From 7cd2ac1bbd13133fa8002dacc717527b859f505c Mon Sep 17 00:00:00 2001
From: michnovka <16553087+michnovka@users.noreply.github.com>
Date: Tue, 3 Mar 2026 00:06:22 +0100
Subject: [PATCH 1/3] feat(talk): trust custom CA certificates via NEXTCLOUD_TRUSTED_CACERTS_DIR

When NEXTCLOUD_TRUSTED_CACERTS_DIR is set on the mastercontainer, the custom CA certificates are now also mounted into the Talk container. Since the Talk container runs with a read-only root filesystem, update-ca-certificates cannot be used. Instead, the startup script copies the system CA bundle to /tmp (tmpfs), appends any custom certificates from /usr/local/share/ca-certificates/, and sets SSL_CERT_FILE to point Go's TLS stack at the extended bundle. This allows the signaling server to verify TLS connections to Nextcloud instances that use private/internal CA certificates, without requiring skipverify=true.

Signed-off-by: Tomas <16553087+michnovka@users.noreply.github.com>
---
 Containers/talk/start.sh | 15 +++++++++++++++
 php/containers.json | 7 +++++++
 2 files changed, 22 insertions(+)

diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh
index f89949f3..003e9a89 100644
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -18,6 +18,21 @@ elif [ -z "$INTERNAL_SECRET" ]; then
 exit 1
 fi
 
+# Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
+# The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
+# point Go's TLS stack to it via SSL_CERT_FILE.
+if [ -n "$(find /usr/local/share/ca-certificates -name '*.crt' -type f 2>/dev/null)" ]; then
+echo "Trusting additional CA certificates..."
+cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
+for cert in /usr/local/share/ca-certificates/*.crt; do
+if [ -f "$cert" ]; then
+cat "$cert" >> /tmp/ca-certificates.crt
+echo " Added: $(basename "$cert")"
+fi
+done
+export SSL_CERT_FILE=/tmp/ca-certificates.crt
+fi
+
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
 # shellcheck disable=SC2153
diff --git a/php/containers.json b/php/containers.json
index a72d19a2..2e1923c0 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -437,6 +437,13 @@
 "8081"
 ],
 "internal_port": "%TALK_PORT%",
+"volumes": [
+{
+"source": "%NEXTCLOUD_TRUSTED_CACERTS_DIR%",
+"destination": "/usr/local/share/ca-certificates",
+"writeable": false
+}
+],
 "environment": [
 "NC_DOMAIN=%NC_DOMAIN%",
 "TALK_HOST=nextcloud-aio-talk",

From 909ef967480a4d5572099f9dbf284349b033a06c Mon Sep 17 00:00:00 2001
From: Tomas <16553087+michnovka@users.noreply.github.com>
Date: Fri, 6 Mar 2026 14:42:35 +0100
Subject: [PATCH 2/3] Use mountpoint check and add util-linux-misc dependency

Address review feedback: use `mountpoint -q` instead of find to detect mounted CA directory, add set -x/+x for debug logging, broaden glob to accept any file extension, and add util-linux-misc package to Dockerfile for the mountpoint command.

Signed-off-by: Tomas <16553087+michnovka@users.noreply.github.com>
---
 Containers/talk/Dockerfile | 3 ++-
 Containers/talk/start.sh | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
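Review bot: `cat "$cert" >> /tmp/ca-certificates.crt` appends each file byte-for-byte, so a PEM file that lacks a trailing newline fuses its `-----END CERTIFICATE-----` with the next file's `-----BEGIN CERTIFICATE-----` on one line, and Go's PEM decoder then rejects that block and silently moves on, dropping a certificate the user meant to trust; emitting a separator after each file avoids it: `{ cat "$cert"; printf '\n'; } >> /tmp/ca-certificates.crt`. That line is carried as unchanged context through the two later start.sh hunks, so the fix belongs here. The `cp` of the system bundle is likewise unchecked: if it fails, SSL_CERT_FILE is still exported and points at a missing or truncated bundle, so every TLS verification fails with no startup message explaining why — `cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt || exit 1` would surface it at startup (whether the script runs under `set -e` is not visible in this hunk). The bundle is written to a fixed name under /tmp; with a read-only root and a tmpfs there that is acceptable as long as nothing else in the container writes to /tmp, which this hunk cannot show.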
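Review bot: The volume is declared unconditionally with `%NEXTCLOUD_TRUSTED_CACERTS_DIR%` as its source, and nothing in this hunk shows what the container start code does when that variable is not set on the mastercontainer; presumably volumes whose source resolves to an empty string are skipped (the `mountpoint -q` test added to start.sh in the next patch relies on the mount being absent in that case), but this should be confirmed against the code that consumes containers.json, since an empty source passed through unchanged would either fail the container start or create an anonymous volume. `"writeable": false` is the right setting here: the Talk container only needs to read the certificates, and a read-only bind keeps a misbehaving or compromised container from altering the host's CA directory.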
diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile
index 6a3b227e..404326dc 100644
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -70,7 +70,8 @@ RUN set -ex; \
 libwebsockets \
 \
 shadow \
-grep; \
+grep \
+util-linux-misc; \
 useradd --system -u 1000 eturnal; \
 apk del --no-cache \
 shadow; \
diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh
index 003e9a89..04e2b9ff 100644
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -21,16 +21,18 @@ fi
 # Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
 # The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
 # point Go's TLS stack to it via SSL_CERT_FILE.
-if [ -n "$(find /usr/local/share/ca-certificates -name '*.crt' -type f 2>/dev/null)" ]; then
+if mountpoint -q /usr/local/share/ca-certificates; then
 echo "Trusting additional CA certificates..."
+set -x
 cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
-for cert in /usr/local/share/ca-certificates/*.crt; do
+for cert in /usr/local/share/ca-certificates/*; do
 if [ -f "$cert" ]; then
 cat "$cert" >> /tmp/ca-certificates.crt
 echo " Added: $(basename "$cert")"
 fi
 done
 export SSL_CERT_FILE=/tmp/ca-certificates.crt
+set +x
 fi
 
 set -x

From dd103fa0f13d09a8e106850b68c04bcc37a8513b Mon Sep 17 00:00:00 2001
From: michnovka <16553087+michnovka@users.noreply.github.com>
Date: Fri, 6 Mar 2026 14:58:08 +0100
Subject: [PATCH 3/3] Update Containers/talk/start.sh

Co-authored-by: Simon L.
Signed-off-by: michnovka <16553087+michnovka@users.noreply.github.com>
---
 Containers/talk/start.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh
index 04e2b9ff..57344ee0 100644
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
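Review bot: `util-linux-misc` is added to the package list without any hint of why, and nothing in the Dockerfile connects it to the `mountpoint -q` call that start.sh now depends on, so someone pruning the list later will not know the image breaks without it. A comment line above the RUN step (which starts before this hunk), `# util-linux-misc provides mountpoint(1), which start.sh uses to detect the mounted CA certificate directory`, would record that. BusyBox also carries a `mountpoint` applet, so it is worth checking with `command -v mountpoint` in the base image whether the extra package is needed at all or is there for util-linux's semantics; the choice should be stated either way.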
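Review bot: Widening the glob from `*.crt` to `*` means every regular file in the mounted directory gets appended to the bundle, including files that are not PEM certificates — a README, a DER-encoded `.cer`, or a private key that was left next to its certificate — and the last of those would then be copied into /tmp/ca-certificates.crt inside the Talk container. Go's `SSL_CERT_FILE` loader only uses PEM `CERTIFICATE` blocks, so a content check keeps the bundle clean without reinstating the extension restriction: `if [ -f "$cert" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then`. The `mountpoint -q` test is a sound way to detect the optional bind mount; when the directory is mounted but empty the loop adds nothing and the bundle is a plain copy of the system one, which is harmless.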
@@ -28,7 +28,6 @@ if mountpoint -q /usr/local/share/ca-certificates; then
 for cert in /usr/local/share/ca-certificates/*; do
 if [ -f "$cert" ]; then
 cat "$cert" >> /tmp/ca-certificates.crt
-echo " Added: $(basename "$cert")"
 fi
 done
 export SSL_CERT_FILE=/tmp/ca-certificates.crt