1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
|
#!/bin/bash
# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
# shellcheck disable=2034,2059
true
SCRIPT_NAME="Talk with Signaling Server"
# shellcheck source=lib.sh
NC_UPDATE=1 && TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
unset NC_UPDATE
unset TURN_INSTALL
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Must be root
root_check
# Must be 20.04
if ! version 20.04 "$DISTRO" 20.04.6
then
msg_box "Your current Ubuntu version is $DISTRO but must be between 20.04 - 20.04.6 to install Talk"
msg_box "Please contact us to get support for upgrading your server:
https://www.hanssonit.se/#contact
https://shop.hanssonit.se/"
exit
fi
# Nextcloud 13 is required.
lowest_compatible_nc 19
####################### TALK (COTURN)
# Check if Nextcloud is installed with TLS
check_nextcloud_https "Nextclod Talk"
# Check if talk/spreed is already installed
print_text_in_color "$ICyan" "Checking if Talk is already installed..."
if [ -n "$(occ_command_no_check config:app:get spreed turn_servers | sed 's/\[\]//')" ] || is_this_installed coturn
then
choice=$(whiptail --title "$TITLE" --menu "It seems like 'Nextcloud Talk' is already installed.\nChoose what you want to do." "$WT_HEIGHT" "$WT_WIDTH" 4 \
"Reinstall Nextcloud Talk" "" \
"Uninstall Nextcloud Talk" "" 3>&1 1>&2 2>&3)
case "$choice" in
"Uninstall Nextcloud Talk")
print_text_in_color "$ICyan" "Uninstalling Nextcloud Talk and resetting all settings..."
occ_command_no_check config:app:delete spreed stun_servers
occ_command_no_check config:app:delete spreed turn_servers
occ_command_no_check config:app:delete spreed signaling_servers
occ_command_no_check app:remove spreed
rm -rf \
"$TURN_CONF" \
"$SIGNALING_SERVER_CONF" \
/etc/nats \
/etc/janus \
/etc/apt/trusted.gpg.d/morph027-janus.asc \
/etc/apt/trusted.gpg.d/morph027-nats-server.asc \
/etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc \
/etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\
/etc/apt/sources.list.d/morph027-janus.list \
/etc/apt/sources.list.d/morph027-nats-server.list \
$VMLOGS/talk_apache_error.log \
$VMLOGS/talk_apache_access.log \
$VMLOGS/turnserver.log \
/var/www/html/error
apt-get purge coturn -y
apt-get purge nats-server -y
apt-get purge janus -y
apt-get purge nextcloud-spreed-signaling -y
apt autoremove -y
msg_box "Nextcloud Talk was successfully uninstalled and all settings were reverted."
exit
;;
"Reinstall Nextcloud Talk")
print_text_in_color "$ICyan" "Reinstalling Nextcloud Talk..."
occ_command_no_check config:app:delete spreed stun_servers
occ_command_no_check config:app:delete spreed turn_servers
occ_command_no_check config:app:delete spreed signaling_servers
occ_command_no_check app:remove spreed
rm -rf \
"$TURN_CONF" \
"$SIGNALING_SERVER_CONF" \
/etc/nats \
/etc/janus \
/etc/apt/trusted.gpg.d/morph027-janus.asc \
/etc/apt/trusted.gpg.d/morph027-nats-server.asc \
/etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc \
/etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\
/etc/apt/sources.list.d/morph027-janus.list \
/etc/apt/sources.list.d/morph027-nats-server.list
apt-get purge coturn -y
apt-get purge nats-server -y
apt-get purge janus -y
apt-get purge nextcloud-spreed-signaling -y
apt autoremove -y
;;
*)
;;
esac
else
print_text_in_color "$ICyan" "Installing Nextcloud Talk..."
fi
# Let the user choose port. TURN_PORT in msg_box is taken from lib.sh and later changed if user decides to.
NONO_PORTS=(22 25 53 80 443 1024 3012 3306 5178 5179 5432 7983 8983 10000 8081)
msg_box "The default port for Talk used in this script is port $TURN_PORT.
You can read more about that port here: https://www.speedguide.net/port.php?port=$TURN_PORT
You will now be given the option to change this port to something of your own.
