In this article, we’ll configure a high-performance backend server for Nextcloud Talk on Ubuntu 22.04.
To build a high-performance backend server for Nextcloud Talk, we’ll install and configure the following components:
- Signaling Server — main part, helps users connect and manage audio/video streams;
- Janus — WebRTC server for many users, gives tools to control media streams;
- Coturn — helps with NAT and firewalls, lets devices find their public IP, passes traffic if needed;
- NATS Server — sends service messages between parts of the system;
- NGINX — web server, forwards HTTPS requests to the Signaling Server.
We’ll also generate six random 128-bit keys, which are used as shared secrets in the later steps:
seq 6 | xargs -I {} openssl rand -hex 16
For example (sample output; generate your own values rather than reusing these):
# Janus
c278fcea4d2c0e45194cccb245283cff
# Turn Server
c4f84de2fe59c8bc1db0c10d9cf02450
# Hash
08e164de3c2ff5656ef10f115b3d54e3
# Block
e5bef0271402c471ba45e3d97fb3c2ac
# Internal secret
5ba3203091196cfb909af062b2022aae
# Nextcloud secret
f0b088e2cc8e4e175092f8663da498d9
1. Update the repository and install additional utils:
apt update
apt install make protobuf-compiler git python3 zip unzip curl -y
2. Download and install the latest stable release of Docker:
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
3. Install Golang:
GO_VER=1.25.0
curl -sLO https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
go version
4. Install NATS server:
docker pull nats:latest
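# Publish NATS on loopback only: no authentication is configured here, and the signaling server connects via localhost
docker run -d --name nats-server -p 127.0.0.1:4222:4222 --restart=always -ti nats:latest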
5. Install Janus:
apt install janus -y
6. Edit the Janus config file:
vi /etc/janus/janus.jcfg
full_trickle = true
...
turn_rest_api_key = <Janus Key>
7. Install Coturn:
apt install coturn -y
8. Open the Coturn config file and add the following at the bottom:
vi /etc/turnserver.conf
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=<Turn Server Key>
realm=signaling.example.com
total-quota=100
bps-capacity=0
stale-nonce
no-multicast-peers
9. Restart services:
systemctl restart janus coturn
10. Install Signaling Server:
SIG_VER=2.0.4
wget https://github.com/strukturag/nextcloud-spreed-signaling/archive/refs/tags/v${SIG_VER}.tar.gz
tar -zxf v${SIG_VER}.tar.gz
cd nextcloud-spreed-signaling-${SIG_VER}
make build
cp bin/signaling /usr/bin/
mkdir /etc/signaling
cp server.conf.in /etc/signaling/server.conf
cp dist/init/systemd/signaling.service /etc/systemd/system/signaling.service
11. Edit the Signaling unit file and add the following line to the [Unit] section:
vi /etc/systemd/system/signaling.service
[Unit]
...
After=janus.service
12. Create a system user with restricted access:
useradd -r -s /usr/sbin/nologin signaling
13. Reload systemd:
systemctl daemon-reload
14. Edit the Signaling config file:
vi /etc/signaling/server.conf
[http]
listen = 127.0.0.1:8080
[sessions]
hashkey = <Hash Key>
blockkey = <Block Key>
[clients]
internalsecret = <Internal Secret Key>
[backend]
backends = backend-1
[backend-1]
url = https://nextcloud.example.com
secret = <Nextcloud Secret Key>
[nats]
url = nats://localhost:4222
[mcu]
type = janus
url = ws://127.0.0.1:8188
[turn]
apikey = <Janus Key>
secret = <Turn Server Key>
servers = turn:127.0.0.1:3478?transport=udp,turn:127.0.0.1:3478?transport=tcp
15. Enable and start the signaling.service:
systemctl enable --now signaling
systemctl status signaling
16. Test query:
curl -i http://127.0.0.1:8080/api/v1/welcome
17. Finally, install NGINX as a reverse proxy:
apt install nginx certbot -y
rm -f /etc/nginx/sites-enabled/default
18. Create a virtual host configuration:
server {
    listen 80;
    server_name signaling.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name signaling.example.com;
    ssl_certificate /etc/letsencrypt/live/signaling.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/signaling.example.com/privkey.pem;
    access_log off;
    location ~ /.well-known/acme-challenge {
        root /usr/share/nginx/html;
        allow all;
    }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Pass WebSocket upgrade requests through to the Signaling Server
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Report the scheme the client actually used (https in this block)
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
19. Test the NGINX config and reload:
nginx -t && nginx -s reload
curl -k https://127.0.0.1/api/v1/welcome
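The `use-auth-secret` / `static-auth-secret` pair from step 8 means Coturn accepts short-lived credentials derived from the shared secret, which is why the same value goes into `[turn] secret` in step 14. The following is an added example, not part of the original article or of the Coturn or signaling projects; the function names, the `talk-test` label, the `TURN_SECRET` variable and the demo secret are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: TURN REST API credentials, the scheme Coturn applies when
# use-auth-secret and static-auth-secret are set.

# password = base64(HMAC-SHA1(key = shared secret, message = username)).
# Note: -hmac places the secret in the process arguments; run this only on
# a host you administer.
turn_password() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | openssl base64
}

# username = "<unix expiry time>:<label>". The label is free-form; the
# third argument overrides "now" so results can be reproduced.
turn_username() {
    _now=${3:-$(date +%s)}
    printf '%s:%s' "$((_now + $1))" "$2"
}

# Succeeds only while the expiry embedded in the username is in the future.
turn_username_valid() {
    _now=${2:-$(date +%s)}
    _expiry=${1%%:*}
    case $_expiry in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric timestamp
    esac
    [ "$_expiry" -gt "$_now" ]
}

# Demo with a constructed secret; set TURN_SECRET to the value from
# /etc/turnserver.conf to derive credentials your server will accept.
secret=${TURN_SECRET:-constructed-demo-secret}
user=$(turn_username 3600 talk-test)
printf 'username: %s\npassword: %s\n' "$user" "$(turn_password "$secret" "$user")"
```

The printed pair can be passed to Coturn's `turnutils_uclient` with `-u` and `-w` to confirm that the server accepts credentials derived from the secret configured in step 8.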