Disable turns when Let's Encrypt is used

Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145

group_vars/matrix_servers

@@ -1474,7 +1474,7 @@ matrix_postgres_additional_databases: |
       'username': matrix_prometheus_postgres_exporter_database_username,
       'password': matrix_prometheus_postgres_exporter_database_password,
     }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else [])
-   
+
    }}
 
 matrix_postgres_import_roles_to_ignore: |
@@ -1671,16 +1671,23 @@ matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
 
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
+#
+# When Let's Encrypt certificates are used (the default case),
+# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them.
+# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145
 matrix_synapse_turn_uris: |
   {{
+    []
+    +
     [
       'turns:' + matrix_server_fqn_matrix + '?transport=udp',
       'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ] if matrix_coturn_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else []
+    +
+    [
       'turn:' + matrix_server_fqn_matrix + '?transport=udp',
       'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
-    ]
-    if matrix_coturn_enabled
-    else []
+    ] if matrix_coturn_enabled else []
   }}
 
 matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"