diff --git a/addons/deSEC/collabora_docker_desec.sh b/addons/deSEC/collabora_docker_desec.sh
new file mode 100644
index 0000000000..5ba79d3ae4
--- /dev/null
+++ b/addons/deSEC/collabora_docker_desec.sh
@@ -0,0 +1,241 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/
+
+true
+SCRIPT_NAME="Collabora (Docker)"
+SCRIPT_EXPLAINER="This script will install the Collabora Office Server bundled with Docker"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+# To work with https://github.com/nextcloud/richdocuments/pull/2235
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 Collabora
+cpu_check 2 Collabora
+
+# Check if Collabora is already installed
+print_text_in_color "$ICyan" "Checking if Collabora is already installed..."
+if ! does_this_docker_exist 'collabora/code'
+then
+ # Ask for installing
+ install_popup "$SCRIPT_NAME"
+else
+ # Ask for removal or reinstallation
+ reinstall_remove_menu "$SCRIPT_NAME"
+ # Removal
+ remove_collabora_docker
+ # Remove config.php value set when install was successful
+ nextcloud_occ config:system:delete allow_local_remote_servers
+ # Show successful uninstall if applicable
+ removal_popup "$SCRIPT_NAME"
+fi
+
+# Check if OnlyOffice is previously installed
+# If yes, then stop and prune the docker container
+if does_this_docker_exist 'onlyoffice/documentserver'
+then
+ # Removal
+ remove_onlyoffice_docker
+fi
+
+# Remove all office apps
+remove_all_office_apps
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+export SUBDOMAIN=collabora
+if run_script DESEC desec_subdomain
+then
+ SUBDOMAIN="$(grep collabora -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)"
+ # Curl the library another time to get the correct DHPARAMS
+ # shellcheck source=lib.sh
+ source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+ # Generate DHparams cipher
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -out "$DHPARAMS_SUB" 2048
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+ # Install Collabora App
+ install_and_enable_app richdocuments
+else
+ last_fail_tls "$SCRIPTS"/apps/collabora.sh
+ exit 1
+fi
+
+# Install Apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+a2enmod headers
+
+# Only add TLS 1.3 on Ubuntu later than 20.04
+if version 20.04 "$DISTRO" 22.04.10
+then
+ TLS13="+TLSv1.3"
+fi
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for Collabora online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+
+ ServerName $SUBDOMAIN:443
+
+
+ Options -Indexes
+
+
+ # TLS configuration, you may want to take the easy route instead and use Lets Encrypt!
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ # Intermediate configuration
+ SSLEngine on
+ SSLCompression off
+ SSLProtocol -all +TLSv1.2 $TLS13
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ ServerSignature off
+
+ # Logs
+ LogLevel warn
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # Container uses a unique non-signed certificate
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # Improve security settings
+ Header set X-XSS-Protection "1; mode=block"
+ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ Header set X-Content-Type-Options nosniff
+ Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN"
+
+ # keep the host
+ ProxyPreserveHost On
+
+ # static html, js, images, etc. served from coolwsd
+ # browser is the client part of LibreOffice Online
+ ProxyPass /browser https://127.0.0.1:9980/browser retry=0
+ ProxyPassReverse /browser https://127.0.0.1:9980/browser
+
+ # WOPI discovery URL
+ ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
+ ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
+
+ # Endpoint with information about availability of various features
+ ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
+ ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
+
+ # Main websocket
+ ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon
+
+ # Admin Console websocket
+ ProxyPass /cool/adminws wss://127.0.0.1:9980/cool/adminws
+
+ # Download as, Fullscreen presentation and Image upload operations
+ ProxyPass /cool https://127.0.0.1:9980/cool
+ ProxyPassReverse /cool https://127.0.0.1:9980/cool
+
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Nextcloud Main Domain
+NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')
+
+# Curl the library another time to get the correct https_conf
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Get all needed variables from the library
+nc_update
+
+# Get the latest packages
+apt-get update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true'
+then
+ msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+$NCDOMAIN.
+Please install Nextcloud and make sure your domain is reachable, or activate TLS
+on your domain to be able to run this script.
+
+If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
+When TLS is activated, run these commands from your CLI:
+sudo curl -sLO $APP/collabora.sh
+sudo bash collabora.sh"
+ exit 1
+fi
+
+# Check if Nextcloud is installed with TLS
+check_nextcloud_https "Collabora (Docker)"
+
+# Install Docker
+install_docker
+
+# Install Collabora docker
+docker pull collabora/code:latest
+docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code
+
+
+# Set config for RichDocuments (Collabora App)
+if is_app_installed richdocuments
+then
+ nextcloud_occ config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ # Appending the new domain to trusted domains
+ add_to_trusted_domains "$SUBDOMAIN"
+ # Allow remote servers with local addresses e.g. in federated shares, webcal services and more
+ nextcloud_occ config:system:set allow_local_remote_servers --value="true"
+ # Add prune command
+ add_dockerprune
+ print_text_in_color "$ICyan" "Restarting Docker..."
+ docker restart code
+ msg_box "Collabora Docker is now successfully installed.
+Please be aware that the container is currently starting which can take a few minutes."
+fi
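Review bot: `SUBDOMAIN` is re-read from `$SCRIPTS/deSEC/.subdomain` at L66 with `grep … | cut`, and the pipeline's status is never checked, so a missing or differently named entry leaves `SUBDOMAIN` empty and the script carries on to `a2dissite ".conf"`, an `HTTPS_CONF` derived from an empty name, and a `wopi_url` of `https://`; add `[ -n "$SUBDOMAIN" ] || { print_text_in_color "$IRed" "No collabora entry found in $SCRIPTS/deSEC/.subdomain"; exit 1; }` directly after it, and quote `"$SCRIPTS"` in the grep. The same unchecked read appears in onlyoffice_docker_desec.sh and talk_desec.sh. Separately, the vhost heredoc at L149 interpolates `$NCDOMAIN` into `Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN"`, but this script only assigns `NCDOMAIN` at L193, after the vhost has already been written and enabled; unless lib.sh exports it beforehand, the policy collapses to `frame-ancestors 'self'` and Nextcloud cannot embed the editor. Moving the `NCDOMAIN=` assignment (L192-L193) above the vhost creation fixes the ordering, since `nextcloud_occ_no_check` presumably comes from the library sourced at L15.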
diff --git a/addons/deSEC/onlyoffice_docker_desec.sh b/addons/deSEC/onlyoffice_docker_desec.sh
new file mode 100644
index 0000000000..fcb1e5e0ca
--- /dev/null
+++ b/addons/deSEC/onlyoffice_docker_desec.sh
@@ -0,0 +1,240 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+true
+SCRIPT_NAME="OnlyOffice (Docker)"
+SCRIPT_EXPLAINER="This script will install the OnlyOffice Document Server bundled with Docker"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
+# Check if onlyoffice is already installed
+if ! does_this_docker_exist 'onlyoffice/documentserver'
+then
+ # Ask for installing
+ install_popup "$SCRIPT_NAME"
+else
+ # Ask for removal or reinstallation
+ reinstall_remove_menu "$SCRIPT_NAME"
+ # Removal
+ remove_onlyoffice_docker
+ # Remove config.php value set when install was successful
+ nextcloud_occ config:system:delete allow_local_remote_servers
+ nextcloud_occ config:system:delete onlyoffice
+ # Show successful uninstall if applicable
+ removal_popup "$SCRIPT_NAME"
+fi
+
+# Check if collabora is installed and remove every trace of it
+if does_this_docker_exist 'collabora/code'
+then
+ # Removal
+ remove_collabora_docker
+fi
+
+# Remove all office apps
+remove_all_office_apps
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+export SUBDOMAIN=onlyoffice
+if run_script DESEC desec_subdomain
+then
+ SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)"
+ # Curl the library another time to get the correct DHPARAMS
+ # shellcheck source=lib.sh
+ source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+ # Generate DHparams cipher
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -out "$DHPARAMS_SUB" 2048
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+ # Install OnlyOffice App
+ install_and_enable_app onlyoffice
+else
+ last_fail_tls "$SCRIPTS"/apps/onlyoffice_docker.sh
+ exit 1
+fi
+
+# Install apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+a2enmod headers
+
+# Only add TLS 1.3 on Ubuntu later than 20.04
+if version 20.04 "$DISTRO" 22.04.10
+then
+ TLS13="+TLSv1.3"
+fi
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for OnlyOffice Docker online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+
+ ServerName $SUBDOMAIN:443
+
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ # Intermediate configuration
+ SSLEngine on
+ SSLCompression off
+ SSLProtocol -all +TLSv1.2 $TLS13
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ ServerSignature off
+
+ # Logs
+ LogLevel warn
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # Improve security settings
+ Header set X-XSS-Protection "1; mode=block"
+ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ Header set X-Content-Type-Options nosniff
+ Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN"
+
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+
+ # basic proxy settings
+ ProxyRequests off
+
+ ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/\$1\$2"
+ ProxyPass / "http://127.0.0.3:9090/"
+ ProxyPassReverse / "http://127.0.0.3:9090/"
+
+
+ ProxyPassReverse /
+
+
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
+if [ "$(apache2ctl -M | grep evasive)" != "" ]
+then
+ msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. \
+It has compatibility issues with OnlyOffice and you can now choose to disable it."
+ if ! yesno_box_yes "Do you want to disable DDOS protection?"
+ then
+ print_text_in_color "$ICyan" "Keeping mod_evasive active."
+ else
+ a2dismod evasive
+ # a2dismod mod-evasive # not needed, but existing in the Extra Security script.
+ apt-get purge libapache2-mod-evasive -y
+ systemctl restart apache2
+ fi
+fi
+
+# Nextcloud Main Domain
+NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')
+
+true
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Get all needed variables from the library
+nc_update
+
+# Get the latest packages
+apt-get update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true'
+then
+ msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+$NCDOMAIN.
+Please install Nextcloud and make sure your domain is reachable, or activate TLS
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
+When TLS is activated, run these commands from your CLI:
+sudo curl -sLO $APP/onlyoffice_docker.sh
+sudo bash onlyoffice_docker.sh"
+ exit 1
+fi
+
+# Check if Nextcloud is installed with TLS
+check_nextcloud_https "OnlyOffice (Docker)"
+
+# Install Docker
+install_docker
+
+ONLYOFFICE_SECRET="$(gen_passwd "$SHUF" "a-zA-Z0-9")"
+
+# Install Onlyoffice docker
+docker pull onlyoffice/documentserver:latest
+docker run -i -t -d -p 127.0.0.3:9090:80 -e JWT_ENABLED=true -e JWT_HEADER=AuthorizationJwt -e JWT_SECRET="$ONLYOFFICE_SECRET" --restart always --name onlyoffice onlyoffice/documentserver
+
+# Set config for OnlyOffice
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ nextcloud_occ config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ # Appending the new domain to trusted domains
+ add_to_trusted_domains "$SUBDOMAIN"
+ # Allow remote servers with local addresses e.g. in federated shares, webcal services and more
+ nextcloud_occ config:system:set allow_local_remote_servers --value="true"
+ nextcloud_occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
+ nextcloud_occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
+ # Add prune command
+ add_dockerprune
+ # Restart Docker
+ print_text_in_color "$ICyan" "Restarting Docker..."
+ docker restart onlyoffice
+ msg_box "OnlyOffice Docker is now successfully installed.
+Please be aware that the container is currently starting which can take a few minutes."
+fi
+
+exit
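Review bot: The JWT secret generated at L467 is handed to `docker run` at L471 as `-e JWT_SECRET="$ONLYOFFICE_SECRET"`, which places it in the client process's argv (visible to any local user through `ps` while the command runs) and, if `debug_mode` enables command tracing for DEBUG=1, in the script's trace output as well. Passing it through a mode-600 env file with `--env-file` removes both incidental exposures; the secret is still recorded in the container's config and in config.php via L482, so this narrows the exposure rather than eliminating it. The installed-app check at L474 (`[ -d "$NC_APPS_PATH"/onlyoffice ]`) also differs from the Collabora script's `is_app_installed richdocuments`; using the same helper here keeps the two scripts aligned.
```shell
# Install Onlyoffice docker
docker pull onlyoffice/documentserver:latest
# Keep the JWT secret out of argv and trace output: hand it over through a private env file
env_file=$(mktemp) || exit 1
chmod 600 "$env_file"
printf 'JWT_SECRET=%s\n' "$ONLYOFFICE_SECRET" > "$env_file"
docker run -i -t -d -p 127.0.0.3:9090:80 -e JWT_ENABLED=true -e JWT_HEADER=AuthorizationJwt --env-file "$env_file" --restart always --name onlyoffice onlyoffice/documentserver
rm -f -- "$env_file"
# … unchanged: OnlyOffice app configuration …
```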
diff --git a/addons/deSEC/talk_desec.sh b/addons/deSEC/talk_desec.sh
new file mode 100644
index 0000000000..6e42aea2e8
--- /dev/null
+++ b/addons/deSEC/talk_desec.sh
@@ -0,0 +1,457 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/
+
+true
+SCRIPT_NAME="Nextcloud Talk"
+SCRIPT_EXPLAINER="This script installs Nextcloud Talk and also offers the possibility \
+to install the so-called High-Performance-Backend, which makes it possible to host more video calls than it would be with the standard Talk app. \
+It's called 'Talk Signaling' and you will be offered to install it as part two of this script."
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh
+
+# Get all needed variables from the library
+nc_update
+turn_install
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Check if talk_signaling is already installed
+if [ -z "$(nextcloud_occ_no_check config:app:get spreed turn_servers | sed 's/\[\]//')" ] \
+&& ! is_this_installed coturn
+then
+ # Ask for installing
+ install_popup "$SCRIPT_NAME"
+else
+ # Ask for removal or reinstallation
+ reinstall_remove_menu "$SCRIPT_NAME"
+ # Removal
+ sed "/# Talk Signaling Server/d" /etc/hosts >/dev/null 2>&1
+ sed "/127.0.1.1 $SUBDOMAIN/d" /etc/hosts >/dev/null 2>&1
+ nextcloud_occ_no_check config:app:delete spreed stun_servers
+ nextcloud_occ_no_check config:app:delete spreed turn_servers
+ nextcloud_occ_no_check config:app:delete spreed signaling_servers
+ nextcloud_occ_no_check app:remove spreed
+ rm -rf \
+ "$TURN_CONF" \
+ "$SIGNALING_SERVER_CONF" \
+ /etc/nats \
+ /etc/janus \
+ /etc/apt/trusted.gpg.d/morph027-janus.asc \
+ /etc/apt/trusted.gpg.d/morph027-nats-server.asc \
+ /etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc \
+ /etc/apt/trusted.gpg.d/morph027-coturn.asc \
+ /etc/apt/keyrings/morph027-coturn.asc
+ /etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\
+ /etc/apt/sources.list.d/morph027-janus.list \
+ /etc/apt/sources.list.d/morph027-nats-server.list \
+ /etc/apt/sources.list.d/morph027-coturn.list \
+ $VMLOGS/talk_apache_error.log \
+ $VMLOGS/talk_apache_access.log \
+ $VMLOGS/turnserver.log \
+ /var/www/html/error
+ APPS=(coturn nats-server janus nextcloud-spreed-signaling)
+ for app in "${APPS[@]}"
+ do
+ if is_this_installed "$app"
+ then
+ apt-get purge "$app" -y
+ fi
+ done
+ apt-get autoremove -y
+ # Show successful uninstall if applicable
+ removal_popup "$SCRIPT_NAME"
+fi
+
+# Must be 22.04
+if ! version 20.04 "$DISTRO" 22.04.10
+then
+ msg_box "Your current Ubuntu version is $DISTRO but must be between 20.04 - 22.04.10 to install Talk"
+ msg_box "Please contact us to get support for upgrading your server:
+https://www.hanssonit.se/#contact
+https://shop.hanssonit.se/"
+exit
+fi
+
+# Nextcloud 19 is required.
+lowest_compatible_nc 20
+
+####################### TALK (COTURN)
+
+# Check if Nextcloud is installed with TLS
+check_nextcloud_https "Nextclod Talk"
+
+# Let the user choose port. TURN_PORT in msg_box is taken from lib.sh and later changed if user decides to.
+msg_box "The default port for Talk used in this script is port $TURN_PORT.
+You can read more about that port here: https://www.speedguide.net/port.php?port=$TURN_PORT
+You will now be given the option to change this port to something of your own.
+Please keep in mind NOT to use the following ports as they are likely in use already:
+${NONO_PORTS[*]}"
+
+while :
+do
+ if yesno_box_no "Do you want to change port?"
+ then
+ # Ask for port
+ TURN_PORT=$(input_box_flow "Please enter the port you will use for Nextcloud Talk")
+ fi
+
+ # Check if port is taken and exit if that's the case
+ if check_nono_ports "$TURN_PORT"
+ then
+ break
+ fi
+done
+
+# Install TURN
+if [ "${CODENAME}" == "jammy" ]
+then
+ add_trusted_key_and_repo "gpg.key" \
+ "https://packaging.gitlab.io/coturn" \
+ "https://packaging.gitlab.io/coturn/$CODENAME" \
+ "$CODENAME main" \
+ "morph027-coturn.list"
+fi
+check_command install_if_not coturn
+check_command sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
+
+# Create log for coturn
+install -d -m 777 "$VMLOGS"
+install -o turnserver -g turnserver -m 660 /dev/null /var/log
+
+# Generate $TURN_CONF
+cat << TURN_CREATE > "$TURN_CONF"
+listening-port=$TURN_PORT
+fingerprint
+use-auth-secret
+static-auth-secret=$TURN_SECRET
+realm=$TURN_DOMAIN
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-loopback-peers
+no-multicast-peers
+no-stdout-log
+simple-log
+log-file=$VMLOGS/turnserver.log
+allowed-peer-ip=127.0.0.1
+# Enable for better security, might disconect calls though (remove the # and restart coturn)
+# denied-peer-ip=0.0.0.0-0.255.255.255
+# denied-peer-ip=10.0.0.0-10.255.255.255
+# denied-peer-ip=100.64.0.0-100.127.255.255
+# denied-peer-ip=127.0.0.0-127.255.255.255
+# denied-peer-ip=169.254.0.0-169.254.255.255
+# denied-peer-ip=172.16.0.0-172.31.255.255
+# denied-peer-ip=192.0.0.0-192.0.0.255
+# denied-peer-ip=192.0.2.0-192.0.2.255
+# denied-peer-ip=192.88.99.0-192.88.99.255
+# denied-peer-ip=192.168.0.0-192.168.255.255
+# denied-peer-ip=198.18.0.0-198.19.255.255
+# denied-peer-ip=198.51.100.0-198.51.100.255
+# denied-peer-ip=203.0.113.0-203.0.113.255
+# denied-peer-ip=240.0.0.0-255.255.255.255
+TURN_CREATE
+if [ -f "$TURN_CONF" ];
+then
+ print_text_in_color "$IGreen" "$TURN_CONF was successfully created."
+else
+ print_text_in_color "$IRed" "Unable to create $TURN_CONF, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+fi
+
+# Restart the TURN server
+check_command systemctl restart coturn.service
+
+# Warn user to open port
+msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work!
+
+This can be done automatically if you have UPNP enabled in your firewall/router. \
+You will be offered to use UPNP in the next step.
+
+After you hit OK, the script will check if the port is open or not. If it fails \
+and you want to run this script again, just execute this in your CLI:
+sudo bash /var/scripts/menu.sh, and choose 'Talk'."
+
+if yesno_box_no "Do you want to use UPNP to open port $TURN_PORT?"
+then
+ unset FAIL
+ open_port "$TURN_PORT" TCP
+ open_port "$TURN_PORT" UDP
+ cleanup_open_port
+fi
+
+# Check if the port is open
+check_open_port "$TURN_PORT" "$TURN_DOMAIN"
+
+# Enable Spreed (Talk)
+STUN_SERVERS_STRING="[\"$TURN_DOMAIN:$TURN_PORT\"]"
+TURN_SERVERS_STRING="[{\"server\":\"$TURN_DOMAIN:$TURN_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
+
+if ! is_app_enabled spreed
+then
+ install_and_enable_app spreed
+fi
+
+nextcloud_occ config:app:set spreed stun_servers --value="$STUN_SERVERS_STRING" --output json
+nextcloud_occ config:app:set spreed turn_servers --value="$TURN_SERVERS_STRING" --output json
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+msg_box "Nextcloud Talk is now installed. For more information about \
+Nextcloud Talk and its mobile apps visit:\nhttps://nextcloud.com/talk/"
+
+####################### SIGNALING
+
+SCRIPT_NAME="Talk Signaling Server"
+
+msg_box "You will now be presented with the option to install the Talk Signaling (STUN) server.
+This aims to give you greater performance and ability to have more users in a call at the same time.
+
+You can read more here:
+https://github.com/strukturag/nextcloud-spreed-signaling/blob/master/README.md
+
+We will use apt packages from https://gitlab.com/morph027 which is a trusted contributor to this repository.
+
+The exact sources can be found here:
+https://gitlab.com/packaging/nextcloud-spreed-signaling
+https://gitlab.com/packaging/janus/"
+
+# Ask the user if he/she wants the HPB server as well
+if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usually enough."
+then
+ exit 1
+fi
+
+# curl the lib another time to get the correct https_conf
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+export SUBDOMAIN=talk
+if run_script DESEC desec_subdomain
+then
+ SUBDOMAIN="$(grep talk -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)"
+ # Curl the library another time to get the correct DHPARAMS
+ # shellcheck source=lib.sh
+ source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+ # Generate DHparams cipher
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -out "$DHPARAMS_SUB" 2048
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+else
+ # remove settings to be able to start over again
+ rm -f "$HTTPS_CONF"
+ last_fail_tls "$SCRIPTS"/apps/talk_signaling.sh
+ exit 1
+fi
+
+# Apache Proxy
+# https://github.com/strukturag/nextcloud-spreed-signaling#apache
+
+# Install Apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+a2enmod headers
+a2enmod remoteip
+
+# Allow CustomLog
+touch $VMLOGS/talk_apache_access.log
+touch $VMLOGS/talk_apache_error.log
+chown www-data:www-data $VMLOGS/talk_apache_error.log $VMLOGS/talk_apache_access.log
+
+# Prep the error page
+mkdir -p /var/www/html/error
+echo "Hi there! :) If you see this page, the Apache2 proxy for $SCRIPT_NAME is up and running." > /var/www/html/error/404_proxy.html
+chown -R www-data:www-data /var/www/html/error
+
+# Only add TLS 1.3 on Ubuntu later than 20.04
+if version 20.04 "$DISTRO" 22.04.10
+then
+ TLS13="+TLSv1.3"
+fi
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+
+ ServerName $SUBDOMAIN:443
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ # Intermediate configuration
+ SSLEngine on
+ SSLCompression off
+ SSLProtocol -all +TLSv1.2 $TLS13
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ ServerSignature off
+
+ # Logs
+ LogLevel warn
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+ # Custom error page
+ ProxyErrorOverride On
+ DocumentRoot "/var/www/html"
+ ProxyPass /error/ !
+ ErrorDocument 404 /error/404_proxy.html
+ # Enable proxying Websocket requests to the standalone signaling server.
+ # https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
+ ProxyPass / "http://127.0.0.1:8081/"
+ RewriteEngine on
+ RewriteCond %{HTTP:Upgrade} websocket [NC]
+ RewriteCond %{HTTP:Connection} upgrade [NC]
+ RewriteRule ^/?(.*) "ws://127.0.0.1:8081/\$1" [P,L]
+ # Extra (remote) headers
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+ Header set X-XSS-Protection "1; mode=block"
+ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ Header set X-Content-Type-Options nosniff
+ Header set Content-Security-Policy "frame-ancestors 'self'"
+
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# NATS
+## Pre-Configuration
+mkdir -p /etc/nats
+echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf
+## Installation
+curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key"
+echo "deb https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list
+apt-get update -q4 & spinner_loading
+install_if_not nats-server
+chown nats:nats /etc/nats/nats.conf
+start_if_stopped nats-server
+check_command systemctl enable nats-server
+
+# Janus WebRTC Server
+## Installation
+case "${CODENAME}" in
+ "bionic"|"focal")
+ add_trusted_key_and_repo "gpg.key" \
+ "https://packaging.gitlab.io/janus" \
+ "https://packaging.gitlab.io/janus/$CODENAME" \
+ "$CODENAME main" \
+ "morph027-janus.list"
+ ;;
+ *)
+ :
+ ;;
+esac
+install_if_not janus
+## Configuration
+sed -i "s|#turn_rest_api_key.*|turn_rest_api_key = $JANUS_API_KEY|" /etc/janus/janus.jcfg
+sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg
+sed -i 's|#interface.*|interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
+sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
+start_if_stopped janus
+check_command systemctl enable janus
+
+# HPB
+## Installation
+add_trusted_key_and_repo "gpg.key" \
+"https://packaging.gitlab.io/nextcloud-spreed-signaling" \
+"https://packaging.gitlab.io/nextcloud-spreed-signaling" \
+"signaling main" \
+"morph027-nextcloud-spreed-signaling.list"
+install_if_not nextcloud-spreed-signaling
+## Configuration
+if [ ! -f "$SIGNALING_SERVER_CONF" ];
+then
+ cat << SIGNALING_CONF_CREATE > "$SIGNALING_SERVER_CONF"
+[http]
+listen = 127.0.0.1:8081
+[app]
+debug = false
+[sessions]
+hashkey = $(openssl rand -hex 16)
+blockkey = $(openssl rand -hex 16)
+[clients]
+internalsecret = $(openssl rand -hex 16)
+[backend]
+allowed = ${TURN_DOMAIN}
+allowall = false
+secret = ${NC_SECRET}
+timeout = 10
+connectionsperhost = 8
+[nats]
+url = nats://localhost:4222
+[mcu]
+type = janus
+url = ws://127.0.0.1:8188
+[turn]
+apikey = ${JANUS_API_KEY}
+secret = ${TURN_SECRET}
+servers = turn:$TURN_DOMAIN:$TURN_PORT?transport=tcp,turn:$TURN_DOMAIN:$TURN_PORT?transport=udp
+SIGNALING_CONF_CREATE
+fi
+start_if_stopped signaling
+check_command systemctl enable signaling
+
+# Set signaling server strings
+SIGNALING_SERVERS_STRING="{\"servers\":[{\"server\":\"https://$SUBDOMAIN/\",\"verify\":true}],\"secret\":\"$NC_SECRET\"}"
+nextcloud_occ config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS_STRING" --output json
+
+# Add to /etc/hosts
+if ! grep "$SUBDOMAIN" /etc/hosts
+then
+ echo "# Talk Signaling Server" >> /etc/hosts
+ echo "127.0.1.1 $SUBDOMAIN" >> /etc/hosts
+fi
+
+# Check that everything is working
+if ! curl -L https://"$SUBDOMAIN"/api/v1/welcome
+then
+ msg_box "Installation failed. :/\n\nPlease run this script again to uninstall if you want to clean the system, or choose to reinstall if you want to try again.\n\nLogging can be found by typing: journalctl -lfu signaling"
+ exit 1
+else
+ msg_box "Congratulations, everything is working as intended! The installation succeeded.\n\nLogging can be found by typing: journalctl -lfu signaling"
+ exit 0
+fi
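Review bot: The `rm -rf` list in the removal branch is cut short because L550 `/etc/apt/keyrings/morph027-coturn.asc` has no trailing backslash, so the command ends there and the next line (`/etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\`, with the remaining paths glued on as its arguments) is executed as a command instead of being deleted; append ` \` to L550 and put a space before the backslash on L551. The two `sed` calls at L535-L536 run without `-i` and their output is discarded, so the /etc/hosts entries are never removed — use `sed -i`, and guard the second with `[ -n "$SUBDOMAIN" ]`, because at that point `SUBDOMAIN` has not been set by this script (that happens at L739) and an empty value turns the pattern into `/127.0.1.1 /d`, which would drop the host's own entry. Both `$TURN_CONF` (L629) and `$SIGNALING_SERVER_CONF` (L907) are written with a plain `cat >` and contain shared secrets (static-auth-secret, hashkey/blockkey, internalsecret, the backend secret); `cat >` keeps an existing file's mode or takes the umask default for a new one, and nothing here restricts it, so follow each heredoc with a `chmod 640` and a chown to the service account that reads the file. `install -o turnserver -g turnserver -m 660 /dev/null /var/log` at L626 creates a file named `null` under /var/log rather than the log coturn is configured to use at L642; the target was presumably meant to be `$VMLOGS/turnserver.log`. The final health check `curl -L https://"$SUBDOMAIN"/api/v1/welcome` treats an HTTP error page as success because curl exits 0 on 4xx/5xx responses; use `curl -fsSL` so the failure branch actually fires.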
diff --git a/apps/talk.sh b/apps/talk.sh
index 4c8c3c7627..3fe2ffe717 100644
--- a/apps/talk.sh
+++ b/apps/talk.sh
@@ -224,7 +224,7 @@ https://gitlab.com/packaging/nextcloud-spreed-signaling
https://gitlab.com/packaging/janus/"
# Ask the user if he/she wants the HPB server as well
-if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usally enough."
+if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usually enough."
then
exit 1
fi
diff --git a/lib.sh b/lib.sh
index 639e64c3ca..f54db31dbd 100644
--- a/lib.sh
+++ b/lib.sh
@@ -864,6 +864,27 @@ to validate them with the $f method. We have exhausted all the methods. Please c
done
}
+# Let the user choose to setup a specific app with either deSEC, or regular TLS.
+# desec_app_tls_menu "DESEC collabora_docker_desec" "APP collabora_docker"
+desec_app_tls_menu() {
+choice=$(whiptail --title "$TITLE" --menu \
+"Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n
+$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" \
+"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "deSEC TLS setup")
+ run_script "${1}"
+ ;;
+ "Regular TLS setup")
+ run_script "${2}"
+ ;;
+ *)
+ ;;
+esac
+}
+
is_desec_installed() {
# Check if deSEC is installed and add the needed variables if yes
if [ -f "$SCRIPTS"/deSEC/.dedynauth ]
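Review bot: `run_script "${1}"` at L987 (and `"${2}"` at L990) hands the callee a single word such as `DESEC collabora_docker_desec`, whereas every other `run_script` call in this diff passes the repository key and the script name as two separate arguments (`run_script DESEC desec_subdomain` at L64, `run_script APP talk` on the old side of menu/additional_apps.sh); unless run_script splits its first argument itself, it receives the script name glued to the key. Split the pair before calling, e.g. in each arm `read -r repo script <<<"$1"; run_script "$repo" "$script"` (likewise for `$2`), and declare `local choice repo script` at the top of the function so the menu selection does not leak into the caller's scope. The new callers in menu/additional_apps.sh and menu/documentserver.sh pass their arguments in this same two-words-in-one form and are affected by whichever convention is chosen. The empty `*)` arm presumably covers a cancelled menu; a one-line `# cancelled: return to the calling menu` comment would make that explicit.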
diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh
index 129cafc125..a90719d677 100644
--- a/menu/additional_apps.sh
+++ b/menu/additional_apps.sh
@@ -125,7 +125,7 @@ to finish the setup once this script is done." "$SUBTITLE"
;;&
*"Talk"*)
print_text_in_color "$ICyan" "Downloading the Talk script..."
- run_script APP talk
+ desec_app_tls_menu "DESEC talk_desec" "APP talk"
;;&
*"Webmin"*)
print_text_in_color "$ICyan" "Downloading the Webmin script..."
diff --git a/menu/documentserver.sh b/menu/documentserver.sh
index b9811fee86..c4e4f06bbe 100644
--- a/menu/documentserver.sh
+++ b/menu/documentserver.sh
@@ -27,7 +27,7 @@ $MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \
case "$choice" in
"Collabora (Docker)")
print_text_in_color "$ICyan" "Downloading the Collabora (Docker) script..."
- run_script APP collabora_docker
+ desec_app_tls_menu "DESEC collabora_docker_desec" "APP collabora_docker"
;;
"Collabora (Integrated)")
print_text_in_color "$ICyan" "Downloading the Collabora (Integrated) script..."
@@ -35,7 +35,7 @@ case "$choice" in
;;
"OnlyOffice (Docker)")
print_text_in_color "$ICyan" "Downloading the OnlyOffice (Docker) script..."
- run_script APP onlyoffice_docker
+ desec_app_tls_menu "DESEC onlyoffice_docker_desec" "APP onlyoffice_docker"
;;
"OnlyOffice (Integrated)")
print_text_in_color "$ICyan" "Downloading the OnlyOffice (Integrated) script..."