From 4f62c7ba5b722a33779b4106a62495da4b38ce40 Mon Sep 17 00:00:00 2001
From: rnsrk
Date: Mon, 30 Mar 2026 12:22:16 +0200
Subject: [PATCH] add nextcloud

---
 override/nextcloud.example.env | 8 ++++++++
 scripts/secure-ssh-vpn.sh | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/override/nextcloud.example.env b/override/nextcloud.example.env
index 8185f55..f1c0f25 100644
--- a/override/nextcloud.example.env
+++ b/override/nextcloud.example.env
@@ -13,3 +13,11 @@ ONLYOFFICE_JWT_SECRET=
 COLLABORA_DOMAIN=
 COLLABORA_USERNAME=admin
 COLLABORA_PASSWORD=
+
+# Nextcloud Talk High Performance Backend (HPB)
+# Subdomain for the signaling server (e.g. signal.yourdomain.tld)
+TALK_DOMAIN=
+# Generate each secret with: openssl rand -hex 32
+TALK_TURN_SECRET=
+TALK_SIGNALING_SECRET=
+TALK_INTERNAL_SECRET=
diff --git a/scripts/secure-ssh-vpn.sh b/scripts/secure-ssh-vpn.sh
index 66e059f..7e917a2 100644
--- a/scripts/secure-ssh-vpn.sh
+++ b/scripts/secure-ssh-vpn.sh
@@ -64,6 +64,10 @@ run ufw allow 443/tcp comment 'HTTPS (Traefik)'
 run ufw allow 2424/tcp comment 'GitLab SSH (Traefik)'
 run ufw allow "$WG_UDP_PORT/udp" comment 'WireGuard VPN'
 
+# ── Nextcloud Talk HPB (STUN/TURN) ────────────────────────────────────────
+run ufw allow 3478/tcp comment 'Nextcloud Talk STUN/TURN (TCP)'
+run ufw allow 3478/udp comment 'Nextcloud Talk STUN/TURN (UDP)'
+
 # ── SSH — VPN clients only ────────────────────────────────────────────────
 # Deny rule is added first (gets higher rule number), then the VPN allow is
 # inserted at position 1 so it always takes priority over the deny.
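Review bot: The two `ufw allow 3478` rules in scripts/secure-ssh-vpn.sh are added unconditionally, so every host hardened with this script exposes STUN/TURN to the internet even when the optional Nextcloud Talk override is not deployed. Since the script's purpose is to narrow the exposed surface, I would make the rules opt-in, for example by wrapping them in `if [[ "${ENABLE_TALK_HPB:-0}" == 1 ]]; then … fi` (the variable name is only a suggestion) and taking the port from a variable the way `$WG_UDP_PORT` is handled. A comment above the rules should also say that the TURN service must refuse to relay to loopback and private address ranges, because a public relay could otherwise reach services that the SSH/VPN rules below are meant to shield. The TURN configuration is not part of this patch, so that last point is something to confirm rather than a confirmed defect. The rest of the script lies outside the hunk.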