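#!/bin/bash
# Sets up a Nextcloud Talk High Performance Backend on one Ubuntu host:
# coturn (STUN/TURN), Janus (MCU), NATS (in Docker), nextcloud-spreed-signaling
# built from source, and nginx + certbot in front of the signaling server.
# Inspired by
# https://github.com/nextcloud/vm/blob/master/apps/talk.sh
# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
# https://markus-blog.de/index.php/2020/07/30/how-to-install-nextcloud-talk-high-performance-backend-with-stun-turnserver-on-ubuntu/
# By Nathanaël Hannebert
#
# Everything below calls apt/ufw/systemctl/useradd directly, so refuse to
# continue unless running as root instead of failing halfway through with a
# half-configured host.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi
# Needed variables
# -r keeps backslashes literal; the :? checks abort on an empty answer, since
# each value is written verbatim into config files and passed to certbot.
read -r -p 'Domain for your Nextcloud server: ' url_nextcloud_server
: "${url_nextcloud_server:?the Nextcloud domain must not be empty}"
read -r -p 'Domain for this Signaling server: ' url_signaling_server
: "${url_signaling_server:?the signaling domain must not be empty}"
read -r -p 'Public IP for this Signaling server: ' Public_IP
: "${Public_IP:?the public IP must not be empty}"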
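# Step 1 : Install Firewall and other packages
apt install ufw -y
# Make the default policy explicit so a previously customised ufw does not
# silently keep other inbound ports open.
ufw default deny incoming
ufw allow http
ufw allow https
ufw allow ssh
# STUN/TURN listener (matches listening-port in /etc/turnserver.conf).
ufw allow 5349/tcp
ufw allow 5349/udp
# Relayed media: coturn hands out relay ports from its default range
# 49152-65535/udp. Without this rule TURN allocations succeed but relayed
# media is dropped. Narrow it if you set min-port/max-port in turnserver.conf.
ufw allow 49152:65535/udp
# --force skips the interactive "may disrupt existing ssh connections"
# confirmation; ssh is already allowed above.
ufw --force enable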
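# Step 2: Install and config stun/turnserver
apt install coturn -y
sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
# Shared secret for TURN REST credentials; the same value goes into the
# signaling server config and into Nextcloud's Talk settings.
KEY1_turn_key=$(openssl rand -hex 32)
[[ -f /etc/turnserver.conf ]] && mv /etc/turnserver.conf /etc/turnserver.conf.bak
# The file carries static-auth-secret, so create it root-owned and readable
# only by the daemon's group (the Debian package runs coturn as user/group
# "turnserver"), and fill it with a redirect instead of tee so the secret is
# not echoed to the terminal or any session log.
install -m 640 -o root -g turnserver /dev/null /etc/turnserver.conf
cat > /etc/turnserver.conf <<EOF
listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=$KEY1_turn_key
realm=$url_signaling_server
total-quota=100
bps-capacity=0
stale-nonce
no-loopback-peers
no-multicast-peers
# Refuse relaying into private and link-local ranges: an internet-facing
# TURN server is otherwise a ready-made pivot into anything this host can
# reach (cloud metadata endpoints, internal services).
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
# Disable the telnet admin CLI; it is not needed here.
no-cli
# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
external-ip=$Public_IP
EOF
systemctl restart coturn && systemctl enable coturn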
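# Step 3: Install and config janus
# -f makes curl fail on an HTTP error instead of saving the error page as the
# repository key; otherwise the problem only surfaces at the next apt update.
curl -fsSL -o /etc/apt/trusted.gpg.d/morph027-janus.asc https://packaging.gitlab.io/janus/gpg.key
. /etc/lsb-release
echo "deb [arch=amd64] https://packaging.gitlab.io/janus/$DISTRIB_CODENAME $DISTRIB_CODENAME main" | tee /etc/apt/sources.list.d/morph027-janus.list
apt update
apt install janus -y
# Key the signaling server presents to Janus' TURN REST API ([turn] apikey).
KEY2_api_key=$(openssl rand -base64 16)
# NOTE(review): newer Janus packages read /etc/janus/janus.jcfg (libconfig
# syntax: settings inside nat: { ... } with ';' terminators) rather than a flat
# janus.conf — confirm the path and format against the installed package.
# TODO(review): the file holds turn_rest_api_key; restrict its mode once the
# user the packaged unit runs Janus as is known.
# Written with a redirect, not tee, so the API key is not echoed.
cat > /etc/janus/janus.conf <<EOF
stun_server = "$url_signaling_server"
stun_port = 5349
full_trickle = true
turn_server = "$url_signaling_server"
turn_port = 5349
turn_type = "udp"
turn_rest_api_key = "$KEY2_api_key"
certificates: {
# cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
# cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#cert_pwd = "secretpassphrase"
}
EOF
# Order Janus after coturn with a systemd drop-in: a drop-in adds to the
# unit's After= instead of replacing whatever it already lists, and it lives
# under /etc so a package upgrade rewriting /lib/systemd/system keeps it.
mkdir -p /etc/systemd/system/janus.service.d
printf '[Unit]\nAfter=coturn.service\n' > /etc/systemd/system/janus.service.d/override.conf
systemctl daemon-reload && systemctl restart janus && systemctl enable janus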
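# Step 4 Running or Install NATS Server
# get.docker.com is a remote script executed as root. Fetch it to a temp file
# first so it can be inspected, and only run it if the download succeeded
# (curl -f) instead of piping a possibly truncated stream into sh.
docker_install=$(mktemp) || exit 1
curl -fsSL https://get.docker.com/ -o "$docker_install" && CHANNEL=stable sh "$docker_install"
rm -f -- "$docker_install"
systemctl enable docker.service
systemctl start docker.service
# Bind NATS to loopback only. Docker inserts its published-port rules ahead of
# ufw's, so a plain "-p 4222:4222" exposes an unauthenticated NATS on every
# interface despite the firewall in Step 1. Only the local signaling server
# talks to it (nats://localhost:4222).
# NOTE(review): "nats:latest" is an unpinned tag; pin a version or digest for
# repeatable deployments. The duplicate --restart and the -ti flags (no tty is
# used with -d) were dropped.
docker run --restart=always --name=NATSSERVER -d -p 127.0.0.1:4222:4222 nats:latest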
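# Step 5: Install nextcloud-spreed-signaling Server
apt install git automake golang build-essential python3 -y
cd /opt || exit 1
# NOTE(review): this builds whatever the default branch is at clone time; check
# out a release tag before "make build" for a reproducible, reviewable build.
git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
cd nextcloud-spreed-signaling/ || exit 1
make build
cp bin/signaling /usr/bin/
useradd --system --shell /usr/sbin/nologin --comment "Standalone signaling server for Nextcloud Talk." signaling
mkdir -p /etc/signaling/
# Create the config with its final owner and 0600 mode before any secret is
# written into it.
touch /etc/signaling/server.conf
chown signaling: /etc/signaling/server.conf
chmod 600 /etc/signaling/server.conf
cp dist/init/systemd/signaling.service /etc/systemd/system/signaling.service
# Order after Janus via a drop-in so the unit's own After= entries are kept
# rather than overwritten.
mkdir -p /etc/systemd/system/signaling.service.d
printf '[Unit]\nAfter=janus.service\n' > /etc/systemd/system/signaling.service.d/override.conf
systemctl daemon-reload
systemctl enable signaling
# Shared secret between Nextcloud and this backend, plus the session cookie
# hash/block keys.
KEY3_nextcloud_secret_key=$(openssl rand -hex 16)
KEY4_block_key=$(openssl rand -hex 16)
KEY5_hash_key=$(openssl rand -hex 16)
# Redirect instead of tee: the file is 0600 for a reason, do not echo its
# secrets to the terminal.
cat > /etc/signaling/server.conf <<EOF
[http]
listen = 127.0.0.1:8080
[app]
debug = false
[sessions]
hashkey = $KEY5_hash_key
blockkey = $KEY4_block_key
[backend]
# Add more backends comma separated: backend-1, backend-2, backend-3
# (comment kept on its own line so it cannot be read as part of the value).
backends = backend-1
allowall = false
timeout = 10
connectionsperhost = 8
[backend-1]
url = https://$url_nextcloud_server
secret = $KEY3_nextcloud_secret_key
#[backend-2]
#url = https://nextcloud2.example.com
#secret = openssl rand -hex 16
#[backend-3]
#url = https://nextcloud3.example.com
#secret = openssl rand -hex 16
[nats]
url = nats://localhost:4222
[mcu]
type = janus
# presumably requires the Janus websockets transport on 8188 — verify against
# the installed Janus transport config.
url = ws://127.0.0.1:8188
[turn]
apikey = $KEY2_api_key
secret = $KEY1_turn_key
servers = turn:$url_signaling_server:5349?transport=udp,turn:$url_signaling_server:5349?transport=tcp
EOF
systemctl start signaling
systemctl --no-pager status signaling
# ss ships with iproute2 on every current Ubuntu; netstat (net-tools) may not
# be installed.
ss -tulpen | grep 8080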
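# Step 6: Install nginx and create vHost for signaling server
apt install nginx python3-certbot-nginx -y
# Minimal plain-HTTP vhost so certbot's nginx installer finds a server block
# for the domain.
cat > /etc/nginx/sites-available/signaling <<EOF
server {
  listen 80;
  server_name $url_signaling_server;
}
EOF
# -f so a re-run does not fail on the existing symlink.
ln -sf /etc/nginx/sites-available/signaling /etc/nginx/sites-enabled/signaling
# Reload only if the config parses; reloading a broken config leaves nginx in
# an unknown state.
nginx -t && systemctl reload nginx
certbot --authenticator standalone --installer nginx -d "$url_signaling_server" --pre-hook "service nginx stop" --post-hook "service nginx start"
# Overwrite the bootstrap vhost in place; it was generated a moment ago, so no
# copy is parked under a predictable name in /tmp.
cat > /etc/nginx/sites-available/signaling <<EOF
upstream signaling {
  server 127.0.0.1:8080;
}
server {
  server_name $url_signaling_server;
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/$url_signaling_server/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/$url_signaling_server/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  # NOTE(review): "preload" only takes effect for a registrable domain that is
  # submitted to the HSTS preload list, and includeSubdomains forces HTTPS on
  # every name below this one; drop them unless that is intended.
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  location /standalone-signaling/ {
    proxy_pass http://signaling/;
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
  location /standalone-signaling/spreed {
    proxy_pass http://signaling/spreed;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
}
server {
  if (\$host = $url_signaling_server) {
    return 301 https://\$host\$request_uri;
  } # managed by Certbot
  listen 80;
  server_name $url_signaling_server;
  return 404; # managed by Certbot
}
EOF
nginx -t && systemctl reload nginx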
#Step 7: Configure nextcloud to use stun/turn and signaling server
# Print what the admin has to paste into Nextcloud (Settings > Talk). The TURN
# secret and the shared secret are also stored in /etc/turnserver.conf and
# /etc/signaling/server.conf, so clear the terminal scrollback afterwards.
cat <<EOF
Now we are ready to add turn/stun- and signaling-server to our Nextcloud
Go to Settings, Talk and enter the following:
Add this in Stun Server:
$url_signaling_server:5349
Add this in Turn servers
$url_signaling_server:5349
The key is : $KEY1_turn_key
UDP and TCP
Add this in Signaling servers:
https://$url_signaling_server/standalone-signaling/
The Shared secret is: $KEY3_nextcloud_secret_key

EOF