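#!/bin/bash
# Inspired by
# https://github.com/nextcloud/vm/blob/master/apps/talk.sh
# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
# https://markus-blog.de/index.php/2020/07/30/how-to-install-nextcloud-talk-high-performance-backend-with-stun-turnserver-on-ubuntu/
# By Nathanaël Hannebert
#
# Installs a Nextcloud Talk High Performance Backend on an Ubuntu host:
# coturn (STUN/TURN), janus (MCU), NATS (in Docker), nextcloud-spreed-signaling
# and an nginx TLS front end for the signaling endpoint.
#
# Usage: run as root. The script prompts for three values (Nextcloud domain,
# signaling domain, public IP) and prints the generated TURN key and Nextcloud
# shared secret at the end so they can be pasted into Nextcloud's Talk settings.
# Every other secret only lands in the config files written below.
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Prompt for the values every later step needs.
# Globals (written): url_nextcloud_server, url_signaling_server, Public_IP
#######################################
read_inputs() {
  # -r keeps backslashes literal (domain names never need escaping)
  read -r -p 'Domain for your Nextcloud server: ' url_nextcloud_server
  read -r -p 'Domain for this Signaling server: ' url_signaling_server
  read -r -p 'Public IP for this Signaling server: ' Public_IP
  [[ -n "$url_nextcloud_server" && -n "$url_signaling_server" && -n "$Public_IP" ]] \
    || die "all three values are required"
}

#######################################
# Step 1: install ufw and open only what the stack needs
# (web, ssh and the TURN/STUN port 5349 over tcp and udp).
#######################################
setup_firewall() {
  apt-get install -y ufw
  ufw allow http
  ufw allow https
  ufw allow ssh
  ufw allow 5349/tcp
  ufw allow 5349/udp
  # --force answers the "may disrupt existing ssh connections" prompt;
  # ssh has been allowed just above, so the rule set is safe to activate.
  ufw --force enable
}

#######################################
# Step 2: install coturn and write /etc/turnserver.conf.
# Globals (read): url_signaling_server, Public_IP
# Globals (written): KEY1_turn_key — shared TURN secret, reused by the
#   signaling server config and printed in the final summary
#######################################
setup_coturn() {
  apt-get install -y coturn
  sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
  KEY1_turn_key=$(openssl rand -hex 32)
  if [[ -e /etc/turnserver.conf ]]; then
    mv /etc/turnserver.conf /etc/turnserver.conf.bak
  fi
  # Written with a redirect rather than tee: the file carries
  # static-auth-secret, which has no business in the terminal scrollback.
  # NOTE(review): the file keeps the default permissions of /etc; check that
  # only root and the coturn service account can read it on your distro.
  cat > /etc/turnserver.conf <<EOF
listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=$KEY1_turn_key
realm=$url_signaling_server
total-quota=100
bps-capacity=0
stale-nonce
no-loopback-peers
no-multicast-peers
# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
external-ip=$Public_IP

EOF
  systemctl restart coturn
  systemctl enable coturn
}

#######################################
# Step 3: add the morph027 janus repository, install janus and write
# /etc/janus/janus.conf pointing it at the local TURN server.
# Globals (read): url_signaling_server
# Globals (written): KEY2_api_key — TURN REST API key shared with the
#   signaling server config
#######################################
setup_janus() {
  # -f: a non-2xx answer must not be saved as the trusted apt key
  curl -fsSL -o /etc/apt/trusted.gpg.d/morph027-janus.asc https://packaging.gitlab.io/janus/gpg.key
  # shellcheck source=/dev/null
  . /etc/lsb-release
  printf 'deb [arch=amd64] https://packaging.gitlab.io/janus/%s %s main\n' \
    "$DISTRIB_CODENAME" "$DISTRIB_CODENAME" > /etc/apt/sources.list.d/morph027-janus.list
  apt-get update
  apt-get install -y janus
  KEY2_api_key=$(openssl rand -base64 16)
  # Redirect instead of tee: turn_rest_api_key is a secret.
  # The commented certificate lines used typographic quotes („ “) in the
  # original; they are plain double quotes here so they work when uncommented.
  cat > /etc/janus/janus.conf <<EOF
stun_server = "$url_signaling_server"
stun_port = 5349
full_trickle = true
turn_server = "$url_signaling_server"
turn_port = 5349
turn_type = "udp"
turn_rest_api_key = "$KEY2_api_key"
certificates: {
# cert_pem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
# cert_key = "/etc/ssl/private/ssl-cert-snakeoil.key"
#cert_pwd = "secretpassphrase"
}
EOF
  # A drop-in survives package upgrades, unlike editing the unit under
  # /lib/systemd/system; After= in a drop-in is additive, so janus still
  # orders itself after coturn as intended.
  mkdir -p /etc/systemd/system/janus.service.d
  printf '[Unit]\nAfter=coturn.service\n' > /etc/systemd/system/janus.service.d/override.conf
  systemctl daemon-reload
  systemctl restart janus
  systemctl enable janus
}

#######################################
# Step 4: install Docker and run the NATS server the signaling server
# talks to.
#######################################
setup_nats() {
  # get.docker.com is a remote script executed as root. If that is a
  # concern, fetch it with curl -fsSL -o first, review it, then run it.
  curl -fsSL https://get.docker.com/ | CHANNEL=stable sh
  systemctl enable docker.service
  systemctl start docker.service
  # Publish on loopback only: Docker's port publishing bypasses ufw, and the
  # only client is the local signaling server (nats://localhost:4222).
  docker run --restart=always --name=NATSSERVER -d -p 127.0.0.1:4222:4222 -ti nats:latest
}

#######################################
# Step 5: build nextcloud-spreed-signaling from source, install it as a
# systemd service and write /etc/signaling/server.conf.
# Globals (read): url_nextcloud_server, url_signaling_server,
#   KEY1_turn_key, KEY2_api_key
# Globals (written): KEY3_nextcloud_secret_key (shared with Nextcloud,
#   printed in the summary), KEY4_block_key, KEY5_hash_key
# Side effects: changes the working directory to the clone under /opt.
#######################################
setup_signaling() {
  apt-get install -y git automake golang build-essential python3
  cd /opt
  if [[ ! -d nextcloud-spreed-signaling ]]; then
    git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
  fi
  cd nextcloud-spreed-signaling/
  make build
  cp bin/signaling /usr/bin/
  # idempotent: useradd fails when the account already exists
  id signaling >/dev/null 2>&1 \
    || useradd --system --shell /usr/sbin/nologin --comment "Standalone signaling server for Nextcloud Talk." signaling
  mkdir -p /etc/signaling/
  # lock the file down before any secret is written into it
  touch /etc/signaling/server.conf
  chown signaling: /etc/signaling/server.conf
  chmod 600 /etc/signaling/server.conf
  cp dist/init/systemd/signaling.service /etc/systemd/system/signaling.service
  sed -i 's/After=.*/After=janus.service/' /etc/systemd/system/signaling.service
  systemctl daemon-reload
  systemctl enable signaling
  KEY3_nextcloud_secret_key=$(openssl rand -hex 16)
  KEY4_block_key=$(openssl rand -hex 16)
  KEY5_hash_key=$(openssl rand -hex 16)
  cat > /etc/signaling/server.conf <<EOF
[http]
listen = 127.0.0.1:8080
[app]
debug = false
[sessions]
hashkey = $KEY5_hash_key
blockkey = $KEY4_block_key
[backend]
backends = backend-1 #here you can add more backends commaseparated backend-1, backend-2, backend-3
allowall = false
timeout = 10
connectionsperhost = 8
[backend-1]
url = https://$url_nextcloud_server
secret = $KEY3_nextcloud_secret_key
#[backend-2]
#url = https://nextcloud2.example.com
#secret = openssl rand -hex 16
#[backend-3]
#url = https://nextcloud3.example.com
#secret = openssl rand -hex 16
[nats]
url = nats://localhost:4222
[mcu]
type = janus
url = ws://127.0.0.1:8188
[turn]
apikey = $KEY2_api_key
secret = $KEY1_turn_key
servers = turn:$url_signaling_server:5349?transport=udp,turn:$url_signaling_server:5349?transport=tcp

EOF
  systemctl start signaling
  systemctl is-active --quiet signaling \
    || die "signaling did not start; check: journalctl -u signaling"
  systemctl --no-pager status signaling || true
  # informational listing; ss is part of iproute2 and present by default,
  # net-tools (netstat) is not
  ss -tulpen | grep 8080 || true
}

#######################################
# Step 6: install nginx, obtain a Let's Encrypt certificate and publish
# the signaling server under https://<signaling domain>/standalone-signaling/.
# Globals (read): url_signaling_server
#######################################
setup_nginx() {
  apt-get install -y nginx python3-certbot-nginx
  # minimal HTTP-only vhost so certbot's nginx installer has a server block
  cat > /etc/nginx/sites-available/signaling <<EOF
server {
listen 80;
server_name $url_signaling_server;
}
EOF
  ln -sf /etc/nginx/sites-available/signaling /etc/nginx/sites-enabled/signaling
  nginx -t
  systemctl reload nginx
  certbot --authenticator standalone --installer nginx -d "$url_signaling_server" \
    --pre-hook "service nginx stop" --post-hook "service nginx start"
  # The bootstrap vhost above is superseded by the full TLS vhost; nginx
  # variables are written as \$var so the shell leaves them alone.
  cat > /etc/nginx/sites-available/signaling <<EOF
upstream signaling {
server 127.0.0.1:8080;
}
server {
server_name $url_signaling_server;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/$url_signaling_server/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$url_signaling_server/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location /standalone-signaling/ {
proxy_pass http://signaling/;
proxy_http_version 1.1;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location /standalone-signaling/spreed {
proxy_pass http://signaling/spreed;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
}
server {
if (\$host = $url_signaling_server) {
return 301 https://\$host\$request_uri;
} # managed by Certbot
listen 80;
server_name $url_signaling_server;
return 404; # managed by Certbot
}

EOF
  nginx -t
  systemctl reload nginx
}

#######################################
# Step 7: print what has to be entered in Nextcloud > Settings > Talk.
# Globals (read): url_signaling_server, KEY1_turn_key,
#   KEY3_nextcloud_secret_key
# Outputs: the TURN key and the shared secret on stdout (deliberate: they
#   must be copied into Nextcloud; clear the terminal afterwards).
#######################################
print_summary() {
  cat <<EOF
Now we are ready to add turn/stun- and signaling-server to our Nextcloud
Go to Settings, Talk and enter the following:
Add this in Stun Server:
$url_signaling_server:5349
Add this in Turn servers
$url_signaling_server:5349
The key is : $KEY1_turn_key
UDP and TCP
Add this in Signaling servers:
https://$url_signaling_server/standalone-signaling/
The Shared secret is: $KEY3_nextcloud_secret_key

EOF
}

#######################################
# Run the seven steps in order; every step needs root.
#######################################
main() {
  [[ $EUID -eq 0 ]] || die "this script must be run as root"
  read_inputs
  # Step 1 : Install Firewall and other packages
  apt-get update
  setup_firewall
  # Step 2: Install and config stun/turnserver
  setup_coturn
  # Step 3: Install and config janus
  setup_janus
  # Step 4 Running or Install NATS Server
  setup_nats
  # Step 5: Install nextcloud-spreed-signaling Server
  setup_signaling
  # Step 6: Install nginx and create vHost for signaling server
  setup_nginx
  # Step 7: Configure nextcloud to use stun/turn and signaling server
  print_summary
}

main "$@"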