From aeae72f5ba24d186d0e9b83ecc1e3e4387163949 Mon Sep 17 00:00:00 2001 From: Zoey Date: Sat, 24 Jun 2023 17:54:12 +0200 Subject: [PATCH 1/4] move to eturnal Signed-off-by: Zoey --- Containers/talk/Dockerfile | 34 ++++++++-------- Containers/talk/start.sh | 67 +++++++++++++++++--------------- Containers/talk/supervisord.conf | 4 +- 3 files changed, 53 insertions(+), 52 deletions(-) diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile index e2f2e7a2cf6..9581d2dae91 100644 --- a/Containers/talk/Dockerfile +++ b/Containers/talk/Dockerfile @@ -1,4 +1,5 @@ FROM nats:2.9.21-scratch as nats +FROM eturnal/eturnal:1.11.1 AS eturnal FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling FROM alpine:3.18.3 as janus @@ -32,8 +33,15 @@ RUN set -ex; \ make configs; \ rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample -FROM coturn/coturn:4.6.2-alpine3.18 -USER root +FROM alpine:3.18.2 + +COPY --from=janus /usr/local /usr/local +COPY --from=eturnal /opt/eturnal /opt/eturnal +COPY --from=nats /nats-server /usr/local/bin/nats-server +COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling + +COPY --chmod=775 start.sh /start.sh +COPY --chmod=664 supervisord.conf /supervisord.conf RUN set -ex; \ apk add --no-cache \ @@ -57,7 +65,7 @@ RUN set -ex; \ libwebsockets \ \ shadow; \ - useradd --system talk; \ + useradd --system eturnal; \ apk del --no-cache \ shadow; \ \ 
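Review bot: The new `FROM eturnal/eturnal:1.11.1 AS eturnal` line spells the stage keyword as uppercase `AS` while the neighbouring `FROM … as nats` / `as signaling` / `as janus` lines in the same hunk use lowercase `as`; keep one spelling across the file (uppercase is the conventional one, so the existing lines are the ones to adjust). The version tag is pinned, which is good; a digest pin (`eturnal/eturnal:1.11.1@sha256:…`) would additionally make the copied `/opt/eturnal` release reproducible across rebuilds.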
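Review bot: The final stage is built on `FROM alpine:3.18.2` while the janus build stage visible in the first hunk uses `alpine:3.18.3`, so the runtime image ends up on an older patch release than the stage whose artifacts it copies; use `FROM alpine:3.18.3` here (or the same digest pin in both places). Moving `COPY --chmod=775 start.sh /start.sh` and `COPY --chmod=664 supervisord.conf /supervisord.conf` ahead of the `RUN apk add` layer also means any edit to either script re-runs the package install; the `COPY --from` lines presumably have to precede that RUN so its `chown -R` covers the binaries, but the two scripts land in `/` and could stay after it as before. The RUN instruction that follows continues outside the hunk.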
@@ -74,32 +82,22 @@ RUN set -ex; \ /var/log/supervisord \ /var/run/supervisord \ /usr/local/lib/janus/loggers; \ - chown talk:talk -R \ + chown eturnal:eturnal -R \ /usr \ + /opt/eturnal \ /etc/nats.conf \ - /var/lib/turn \ /var/log/supervisord \ /var/run/supervisord; \ chmod 777 -R \ /tmp \ /conf \ + /opt/eturnal \ /var/run/supervisord \ - /var/lib/turn \ /var/log/supervisord; -COPY --from=janus /usr/local /usr/local -COPY --from=nats /nats-server /usr/local/bin/nats-server -COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling - -COPY --chmod=775 start.sh /start.sh -COPY --chmod=664 supervisord.conf /supervisord.conf - -# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011 -ENV TALK_PORT=3478 - -USER talk +USER eturnal ENTRYPOINT ["/start.sh"] CMD ["supervisord", "-c", "/supervisord.conf"] -HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1 +HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT" && eturnalctl status) || exit 1 LABEL com.centurylinklabs.watchtower.enable="false" diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index f06d7c3a735..920e63dcdd5 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -4,6 +4,9 @@ if [ -z "$NC_DOMAIN" ]; then echo "You need to provide the NC_DOMAIN." exit 1 +elif [ -z "$TALK_PORT" ]; then + echo "You need to provide the TALK_PORT." + exit 1 elif [ -z "$TURN_SECRET" ]; then echo "You need to provide the TURN_SECRET." exit 1 
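Review bot: `chmod 777 -R /opt/eturnal` makes the whole eturnal release — its binaries and libraries, not just runtime state — world-writable, and the preceding `chown eturnal:eturnal -R /opt/eturnal` already gives the runtime user ownership of the tree. Restrict the recursive 777 to the directory eturnal actually writes at runtime (presumably its run/pid directory under `/opt/eturnal` — confirm against the eturnal image) and leave the rest at ownership-only permissions. Dropping `ENV TALK_PORT=3478` together with its issue-1011 comment also removes a default that the `HEALTHCHECK` line still reads through `$TALK_PORT`; start.sh now refuses to start without it, so this is an intentional break for anyone running the image without `TALK_PORT` and worth stating in the commit message. The RUN instruction this hunk edits starts outside the hunk.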
@@ -16,43 +19,43 @@ elif [ -z "$INTERNAL_SECRET" ]; then fi set -x -IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)" +IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short | grep -E "^[0-9.]+$" | sort | head -n1)" +IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep -E "^[0-9a-f:]+$" | sort | head -n1)" + +IPv4_ADDRESS_NC="$(dig "$NC_DOMAIN" A +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9.]\+$" | sort | head -n1)" +IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" AAAA +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9a-f:]\+$" | sort | head -n1)" +#if [ -z "$IPv4_ADDRESS_NC" ] && [ -z "$IPv6_ADDRESS_NC" ]; then +# export STUN_SERVICE="stun.nextcloud.com 443" +#fi set +x # Turn -cat << TURN_CONF > "/conf/turnserver.conf" -listening-port=$TALK_PORT -fingerprint -use-auth-secret -static-auth-secret=$TURN_SECRET -realm=$NC_DOMAIN -total-quota=0 -bps-capacity=0 -stale-nonce -no-multicast-peers -simple-log -pidfile=/var/tmp/turnserver.pid -no-tls -no-dtls -userdb=/var/lib/turn/turndb -# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks -allowed-peer-ip=$IPv4_ADDRESS_TALK -denied-peer-ip=0.0.0.0-0.255.255.255 -denied-peer-ip=10.0.0.0-10.255.255.255 -denied-peer-ip=100.64.0.0-100.127.255.255 -denied-peer-ip=127.0.0.0-127.255.255.255 -denied-peer-ip=169.254.0.0-169.254.255.255 -denied-peer-ip=172.16.0.0-172.31.255.255 -denied-peer-ip=192.0.0.0-192.0.0.255 -denied-peer-ip=192.0.2.0-192.0.2.255 -denied-peer-ip=192.88.99.0-192.88.99.255 -denied-peer-ip=192.168.0.0-192.168.255.255 -denied-peer-ip=198.18.0.0-198.19.255.255 -denied-peer-ip=198.51.100.0-198.51.100.255 -denied-peer-ip=203.0.113.0-203.0.113.255 -denied-peer-ip=240.0.0.0-255.255.255.255 +cat << TURN_CONF > "/opt/eturnal/etc/eturnal.yml" +eturnal: + listen: + - ip: "::" + port: $TALK_PORT + transport: udp + - ip: "::" + port: $TALK_PORT + transport: tcp + log_dir: stdout + log_level: warning + secret: 
"$TURN_SECRET" + relay_ipv4_addr: "$IPv4_ADDRESS_NC" + relay_ipv6_addr: "$IPv6_ADDRESS_NC" + blacklist: + - recommended + whitelist: + - 127.0.0.1 + - ::1 + - "$IPv4_ADDRESS_TALK" + - "$IPv6_ADDRESS_TALK" TURN_CONF +# Remove empty lines so that the config is not invalid +sed -i '/""/d' /opt/eturnal/etc/eturnal.yml + # Signling cat << SIGNALING_CONF > "/conf/signaling.conf" [http] diff --git a/Containers/talk/supervisord.conf b/Containers/talk/supervisord.conf index 216a9568e7e..89287db55f0 100644 --- a/Containers/talk/supervisord.conf +++ b/Containers/talk/supervisord.conf @@ -7,12 +7,12 @@ logfile_maxbytes=50MB logfile_backups=10 loglevel=error -[program:turnserver] +[program:eturnal] stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 -command=turnserver -c /conf/turnserver.conf +command=eturnalctl foreground [program:nats-server] stdout_logfile=/dev/stdout From 9d154557f837dc4b2507c9dbab06e04238c3d46f Mon Sep 17 00:00:00 2001 From: Zoey Date: Mon, 7 Aug 2023 13:15:41 +0200 Subject: [PATCH 2/4] enable stun auto detection Signed-off-by: Zoey --- Containers/talk/Dockerfile | 4 +++- Containers/talk/start.sh | 11 ++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile index 9581d2dae91..67d709bd761 100644 --- a/Containers/talk/Dockerfile +++ b/Containers/talk/Dockerfile @@ -34,9 +34,11 @@ RUN set -ex; \ rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample FROM alpine:3.18.2 - +ENV STUN_SERVICE="stun.nextcloud.com 443" COPY --from=janus /usr/local /usr/local COPY --from=eturnal /opt/eturnal /opt/eturnal +COPY --from=eturnal /usr/local/bin/stun /usr/local/bin/stun +COPY --from=eturnal /usr/local/bin/eturnalctl /usr/local/bin/eturnalctl COPY --from=nats /nats-server /usr/local/bin/nats-server COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling 
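Review bot: `secret: "$TURN_SECRET"` interpolates the secret into a double-quoted YAML scalar with no escaping, and the `sed -i '/""/d'` cleanup further down deletes every line containing `""`; a secret holding `"`, `\` or `""` therefore yields invalid YAML or a config whose `secret:` line is silently dropped, while the check at the top of the script only rejects an empty value. Validate the character set next to that existing check, e.g. `elif printf '%s' "$TURN_SECRET" | grep -q '["\\]'; then echo "TURN_SECRET must not contain quotes or backslashes."; exit 1`, and narrow the sed to the lines it is meant to prune, e.g. `sed -i -e '/_addr: ""$/d' -e '/^ *- ""$/d' /opt/eturnal/etc/eturnal.yml`. Switching `set -x` off before the heredoc is right — it keeps the secret out of the trace. The relay addresses come from `dig … +https @1.1.1.1`, so when that resolver is unreachable `relay_ipv4_addr`/`relay_ipv6_addr` are empty and stripped, which appears to be the intended fallback; a comment saying so would spare the next reader a false alarm. The script continues past the hunk.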
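Review bot: `ENV STUN_SERVICE="stun.nextcloud.com 443"` bakes an external endpoint into the runtime environment with nothing explaining what reads it; going by the commit title and the commented-out `export STUN_SERVICE` removed in the previous patch, it is presumably consumed by eturnal to discover the public relay address when no address was resolved, which means the container makes an outbound connection to that host at start. Add a comment above it such as `# STUN endpoint eturnal queries to auto-detect the public relay address when relay_ipv4_addr/relay_ipv6_addr are empty; override with -e STUN_SERVICE="host port"` once that behaviour is confirmed. The `COPY --from=eturnal /usr/local/bin/stun` and `/usr/local/bin/eturnalctl` lines are worth checking for being symlinks into `/opt/eturnal` in the source image — `COPY` preserves symlinks, so they would only work because `/opt/eturnal` is copied as well, and that dependency deserves a comment too.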
diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index 920e63dcdd5..b76b029e7a1 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -19,14 +19,11 @@ elif [ -z "$INTERNAL_SECRET" ]; then fi set -x -IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short | grep -E "^[0-9.]+$" | sort | head -n1)" -IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep -E "^[0-9a-f:]+$" | sort | head -n1)" +IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short | grep '^[0-9.]\+$' | sort | head -n1)" +IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)" -IPv4_ADDRESS_NC="$(dig "$NC_DOMAIN" A +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9.]\+$" | sort | head -n1)" -IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" AAAA +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep "^[0-9a-f:]\+$" | sort | head -n1)" -#if [ -z "$IPv4_ADDRESS_NC" ] && [ -z "$IPv6_ADDRESS_NC" ]; then -# export STUN_SERVICE="stun.nextcloud.com 443" -#fi +IPv4_ADDRESS_NC="$(dig "$NC_DOMAIN" IN A +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep '^[0-9.]\+$' | sort | head -n1)" +IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" IN AAAA +short +https +tls-ca=/etc/ssl/certs/ca-certificates.crt @1.1.1.1 | grep '^[0-9a-f:]\+$' | sort | head -n1)" set +x # Turn From 96beb00bb24c2ecedf6f0b60b042f375117600de Mon Sep 17 00:00:00 2001 From: Zoey Date: Wed, 9 Aug 2023 21:51:10 +0200 Subject: [PATCH 3/4] change eturnal.yml path Signed-off-by: Zoey --- Containers/talk/Dockerfile | 2 ++ Containers/talk/start.sh | 2 +- php/containers.json | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile index 67d709bd761..f01ff0ebe2a 100644 --- a/Containers/talk/Dockerfile +++ b/Containers/talk/Dockerfile 
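Review bot: The rewritten `IPv6_ADDRESS_TALK` line still queries `dig nextcloud-aio-talk AAAA` while the other three lookups in the hunk were changed to the explicit `IN A` / `IN AAAA` form; for consistency use `IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk IN AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"`. The `NC_DOMAIN` lookups depend on reaching `1.1.1.1` over DoH on port 443; when that fails the relay variables are empty and, by the sed later in the script, stripped from the config, leaving address detection to the STUN service this series enables — a one-line comment above the `dig` calls stating that an empty result is the expected fallback would help. `set -x` is on for these lines, so the resolved addresses land in the container log; that is acceptable since no secret is involved.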
@@ -35,6 +35,7 @@ RUN set -ex; \ FROM alpine:3.18.2 ENV STUN_SERVICE="stun.nextcloud.com 443" +ENV ETURNAL_ETC_DIR="/conf" COPY --from=janus /usr/local /usr/local COPY --from=eturnal /opt/eturnal /opt/eturnal COPY --from=eturnal /usr/local/bin/stun /usr/local/bin/stun @@ -76,6 +77,7 @@ RUN set -ex; \ \ touch \ /etc/nats.conf; \ + /etc/eturnal.yml; \ echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \ mkdir -p \ /var/tmp \ diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index b76b029e7a1..9bcfcf629a4 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -27,7 +27,7 @@ IPv6_ADDRESS_NC="$(dig "$NC_DOMAIN" IN AAAA +short +https +tls-ca=/etc/ssl/certs set +x # Turn -cat << TURN_CONF > "/opt/eturnal/etc/eturnal.yml" +cat << TURN_CONF > "/conf/eturnal.yml" eturnal: listen: - ip: "::" diff --git a/php/containers.json b/php/containers.json index 1ca7fa86a69..0558e2a7e91 100644 --- a/php/containers.json +++ b/php/containers.json @@ -352,8 +352,8 @@ "tmpfs": [ "/var/log/supervisord", "/var/run/supervisord", + "/opt/eturnal/run", "/conf", - "/var/lib/turn", "/tmp" ] }, From d89d0ce161d65a57a58889c2a7e9e8f8afdd5ad3 Mon Sep 17 00:00:00 2001 From: Zoey Date: Thu, 10 Aug 2023 09:16:43 +0200 Subject: [PATCH 4/4] fix sed Signed-off-by: Zoey --- Containers/talk/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index 9bcfcf629a4..3e744b6221c 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -51,7 +51,7 @@ eturnal: TURN_CONF # Remove empty lines so that the config is not invalid -sed -i '/""/d' /opt/eturnal/etc/eturnal.yml +sed -i '/""/d' /conf/eturnal.yml # Signling cat << SIGNALING_CONF > "/conf/signaling.conf"
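Review bot: The added line turns `touch \` / `/etc/nats.conf; \` / `/etc/eturnal.yml; \` into two commands, because the `;` after `/etc/nats.conf` already terminates `touch`; `/etc/eturnal.yml` is then executed as a command, and under the `set -ex` that opens this RUN the build aborts with a command-not-found error instead of creating the file. Make both paths arguments of one `touch`: `touch \`, `/etc/nats.conf \`, `/etc/eturnal.yml; \`. It is also unclear why a file under `/etc` is needed at all when the first hunk sets `ETURNAL_ETC_DIR="/conf"` and start.sh writes `/conf/eturnal.yml`; if eturnal consults the `/etc` path regardless of that variable, a comment saying so would explain the extra file. The RUN instruction continues on both sides of the hunk.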