Please keep in mind NOT to use the following ports as they are likley to be in use already:
${NONO_PORTS[*]}"
if yesno_box_no "Do you want to change port?"
then
while true
do
# Ask for port
TURN_PORT=$(input_box "Please enter the port you will use for Nextcloud Talk")
if yesno_box_yes "Is this correct? $TURN_PORT"
then
break
fi
done
fi
containsElement () {
local e match="$1"
shift
for e; do [[ "$e" == "$match" ]] && return 0; done
return 1
}
if containsElement "$TURN_PORT" "${NONO_PORTS[@]}"
then
msg_box "You have to choose another port. Please start over."
exit 1
fi
# Install TURN
check_command install_if_not coturn
check_command sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
# Create log for coturn
install -d -m 777 "$VMLOGS"
install -o turnserver -g turnserver -m 660 /dev/null /var/log
# Generate $TURN_CONF
cat << TURN_CREATE > "$TURN_CONF"
listening-port=$TURN_PORT
fingerprint
use-auth-secret
static-auth-secret=$TURN_SECRET
realm=$TURN_DOMAIN
total-quota=100
bps-capacity=0
stale-nonce
no-multicast-peers
no-stdout-log
simple-log
log-file=$VMLOGS/turnserver.log
TURN_CREATE
if [ -f "$TURN_CONF" ];
then
print_text_in_color "$IGreen" "$TURN_CONF was successfully created."
else
print_text_in_color "$IRed" "Unable to create $TURN_CONF, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
# Restart the TURN server
check_command systemctl restart coturn.service
# Warn user to open port
msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work!
After you hit OK the script will check for the firewall and eventually exit on failure.
To run again the setup, after fixing your firewall:
sudo -sLO $APP/talk_signaling.sh
sudo bash talk_signaling.sh"
# Check if the port is open
check_open_port "$TURN_PORT" "$TURN_DOMAIN"
# Enable Spreed (Talk)
STUN_SERVERS_STRING="[\"$TURN_DOMAIN:$TURN_PORT\"]"
TURN_SERVERS_STRING="[{\"server\":\"$TURN_DOMAIN:$TURN_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
if ! is_app_enabled spreed
then
install_and_enable_app spreed
fi
occ_command config:app:set spreed stun_servers --value="$STUN_SERVERS_STRING" --output json
occ_command config:app:set spreed turn_servers --value="$TURN_SERVERS_STRING" --output json
chown -R www-data:www-data "$NC_APPS_PATH"
msg_box "Nextcloud Talk is now installed. For more information about Nextcloud Talk and its mobile apps visit:\nhttps://nextcloud.com/talk/"
####################### SIGNALING
DESCRIPTION="Talk Signaling Server"
msg_box "You will now be presented with the option to install the Talk Signaling (STUN) server.
This aims to give you greater performance and ability to have more users in a call at the same time.
You can read more here:
https://github.com/strukturag/nextcloud-spreed-signaling/blob/master/README.md
We will use apt packages from https://gitlab.com/morph027 which is a trusted contributor to this repository.
The exact sources can be found here:
https://gitlab.com/packaging/nextcloud-spreed-signaling
https://gitlab.com/packaging/janus/"
# Ask the user if he/she wants the HPB server as well
if ! yesno_box_yes "Do you want to install the $DESCRIPTION?"
then
exit 1
fi
SUBDOMAIN=$(input_box "Talk Signaling Server subdomain e.g: talk.yourdomain.com\n\nNOTE: This domain must be different than your Nextcloud domain. They can however be hosted on the same server, but would require seperate DNS entries.")
# curl the lib another time to get the correct https_conf
# shellcheck source=lib.sh
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# Check if $SUBDOMAIN exists and is reachable
print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
domain_check_200 "$SUBDOMAIN"
# Check open ports with NMAP
check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# NATS
## Pre-Configuration
mkdir -p /etc/nats
echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf
## Installation
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key"
echo "deb [arch=amd64] https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list
apt update -q4 & spinner_loading
install_if_not nats-server
chown nats:nats /etc/nats/nats.conf
start_if_stopped nats-server
check_command systemctl enable nats-server
# Janus WebRTC Server
## Installation
. /etc/lsb-release
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-janus.asc" "https://packaging.gitlab.io/janus/gpg.key"
echo "deb [arch=amd64] https://packaging.gitlab.io/janus/$DISTRIB_CODENAME $DISTRIB_CODENAME main" > /etc/apt/sources.list.d/morph027-janus.list
apt update -q4 & spinner_loading
install_if_not janus
## Configuration
sed -i "s|#turn_rest_api_key\s*=.*|$JANUS_API_KEY|" /etc/janus/janus.jcfg
sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg
