
Remove roles/custom/matrix-coturn

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
pull/4906/head
Suguru Hirahara пре 3 недеља
родитељ
комит
439acc69c5
12 измењених фајлова са 0 додато и 698 уклоњено
  1. +0
    -235
      roles/custom/matrix-coturn/defaults/main.yml
  2. +0
    -26
      roles/custom/matrix-coturn/tasks/main.yml
  3. +0
    -146
      roles/custom/matrix-coturn/tasks/setup_install.yml
  4. +0
    -43
      roles/custom/matrix-coturn/tasks/setup_uninstall.yml
  5. +0
    -35
      roles/custom/matrix-coturn/tasks/validate_config.yml
  6. +0
    -12
      roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
  7. +0
    -18
      roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
  8. +0
    -70
      roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
  9. +0
    -8
      roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
  10. +0
    -78
      roles/custom/matrix-coturn/templates/turnserver.conf.j2
  11. +0
    -6
      roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
  12. +0
    -21
      roles/custom/matrix-coturn/vars/main.yml

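--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -1,235 +0,0 @@
-# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2019 Stuart Mumford
-# SPDX-FileCopyrightText: 2019 Sylvia van Os
-# SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield
-# SPDX-FileCopyrightText: 2020 Horvath Gergely
-# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
-# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
-# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
-# SPDX-FileCopyrightText: 2022 Hefty Zauk
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2023 Samuel Meenzen
-# SPDX-FileCopyrightText: 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-# Project source code URL: https://github.com/coturn/coturn
-
-coturn_enabled: true
-
-coturn_hostname: ""
-
-coturn_container_image_self_build: false
-coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
-coturn_container_image_self_build_repo_version: "docker/{{ coturn_version }}"
-coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
-
-# renovate: datasource=docker depName=coturn/coturn versioning=loose
-coturn_version: 4.8.0
-coturn_container_image: "{{ coturn_container_image_registry_prefix }}coturn/coturn:{{ coturn_version }}-alpine"
-coturn_container_image_registry_prefix_upstream: "{{ coturn_container_image_registry_prefix_upstream_default }}"
-coturn_container_image_registry_prefix_upstream_default: docker.io/
-coturn_container_image_force_pull: "{{ coturn_container_image.endswith(':latest') }}"
-
-# The Docker network that coturn would be put into.
-#
-# Because coturn relays traffic to unvalidated IP addresses,
-# using a dedicated network, isolated from other Docker (and local) services is preferable.
-#
-# Setting up deny/allow rules with `coturn_allowed_peer_ips`/`coturn_denied_peer_ips` is also
-# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
-#
-# Setting `coturn_container_network` to 'host' will run the container with host networking,
-# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
-# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.
-# Regardless of the networking mode, we apply a deny list which via `coturn_denied_peer_ips`,
-# which hopefully prevents access to such private network ranges.
-# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
-coturn_container_network: "matrix-coturn"
-
-coturn_container_additional_networks: "{{ coturn_container_additional_networks_auto + coturn_container_additional_networks_custom }}"
-coturn_container_additional_networks_auto: []
-coturn_container_additional_networks_custom: []
-
-coturn_docker_src_files_path: "{{ coturn_base_path }}/docker-src"
-coturn_config_path: "{{ coturn_base_path }}/turnserver.conf"
-
-# List of systemd services that matrix-coturn.service depends on
-coturn_systemd_required_services_list: "{{ coturn_systemd_required_services_list_default + coturn_systemd_required_services_list_auto + coturn_systemd_required_services_list_custom }}"
-coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
-coturn_systemd_required_services_list_auto: []
-coturn_systemd_required_services_list_custom: []
-
-# A list of additional "volumes" to mount in the container.
-# This list gets populated dynamically at runtime. You can provide a different default value,
-# if you wish to mount your own files into the container.
-# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
-# See the `--mount` documentation for the `docker run` command.
-coturn_container_additional_volumes: []
-
-# A list of extra arguments to pass to the container
-coturn_container_extra_arguments: []
-
-# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
-coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if coturn_container_network != 'host' else '' }}"
-
-# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
-#
-# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
-# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
-# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
-coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if coturn_container_network != 'host' else '' }}"
-
-# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
-coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if coturn_container_network != 'host' else '' }}"
-
-# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
-#
-# This is enabled by default, unlike `coturn_container_stun_plain_host_bind_port_udp`,
-# because the risk of DDoS amplification attacks is lower for TLS
-# due to the handshake requiring two-way authentication and being generally more expensive.
-coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if coturn_container_network != 'host' else '' }}"
-
-# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
-#
-# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
-# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
-#
-# The UDP port-range itself is specified using `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`.
-coturn_container_turn_range_listen_interface: "{{ '' if coturn_container_network != 'host' else 'none' }}"
-
-# UDP port-range to use for TURN
-coturn_turn_udp_min_port: 49152
-coturn_turn_udp_max_port: 49172
-
-# Controls the `realm` configuration option
-coturn_realm: "turn.{{ coturn_hostname }}"
-
-# Controls which authentication method to enable.
-#
-# lt-cred-mech likely provides better compatibility,
-# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
-# but those claims are unverified.
-#
-# For now, we still default to `auth-secret` like we've always done.
-#
-# Known values: auth-secret, lt-cred-mech
-coturn_authentication_method: auth-secret
-
-# A shared secret used for authentication when `coturn_authentication_method` is `auth-secret`.
-# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
-coturn_turn_static_auth_secret: ""
-
-# A username used authentication when `coturn_authentication_method` is `lt-cred-mech`.
-coturn_lt_cred_mech_username: ""
-# A password used authentication when `coturn_authentication_method` is `lt-cred-mech`.
-coturn_lt_cred_mech_password: ""
-
-# The external IP address of the machine where coturn is.
-# If do not define an IP address here or in `coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
-# See `coturn_turn_external_ip_address_auto_detection_enabled`
-coturn_turn_external_ip_address: ""
-coturn_turn_external_ip_addresses: "{{ [coturn_turn_external_ip_address] if coturn_turn_external_ip_address != '' else [] }}"
-
-# Controls whether external IP address auto-detection should be attempted.
-# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
-# See coturn_turn_external_ip_address_auto_detection_echoip_service_url
-coturn_turn_external_ip_address_auto_detection_enabled: "{{ coturn_turn_external_ip_addresses | length == 0 and coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
-
-# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
-# Example: https://ifconfig.co/json
-coturn_turn_external_ip_address_auto_detection_echoip_service_url: ""
-
-# Controls whether SSL certificates will be validated when contacting the EchoIP service (coturn_turn_external_ip_address_auto_detection_echoip_service_url)
-coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true
-
-coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
-coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"
-
-coturn_allowed_peer_ips: []
-
-# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
-# This is especially important when coturn does not run within a container network (e.g. `coturn_container_network: host`).
-#
-# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
-#
-# If you're running coturn for local network peers, you may wish to override these rules.
-coturn_denied_peer_ips:
-- 0.0.0.0-0.255.255.255
-- 10.0.0.0-10.255.255.255
-- 100.64.0.0-100.127.255.255
-- 127.0.0.0-127.255.255.255
-- 169.254.0.0-169.254.255.255
-- 172.16.0.0-172.31.255.255
-- 192.0.0.0-192.0.0.255
-- 192.0.2.0-192.0.2.255
-- 192.88.99.0-192.88.99.255
-- 192.168.0.0-192.168.255.255
-- 198.18.0.0-198.19.255.255
-- 198.51.100.0-198.51.100.255
-- 203.0.113.0-203.0.113.255
-- 240.0.0.0-255.255.255.255
-- ::1
-- 64:ff9b::-64:ff9b::ffff:ffff
-- ::ffff:0.0.0.0-::ffff:255.255.255.255
-- 100::-100::ffff:ffff:ffff:ffff
-- 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
-- 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-coturn_user_quota: null
-coturn_total_quota: null
-
-# Controls whether `no-tcp-relay` is added to the configuration
-# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
-coturn_no_tcp_relay_enabled: true
-
-# Controls whether `no-multicast-peers` is added to the configuration
-# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
-coturn_no_multicast_peers_enabled: true
-
-# Controls whether `no-rfc5780` is added to the configuration
-# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
-coturn_no_rfc5780_enabled: true
-
-# Controls whether `no-stun-backward-compatibility` is added to the configuration
-# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
-coturn_no_stun_backward_compatibility_enabled: true
-
-# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
-# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
-coturn_response_origin_only_with_rfc5780_enabled: true
-
-# Additional configuration to be passed to turnserver.conf
-# Example:
-# coturn_additional_configuration: |
-# simple-log
-# aux-server=1.2.3.4
-# relay-ip=4.3.2.1
-coturn_additional_configuration: ""
-
-# To enable TLS, you need to provide paths to certificates.
-# Paths defined in `coturn_tls_cert_path` and `coturn_tls_key_path` are in-container paths.
-# Files on the host can be mounted into the container using `coturn_container_additional_volumes`.
-coturn_tls_enabled: false
-coturn_tls_cert_path: ~
-coturn_tls_key_path: ~
-
-coturn_tls_v1_enabled: false
-coturn_tls_v1_1_enabled: false
-
-# systemd calendar configuration for the reload job
-# the actual job may run with a delay (see coturn_reload_schedule_randomized_delay_sec)
-coturn_reload_schedule: "*-*-* 06:30:00"
-# the delay with which the systemd timer may run in relation to the `coturn_reload_schedule` schedule
-coturn_reload_schedule_randomized_delay_sec: 1h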
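--- a/roles/custom/matrix-coturn/tasks/main.yml
+++ b/roles/custom/matrix-coturn/tasks/main.yml
@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2019 Dan Arnfield
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- tags:
-- setup-all
-- setup-coturn
-- install-all
-- install-coturn
-block:
-- when: coturn_enabled | bool
-ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-
-- when: coturn_enabled | bool
-ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-
-- tags:
-- setup-all
-- setup-coturn
-block:
-- when: not coturn_enabled | bool
-ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"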
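--- a/roles/custom/matrix-coturn/tasks/setup_install.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_install.yml
@@ -1,146 +0,0 @@
-# SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
-# SPDX-FileCopyrightText: 2019 Dan Arnfield
-# SPDX-FileCopyrightText: 2020 Béla Becker
-# SPDX-FileCopyrightText: 2020 Chris van Dijk
-# SPDX-FileCopyrightText: 2020 Horvath Gergely
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2022 Nikita Chernyi
-# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
-# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
-# SPDX-FileCopyrightText: 2024 David Mehren
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- when: coturn_turn_external_ip_address_auto_detection_enabled | bool
-block:
-- name: Fail if enabled, but EchoIP service URL unset
-when: coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
-ansible.builtin.fail:
-msg: "To use the external IP address auto-detection feature, you need to set coturn_turn_external_ip_address_auto_detection_echoip_service_url"
-
-# Note:
-# `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used.
-# Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4.
-- name: Fetch IP address information from EchoIP service
-ansible.builtin.uri:
-url: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
-headers:
-Content-Type: application/json
-follow_redirects: none
-validate_certs: "{{ coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
-register: result_coturn_turn_external_ip_address_auto_detection_echoip_response
-ignore_errors: true
-check_mode: false
-retries: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
-delay: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
-until: not result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed
-
-- name: Fail if EchoIP service failed
-when: "(result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_coturn_turn_external_ip_address_auto_detection_echoip_response)"
-ansible.builtin.fail:
-msg: "Failed contacting EchoIP service API at `{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_coturn_turn_external_ip_address_auto_detection_echoip_response }}"
-
-- ansible.builtin.set_fact:
-coturn_turn_external_ip_address: "{{ result_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
-
-- name: Ensure Matrix coturn path exists
-ansible.builtin.file:
-path: "{{ item.path }}"
-state: directory
-mode: 0750
-owner: "{{ matrix_user_name }}"
-group: "{{ matrix_group_name }}"
-with_items:
-- {path: "{{ coturn_docker_src_files_path }}", when: "{{ coturn_container_image_self_build }}"}
-when: "item.when | bool"
-
-- name: Ensure coturn image is pulled
-community.docker.docker_image:
-name: "{{ coturn_container_image }}"
-source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-force_source: "{{ coturn_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else coturn_container_image_force_pull }}"
-when: "not coturn_container_image_self_build | bool"
-register: result
-retries: "{{ devture_playbook_help_container_retries_count }}"
-delay: "{{ devture_playbook_help_container_retries_delay }}"
-until: result is not failed
-
-- when: "coturn_container_image_self_build | bool"
-block:
-- name: Ensure coturn repository is present on self-build
-ansible.builtin.git:
-repo: "{{ coturn_container_image_self_build_repo }}"
-dest: "{{ coturn_docker_src_files_path }}"
-version: "{{ coturn_container_image_self_build_repo_version }}"
-force: "yes"
-become: true
-become_user: "{{ matrix_user_name }}"
-register: coturn_git_pull_results
-
-- name: Ensure coturn Docker image is built
-community.docker.docker_image:
-name: "{{ coturn_container_image }}"
-source: build
-force_source: "{{ coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else coturn_git_pull_results.changed }}"
-build:
-dockerfile: "{{ coturn_container_image_self_build_repo_dockerfile_path }}"
-path: "{{ coturn_docker_src_files_path }}"
-pull: true
-
-- name: Ensure coturn configuration path exists
-ansible.builtin.file:
-path: "{{ coturn_base_path }}"
-state: directory
-mode: 0750
-owner: "{{ matrix_user_name }}"
-group: "{{ matrix_group_name }}"
-
-- name: Ensure turnserver.conf installed
-ansible.builtin.template:
-src: "{{ role_path }}/templates/turnserver.conf.j2"
-dest: "{{ coturn_config_path }}"
-mode: 0644
-owner: "{{ matrix_user_name }}"
-group: "{{ matrix_group_name }}"
-
-- name: Ensure coturn network is created in Docker
-when: coturn_container_network not in ['', 'host']
-community.docker.docker_network:
-enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
-name: "{{ coturn_container_network }}"
-driver: bridge
-driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
-
-- name: Ensure matrix-coturn.service installed
-ansible.builtin.template:
-src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
-dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
-mode: 0644
-
-# This may be unnecessary when more long-lived certificates are used.
-# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
-# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
-- name: Ensure reloading systemd units installed, if necessary
-ansible.builtin.template:
-src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
-dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
-mode: 0644
-when: "coturn_tls_enabled | bool"
-with_items:
-- matrix-coturn-reload.service
-- matrix-coturn-reload.timer
-
-# A similar task exists in `setup_uninstall.yml`
-- name: Ensure reloading systemd units uninstalled, if unnecessary
-ansible.builtin.file:
-path: "{{ item }}"
-state: absent
-when: "not coturn_tls_enabled | bool"
-with_items:
-- matrix-coturn-reload.service
-- matrix-coturn-reload.timer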
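--- a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml
@@ -1,43 +0,0 @@
-# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Check existence of matrix-coturn service
-ansible.builtin.stat:
-path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
-register: coturn_service_stat
-when: "not coturn_enabled | bool"
-
-- when: coturn_service_stat.stat.exists | bool
-block:
-- name: Ensure matrix-coturn is stopped
-ansible.builtin.service:
-name: matrix-coturn
-state: stopped
-enabled: false
-daemon_reload: true
-
-- name: Ensure matrix-coturn-reload.timer is stopped
-ansible.builtin.service:
-name: matrix-coturn
-state: stopped
-enabled: false
-daemon_reload: true
-failed_when: false
-
-- name: Ensure systemd units don't exist
-ansible.builtin.file:
-path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
-state: absent
-with_items:
-- matrix-coturn.service
-- matrix-coturn-reload.service
-- matrix-coturn-reload.timer
-
-- name: Ensure Matrix coturn paths don't exist
-ansible.builtin.file:
-path: "{{ coturn_base_path }}"
-state: absent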
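--- a/roles/custom/matrix-coturn/tasks/validate_config.yml
+++ b/roles/custom/matrix-coturn/tasks/validate_config.yml
@@ -1,35 +0,0 @@
-# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: (Deprecation) Catch and report renamed coturn settings
-ansible.builtin.fail:
-msg: >-
-Your configuration contains a variable, which now has a different name.
-Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
-when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
-with_items:
-- {'old': 'coturn_docker_network', 'new': 'coturn_container_network'}
-- {'old': 'coturn_container_stun_plain_host_bind_port', 'new': 'superseded by coturn_container_stun_plain_host_bind_port_tcp and coturn_container_stun_plain_host_bind_port_udp'}
-- {'old': 'coturn_container_stun_tls_host_bind_port', 'new': 'superseded by coturn_container_stun_tls_host_bind_port_tcp and coturn_container_stun_tls_host_bind_port_udp'}
-- {'old': 'coturn_container_image_name_prefix', 'new': 'coturn_container_image_registry_prefix'}
-
-- name: Fail if coturn_authentication_method is invalid
-ansible.builtin.fail:
-msg: >-
-Invalid authentication method specified in `coturn_authentication_method`
-when: "coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
-
-- name: Fail if required coturn settings not defined
-ansible.builtin.fail:
-msg: >-
-You need to define a required configuration setting (`{{ item.name }}`).
-when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
-with_items:
-- {'name': 'coturn_hostname', when: true}
-- {'name': 'coturn_turn_static_auth_secret', when: "{{ coturn_authentication_method == 'auth-secret' }}"}
-- {'name': 'coturn_lt_cred_mech_username', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"}
-- {'name': 'coturn_lt_cred_mech_password', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"}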
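--- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
+++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
@@ -1,12 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-[Unit]
-Description=Reloads matrix-coturn so that new SSL certificates can kick in
-
-[Service]
-Type=oneshot
-ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-coturn.service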
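--- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
+++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
@@ -1,18 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
-SPDX-FileCopyrightText: 2021 Hardy Erlinger
-SPDX-FileCopyrightText: 2025 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-[Unit]
-Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
-
-[Timer]
-Unit=matrix-coturn-reload.service
-OnCalendar={{ coturn_reload_schedule }}
-RandomizedDelaySec={{ coturn_reload_schedule_randomized_delay_sec }}
-
-[Install]
-WantedBy=timers.target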
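--- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@@ -1,70 +0,0 @@
-#jinja2: lstrip_blocks: True
-[Unit]
-Description=Matrix coturn server
-{% for service in coturn_systemd_required_services_list %}
-Requires={{ service }}
-After={{ service }}
-{% endfor %}
-DefaultDependencies=no
-
-[Service]
-Type=simple
-Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
-
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
---rm \
---name=matrix-coturn \
---log-driver=none \
---user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
---cap-drop=ALL \
---cap-add=NET_BIND_SERVICE \
---entrypoint=turnserver \
---read-only \
---tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
---network={{ coturn_container_network }} \
-{% if coturn_container_stun_plain_host_bind_port_tcp != '' %}
--p {{ coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
-{% endif %}
-{% if coturn_container_stun_plain_host_bind_port_udp != '' %}
--p {{ coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
-{% endif %}
-{% if coturn_container_stun_tls_host_bind_port_tcp != '' %}
--p {{ coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
-{% endif %}
-{% if coturn_container_stun_tls_host_bind_port_udp != '' %}
--p {{ coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
-{% endif %}
-{% if coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
--p {{ coturn_container_turn_range_listen_interface }}{{ ':' if coturn_container_turn_range_listen_interface else '' }}{{ coturn_turn_udp_min_port }}-{{ coturn_turn_udp_max_port }}:{{ coturn_turn_udp_min_port }}-{{ coturn_turn_udp_max_port }}/udp \
-{% endif %}
---mount type=bind,src={{ coturn_config_path }},dst=/turnserver.conf,ro \
-{% for volume in coturn_container_additional_volumes %}
---mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
-{% endfor %}
-{% for arg in coturn_container_extra_arguments %}
-{{ arg }} \
-{% endfor %}
-{{ coturn_container_image }} \
--c /turnserver.conf
-
-{% for network in coturn_container_additional_networks %}
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
-{% endfor %}
-
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn
-
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
-
-# This only reloads certificates (not other configuration).
-# See: https://github.com/coturn/coturn/pull/236
-ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-coturn kill -USR2 1
-
-Restart=always
-RestartSec=30
-SyslogIdentifier=matrix-coturn
-
-[Install]
-WantedBy=multi-user.target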
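--- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
+++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
@@ -1,8 +0,0 @@
-SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
-SPDX-FileCopyrightText: 2019 Hugues De Keyzer
-SPDX-FileCopyrightText: 2019 Sylvia van Os
-SPDX-FileCopyrightText: 2020 Chris van Dijk
-SPDX-FileCopyrightText: 2021 Dan Arnfield
-SPDX-FileCopyrightText: 2024 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later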
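--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
@@ -1,78 +0,0 @@
-#jinja2: lstrip_blocks: True
-
-{% if coturn_authentication_method == 'auth-secret' %}
-use-auth-secret
-static-auth-secret={{ coturn_turn_static_auth_secret }}
-userdb=/var/tmp/turnserver.db
-{% endif %}
-
-{% if coturn_authentication_method == 'lt-cred-mech' %}
-lt-cred-mech
-user={{ coturn_lt_cred_mech_username }}:{{ coturn_lt_cred_mech_password }}
-{% endif %}
-
-realm={{ coturn_realm }}
-
-min-port={{ coturn_turn_udp_min_port }}
-max-port={{ coturn_turn_udp_max_port }}
-
-{% for ip in coturn_turn_external_ip_addresses %}
-external-ip={{ ip }}
-{% endfor %}
-
-log-file=stdout
-pidfile=/var/tmp/turnserver.pid
-
-no-cli
-
-{% if coturn_tls_enabled %}
-cert={{ coturn_tls_cert_path }}
-pkey={{ coturn_tls_key_path }}
-{% if not coturn_tls_v1_enabled %}
-no-tlsv1
-{% endif %}
-{% if not coturn_tls_v1_1_enabled %}
-no-tlsv1_1
-{% endif %}
-{% else %}
-no-tls
-no-dtls
-{% endif %}
-
-prod
-
-{% if coturn_no_tcp_relay_enabled %}
-no-tcp-relay
-{% endif %}
-
-{% if coturn_no_rfc5780_enabled %}
-no-rfc5780
-{% endif %}
-
-{% if coturn_no_stun_backward_compatibility_enabled %}
-no-stun-backward-compatibility
-{% endif %}
-
-{% if coturn_response_origin_only_with_rfc5780_enabled %}
-response-origin-only-with-rfc5780
-{% endif %}
-
-{% if coturn_user_quota != None %}
-user-quota={{ coturn_user_quota }}
-{% endif %}
-{% if coturn_total_quota != None %}
-total-quota={{ coturn_total_quota }}
-{% endif %}
-
-{% if coturn_no_multicast_peers_enabled %}
-no-multicast-peers
-{% endif %}
-
-{% for ip_range in coturn_denied_peer_ips %}
-denied-peer-ip={{ ip_range }}
-{% endfor %}
-{% for ip_range in coturn_allowed_peer_ips %}
-allowed-peer-ip={{ ip_range }}
-{% endfor %}
-
-{{ coturn_additional_configuration }}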
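--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
+++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
@@ -1,6 +0,0 @@
-SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
-SPDX-FileCopyrightText: 2019 Hugues De Keyzer
-SPDX-FileCopyrightText: 2019 Stuart Mumford
-SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
-
-SPDX-License-Identifier: AGPL-3.0-or-later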
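--- a/roles/custom/matrix-coturn/vars/main.yml
+++ b/roles/custom/matrix-coturn/vars/main.yml
@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-coturn_turn_uris: |-
-{{
-([
-'turns:' + coturn_hostname + '?transport=udp',
-'turns:' + coturn_hostname + '?transport=tcp',
-] if coturn_tls_enabled else [])
-+
-([
-'turn:' + coturn_hostname + '?transport=udp',
-] if (coturn_container_stun_plain_host_bind_port_udp != '' or coturn_container_network == 'host') else [])
-+
-([
-'turn:' + coturn_hostname + '?transport=tcp',
-] if (coturn_container_stun_plain_host_bind_port_tcp != '' or coturn_container_network == 'host') else [])
-}}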