud-app php occ talk:stun:add nxt.bhatfamily.in:3478
+docker exec --user www-data nextcloud-app php occ talk:turn:add --secret="$TALK_TURN_SECRET" turn nxt.bhatfamily.in:3478 udp,tcp
+```
+
+3. Configure Client Push (`notify_push`):
+```bash
+docker exec --user www-data nextcloud-app php occ app:install notify_push
+docker exec --user www-data nextcloud-app php occ notify_push:setup https://nxt.bhatfamily.in:8446/push
+docker exec --user www-data nextcloud-app php occ notify_push:self-test
+```
+If `notify_push` is already installed, skip `app:install` and run `notify_push:setup` + `self-test`.
+
+4. Verify endpoints and setup checks:
+```bash
+curl -k https://nxt.bhatfamily.in:8446/standalone-signaling/api/v1/welcome
+docker exec --user www-data nextcloud-app php occ setupchecks
+```
+
+## One-time setup/security hardening commands
+These commands were used to clear remaining setup/security notices in this deployment:
+
+```bash
+docker exec --user www-data nextcloud-app php occ twofactorauth:enforce --on
+docker exec --user www-data nextcloud-app php occ config:system:set default_phone_region --value=IN
+docker exec --user www-data nextcloud-app php occ config:system:set serverid --type=integer --value=1
+docker exec --user www-data nextcloud-app php occ config:system:set mail_smtpmode --value=null
+```
+Adjust `default_phone_region` to your country code as needed.
+
 ## Move Nextcloud data directory to external storage
 Use the migration helper to move existing data to a host path and switch the app to a bind mount.

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -74,6 +74,45 @@ services:
    networks:
      - nextcloud-net

+  talk-hpb:
+    image: ghcr.io/nextcloud-releases/aio-talk:latest
+    container_name: nextcloud-talk-hpb
+    restart: unless-stopped
+    environment:
+      - NC_DOMAIN=nxt.bhatfamily.in:8446
+      - TALK_HOST=nxt.bhatfamily.in
+      - TALK_PORT=3478
+      - TURN_SECRET=${TALK_TURN_SECRET}
+      - SIGNALING_SECRET=${TALK_SIGNALING_SECRET}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
+      - TZ=UTC
+    ports:
+      - "3478:3478/tcp"
+      - "3478:3478/udp"
+    networks:
+      - nextcloud-net
+
+  notify-push:
+    image: nextcloud:apache
+    container_name: nextcloud-notify-push
+    restart: unless-stopped
+    user: "www-data"
+    command:
+      - /bin/sh
+      - -c
+      - |
+        exec /var/www/html/custom_apps/notify_push/bin/$(uname -m)/notify_push /var/www/html/config/config.php
+    environment:
+      - NEXTCLOUD_URL=http://nextcloud-app
+    depends_on:
+      - app
+      - redis
+    volumes:
+      - nextcloud_data:/var/www/html
+      - /media/rbhat/DATA/nextcloud/NextCloudData:/var/www/html/data
+    networks:
+      - nextcloud-net
+
  web:
    image: nginx:1.25-alpine
    container_name: nextcloud-web
@ -87,6 +126,8 @@ services:
      - nextcloud_data:/var/www/html:ro
    depends_on:
      - app
+      - talk-hpb
+      - notify-push
    networks:
      - nextcloud-net

--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -29,9 +29,41 @@ server {
    client_max_body_size 10240M;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

+    location /push/ {
+        proxy_pass http://nextcloud-notify-push:7867/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port 8446;
+        proxy_read_timeout 3600;
+        proxy_send_timeout 3600;
+    }
+
+    location /standalone-signaling/ {
+        proxy_pass http://nextcloud-talk-hpb:8081/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port 8446;
+        proxy_read_timeout 3600;
+        proxy_send_timeout 3600;
+    }
+
    location / {
        proxy_pass http://nextcloud-app:80;
        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;