sed -i 's|#interface.*|interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
start_if_stopped janus
check_command systemctl enable janus
# HPB
## Installation
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc" "https://packaging.gitlab.io/nextcloud-spreed-signaling/gpg.key"
echo "deb [arch=amd64] https://packaging.gitlab.io/nextcloud-spreed-signaling signaling main" > /etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list
apt update -q4 & spinner_loading
install_if_not nextcloud-spreed-signaling
## Configuration
if [ ! -f "$SIGNALING_SERVER_CONF" ];
then
cat << SIGNALING_CONF_CREATE > "$SIGNALING_SERVER_CONF"
[http]
listen = 127.0.0.1:8081
[app]
debug = false
[sessions]
hashkey = $(openssl rand -hex 16)
blockkey = $(openssl rand -hex 16)
[clients]
internalsecret = $(openssl rand -hex 16)
[backend]
allowed = ${TURN_DOMAIN}
allowall = false
secret = ${NC_SECRET}
timeout = 10
connectionsperhost = 8
[nats]
url = nats://localhost:4222
[mcu]
type = janus
url = ws://127.0.0.1:8188
[turn]
apikey = ${JANUS_API_KEY}
secret = ${TURN_SECRET}
servers = turn:$TURN_DOMAIN:$TURN_PORT?transport=tcp,turn:$TURN_DOMAIN:$TURN_PORT?transport=udp
SIGNALING_CONF_CREATE
fi
start_if_stopped signaling
check_command systemctl enable signaling
# Apache Proxy
# https://github.com/strukturag/nextcloud-spreed-signaling#apache
# Check if $SUBDOMAIN exists and is reachable
print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
domain_check_200 "$SUBDOMAIN"
# Check open ports with NMAP
check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# Install Apache2
install_if_not apache2
# Enable Apache2 module's
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
a2enmod headers
a2enmod remoteip
# Allow CustomLog
touch $VMLOGS/talk_apache_access.log
touch $VMLOGS/talk_apache_error.log
chown www-data:www-data $VMLOGS/talk_apache_error.log $VMLOGS/talk_apache_access.log
# Prep the error page
mkdir -p /var/www/html/error
echo "Hi there! :) If you see this page, the Apache2 proxy for $DESCRIPTION is up and running." > /var/www/html/error/404_proxy.html
chown -R www-data:www-data /var/www/html/error
if [ -f "$HTTPS_CONF" ]
then
a2dissite "$SUBDOMAIN.conf"
rm -f "$HTTPS_CONF"
fi
if [ ! -f "$HTTPS_CONF" ];
then
cat << HTTPS_CREATE > "$HTTPS_CONF"
<VirtualHost *:443>
ServerName $SUBDOMAIN:443
SSLEngine on
ServerSignature On
SSLHonorCipherOrder on
SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
LogLevel warn
CustomLog $VMLOGS/talk_apache_access.log combined
ErrorLog $VMLOGS/talk_apache_error.log
# Just in case - see below
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# contra mixed content warnings
RequestHeader set X-Forwarded-Proto "https"
# Custom error page
ProxyErrorOverride On
DocumentRoot "/var/www/html"
ProxyPass /error/ !
ErrorDocument 404 /error/404_proxy.html
# Enable proxying Websocket requests to the standalone signaling server.
# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
ProxyPass / "http://127.0.0.1:8081/"
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://127.0.0.1:8081/\$1" [P,L]
# Extra (remote) headers
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'self'"
</VirtualHost>
HTTPS_CREATE
if [ -f "$HTTPS_CONF" ];
then
print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
sleep 1
else
print_text_in_color "$IRed" "Unable to create vhost, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
fi
# Install certbot (Let's Encrypt)
install_certbot
# Generate certs and auto-configure if successful
if generate_cert "$SUBDOMAIN"
then
# Generate DHparams chifer
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
else
# remove settings to be able to start over again
rm -f "$HTTPS_CONF"
last_fail_tls "$SCRIPTS"/apps/talk_signaling.sh
fi
## TODO
# Add to /etc/hosts
# Based on https://help.nextcloud.com/t/nextcloud-talk-signaling-server-now-automated-installation/90567/17?u=enoch85
# echo "127.0.1.1 $SUBDOMAIN" >> /etc/hosts
# Set signaling server strings
SIGNALING_SERVERS_STRING="{\"servers\":[{\"server\":\"https://$SUBDOMAIN/\",\"verify\":true}],\"secret\":\"$NC_SECRET\"}"
occ_command config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS_STRING" --output json
# Check that everything is working
if ! curl -L https://"$SUBDOMAIN"/api/v1/welcome
then
msg_box "Installation failed. :/\n\nPlease run this script again to uninstall if you want to clean the system, or choose to reinstall if you want to try again.\n\nLogging can be found by typing: journalctl -lfu signaling"
exit 1
else
msg_box "Congratulations, everything is working as intended! The installation succeeded.\n\nLogging can be found by typing: journalctl -lfu signaling"
exit 0
fi
|
