
Replace "matrix_coturn" with "coturn"

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
pull/4906/head
Suguru Hirahara 3 weeks ago
parent commit: f4658b61a2
No known key found for this signature in database. GPG Key ID: E4F9743DAB4B7B75
17 changed files with 287 additions and 264 deletions

1. CHANGELOG.md (+21, -11)
2. docs/configuring-playbook-turn.md (+11, -11)
3. docs/faq.md (+1, -1)
4. docs/howto-srv-server-delegation.md (+6, -6)
5. examples/hosts (+1, -1)
6. examples/vars.yml (+3, -3)
7. group_vars/matrix_servers (+49, -49)
8. roles/custom/matrix-coturn/defaults/main.yml (+79, -79)
9. roles/custom/matrix-coturn/tasks/main.yml (+3, -3)
10. roles/custom/matrix-coturn/tasks/setup_install.yml (+33, -33)
11. roles/custom/matrix-coturn/tasks/setup_uninstall.yml (+4, -4)
12. roles/custom/matrix-coturn/tasks/validate_config.yml (+11, -11)
13. roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 (+2, -2)
14. roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 (+17, -17)
15. roles/custom/matrix-coturn/templates/turnserver.conf.j2 (+25, -25)
16. roles/custom/matrix-coturn/vars/main.yml (+8, -8)
17. roles/custom/matrix_playbook_migration/tasks/validate_config.yml (+13, -0)

CHANGELOG.md (+21, -11)

@@ -1,3 +1,13 @@
# 2026-02-XX

## (BC Break) coturn role has been relocated and variable names need adjustments

The role for coturn has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.

Along with the relocation, the `matrix_coturn_` prefix on its variable names has been renamed to `coturn_`, so you need to adjust your `vars.yml` configuration.

As always, the playbook would let you know about this and point out any variables you may have missed.

# 2026-02-09

## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
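Review bot: the heading `# 2026-02-XX` is a placeholder date that must be filled in before merge, and the first paragraph of the entry ("The role for coturn has been relocated to the mother-of-all-self-hosting organization") runs ahead of this commit: every file listed in the diff still lives under `roles/custom/matrix-coturn/`, and only the variable prefix changes. Either word the entry as a variable rename that prepares for the relocation, or merge it together with the commit that actually moves the role, so that readers of the changelog do not go looking for a role that is not there yet.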
@@ -314,7 +324,7 @@ In light of this new information, you have 2 options:
- Consider closing the STUN/UDP port with the following configuration:

```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
coturn_container_stun_plain_host_bind_port_udp: ""
```

- Consider keeping `3478/udp` blocked in your external firewall (if you have one)
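Review bot: this hunk, and the other CHANGELOG hunks below that edit entries from earlier releases, rewrite historical upgrade notes to use `coturn_container_stun_plain_host_bind_port_udp`, a name that did not exist when those entries applied. Someone upgrading through several versions and following the older entries will set variables their playbook version does not know about. Keep the name that was current at the time, or add a short "(renamed to `coturn_...` in 2026-02)" remark next to it instead of replacing it.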
@@ -375,11 +385,11 @@ The playbook now **only exposes the Coturn STUN port (`3478`) over TCP by defaul
If you'd like the Coturn STUN port to be exposed over UDP like before, you can revert to the previous behavior by using the following configuration in your `vars.yml` file:

```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: "3478"
coturn_container_stun_plain_host_bind_port_udp: "3478"
```

> [!WARNING]
> People running Coturn directly on the `host` network (using `matrix_coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).
> People running Coturn directly on the `host` network (using `coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).


# 2025-02-17
@@ -1722,12 +1732,12 @@ Other roles which aren't strictly related to Matrix are likely to follow this fa

## coturn can now use host-networking

Large coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.
Large coturn deployments (with a huge range of ports specified via `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.

Such deployments don't need to run coturn within a private container network anymore. coturn can now run with host-networking by using configuration like this:

```yaml
matrix_coturn_container_network: host
coturn_container_network: host
```

With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time coturn starts and stops. This, however, means that **you will need to ensure these ports are open** in your firewall yourself.
@@ -1736,11 +1746,11 @@ Thanks to us [tightening coturn security](#backward-compatibility-tightening-cot

## (Backward Compatibility) Tightening coturn security can lead to connectivity issues

**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `coturn_denied_peer_ips` and remove some IP ranges from it.

Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better.

If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.

We've also added `no-multicast-peers` to the default coturn configuration, but we don't expect this to cause trouble for most people.

@@ -2526,8 +2536,8 @@ To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.co
If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration:

```yaml
matrix_coturn_tls_v1_enabled: true
matrix_coturn_tls_v1_1_enabled: true
coturn_tls_v1_enabled: true
coturn_tls_v1_1_enabled: true
```


@@ -3806,7 +3816,7 @@ Because people like using the playbook's components independently (outside of th
With the new changes, **all roles are now only dependent on the minimal `matrix-base` role**. They are no longer dependent among themselves.

In addition, the following components can now be completely disabled (for those who want/need to):
- `matrix-coturn` by using `matrix_coturn_enabled: false`
- `matrix-coturn` by using `coturn_enabled: false`
- `matrix-mailer` by using `matrix_mailer_enabled: false`
- `matrix-postgres` by using `matrix_postgres_enabled: false`

@@ -4026,7 +4036,7 @@ The following playbook variables were renamed:
- from `matrix_docker_image_mautrix_telegram` to `matrix_mautrix_telegram_docker_image`
- from `matrix_docker_image_mautrix_whatsapp` to `matrix_mautrix_whatsapp_docker_image`
- from `matrix_docker_image_mailer` to `matrix_mailer_docker_image`
- from `matrix_docker_image_coturn` to `matrix_coturn_docker_image`
- from `matrix_docker_image_coturn` to `coturn_docker_image`
- from `matrix_docker_image_goofys` to `matrix_s3_goofys_docker_image`
- from `matrix_docker_image_riot` to `matrix_riot_web_docker_image`
- from `matrix_docker_image_nginx` to `matrix_nginx_proxy_docker_image`
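Review bot: the rename record in this hunk now reads `from matrix_docker_image_coturn to coturn_docker_image`, which skips the `matrix_coturn_docker_image` name that the rename actually produced at the time, so the chain of renames an operator has to follow from an old `vars.yml` is broken. Keep the original target here and let the new 2026-02 entry document the `matrix_coturn_` to `coturn_` step.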


docs/configuring-playbook-turn.md (+11, -11)

@@ -26,10 +26,10 @@ In the `hosts` file we explicitly ask for your server's external IP address when
If you'd rather use a local IP for `ansible_host`, add the following configuration to your `vars.yml` file. Make sure to replace `YOUR_PUBLIC_IP` with the pubic IP used by the server.

```yaml
matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
```

If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.

>[!NOTE]
> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
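Review bot: the unchanged context line above the first code block still reads "replace `YOUR_PUBLIC_IP` with the pubic IP used by the server"; since this hunk already touches that paragraph, fix the typo to "public IP" here rather than in a separate commit.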
@@ -37,8 +37,8 @@ If you'd like to rely on external IP address auto-detection (not recommended unl
If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:

```yaml
# Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address
matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
# Note: coturn_turn_external_ip_addresses is different than coturn_turn_external_ip_address
coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
```

### Change the authentication mechanism (optional)
@@ -48,7 +48,7 @@ The playbook uses the [`auth-secret` authentication method](https://github.com/c
To do so, add the following configuration to your `vars.yml` file:

```yaml
matrix_coturn_authentication_method: lt-cred-mech
coturn_authentication_method: lt-cred-mech
```

Regardless of the selected authentication method, the playbook generates secrets automatically and passes them to the homeserver and coturn.
@@ -62,7 +62,7 @@ By default, Coturn uses the same hostname as your Matrix homeserver (the value o
If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:

```yaml
matrix_coturn_hostname: turn.example.com
coturn_hostname: turn.example.com
```

The playbook will automatically:
@@ -78,7 +78,7 @@ If you'd like to use another TURN server (be it coturn or some other one), add t

```yaml
# Disable integrated coturn server
matrix_coturn_enabled: false
coturn_enabled: false

# Point Synapse to your other coturn server
matrix_synapse_turn_uris:
@@ -99,15 +99,15 @@ You can put multiple host/port combinations if you'd like to.

### Edit the reloading schedule (optional)

By default the service is reloaded on 6:30 a.m. every day based on the `matrix_coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.
By default the service is reloaded on 6:30 a.m. every day based on the `coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.

To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):

```yaml
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
coturn_reload_schedule: "*-*-* 06:30:00"
```

**Note**: the actual job may run with a delay. See `matrix_coturn_reload_schedule_randomized_delay_sec` for its default value.
**Note**: the actual job may run with a delay. See `coturn_reload_schedule_randomized_delay_sec` for its default value.

### Extending the configuration

@@ -122,7 +122,7 @@ Take a look at:
If, for some reason, you'd like for the playbook to not install coturn (or to uninstall it if it was previously installed), add the following configuration to your `vars.yml` file:

```yaml
matrix_coturn_enabled: false
coturn_enabled: false
```

In that case, Synapse would not point to any coturn servers and audio/video call functionality may fail.


docs/faq.md (+1, -1)

@@ -313,7 +313,7 @@ exim_relay_enabled: false

# You can also disable this to save more RAM,
# at the expense of audio/video calls being unreliable.
matrix_coturn_enabled: false
coturn_enabled: false

# This makes Synapse not keep track of who is online/offline.
#


docs/howto-srv-server-delegation.md (+6, -6)

@@ -104,10 +104,10 @@ This should not happen again afterwards as Traefik will renew certificates well

```yaml
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']

# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
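Review bot: the block in this hunk (`coturn_systemd_required_services_list: ['docker.service']` followed by the `coturn_container_additional_volumes` override) is repeated verbatim in the -165 hunk further down; both copies have to be kept in sync on every rename like this one. Consider writing the override once and referring back to it from the second scenario.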
@@ -121,7 +121,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```
@@ -165,10 +165,10 @@ traefik_environment_variables: |
LEGO_DISABLE_CNAME_SUPPORT=true

# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']

# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
@@ -182,7 +182,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```

examples/hosts (+1, -1)

@@ -1,5 +1,5 @@
# We explicitly ask for your server's external IP address, because the same value is used for configuring coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
# If you'd rather use a local IP here, make sure to set up `coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username ansible_become=true ansible_become_user=root`.


examples/vars.yml (+3, -3)

@@ -61,10 +61,10 @@ postgres_connection_password: ''
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# Default values for this are specified in `coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
# Example: `coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''
# coturn_turn_external_ip_address: ''
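Review bot: the context line `# (see roles/custom/matrix-coturn/defaults/main.yml)` in this hunk is left as is, while the CHANGELOG entry in the same commit says the role has been relocated to the mother-of-all-self-hosting organization; one of the two is wrong. If the role is moving, point readers at the defaults file at its new location, or drop the path and name the `coturn_turn_external_ip_address_auto_detection_*` variables only.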

group_vars/matrix_servers (+49, -49)

@@ -354,13 +354,13 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
+
([{'name': 'matrix-coturn.service', 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
([{'name': 'matrix-coturn.service', 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if coturn_enabled else [])
+
([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
+
([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
+
([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (coturn_enabled and coturn_tls_enabled) else [])
+
([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else [])
+
@@ -3097,27 +3097,27 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso
#
######################################################################

matrix_coturn_enabled: true
coturn_enabled: true

matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}"
coturn_hostname: "{{ matrix_server_fqn_matrix }}"

matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}"
coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else coturn_docker_image_registry_prefix_upstream_default }}"

matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"

# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
# Users are free to set `coturn_turn_external_ip_address` to an empty string
# to allow auto-detection (via an echoip service) to happen at runtime.
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
coturn_turn_external_ip_address: "{{ ansible_host }}"

matrix_coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if coturn_authentication_method == 'auth-secret' else '' }}"

matrix_coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"

matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"

matrix_coturn_tls_cert_path: |-
coturn_tls_cert_path: |-
{{
{
'playbook-managed-traefik': ('/certificate.crt' if traefik_certs_dumper_enabled else ''),
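Review bot: the secret derivations in this hunk keep their labels (`':coturn.sas'`, `':coturn.user'` and `':coturn.pass'` hashed from `matrix_homeserver_generic_secret_key`), so the rename does not rotate the TURN static auth secret or the long-term credentials, and the -354 hunk keeps the `matrix-coturn.service` unit name; the CHANGELOG entry should state both so operators know that nothing beyond `vars.yml` needs attention. One thing to double-check in `roles/custom/matrix_playbook_migration/tasks/validate_config.yml` (the +13 lines in this commit): a leftover `matrix_coturn_turn_static_auth_secret` override must fail the run rather than be silently ignored, because the secret would otherwise quietly revert to the derived value and break any TURN client configured outside the playbook with the old one.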
@@ -3126,7 +3126,7 @@ matrix_coturn_tls_cert_path: |-
}[matrix_playbook_reverse_proxy_type]
}}

matrix_coturn_tls_key_path: |-
coturn_tls_key_path: |-
{{
{
'playbook-managed-traefik': ('/privatekey.key' if traefik_certs_dumper_enabled else ''),
@@ -3135,27 +3135,27 @@ matrix_coturn_tls_key_path: |-
}[matrix_playbook_reverse_proxy_type]
}}

matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/certificate.crt'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/privatekey.key'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled and (matrix_coturn_tls_cert_path and matrix_coturn_tls_key_path)) else []
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled and (coturn_tls_cert_path and coturn_tls_key_path)) else []
)
}}

matrix_coturn_systemd_required_services_list_auto: |
coturn_systemd_required_services_list_auto: |
{{
([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
([traefik_certs_dumper_identifier + '-wait-for-domain@' + coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else [])
}}

######################################################################
@@ -3382,7 +3382,7 @@ jitsi_web_stun_servers: |
'stun:' + matrix_server_fqn_matrix + ':5349',
'stun:' + matrix_server_fqn_matrix + ':3478',
]
if matrix_coturn_enabled
if coturn_enabled
else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
}}

@@ -3391,11 +3391,11 @@ jitsi_web_framing_enabled: true

# Jitsi (Prosody) only seems to support authenticating with coturn using `auth-secret`, not `lt-cred-mech`.
# See: https://prosody.im/doc/coturn
jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turn_credentials: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turn_port: "{{ coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"
jitsi_turns_port: "{{ coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"

# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false.
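Review bot: `jitsi_turn_host` and `jitsi_turns_host` in this hunk still hardcode `'turn.' + matrix_server_fqn_matrix`, while the -3097 hunk defaults `coturn_hostname` to `matrix_server_fqn_matrix` and docs/configuring-playbook-turn.md lets users set a custom `coturn_hostname` such as `turn.example.com`; the two do not agree even in the default case. If the Jitsi side intentionally targets a separate DNS name, a comment saying so would help; otherwise derive both from `coturn_hostname` while these lines are being touched.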
@@ -4376,10 +4376,10 @@ matrix_synapse_email_smtp_port: 8025
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>"

matrix_synapse_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
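Review bot: this four-line block (`*_turn_uris`, `*_turn_shared_secret`, `*_turn_username`, `*_turn_password`, each derived from `coturn_*` under the same `coturn_enabled and coturn_authentication_method == ...` conditions) is repeated verbatim for Dendrite, Conduit, conduwuit and continuwuity in the hunks below, which is why this rename has to touch five places. Consider computing the four values once in shared intermediate variables (for example under a `matrix_homeserver_turn_` prefix; suggested name, not an existing one) and referencing those from each homeserver section, so the next rename is a one-line change.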

@@ -4396,7 +4396,7 @@ matrix_synapse_systemd_required_services_list_auto: |

matrix_synapse_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
(['matrix-coturn.service'] if coturn_enabled else [])
+
([exim_relay_identifier ~ '.service'] if exim_relay_enabled else [])
}}
@@ -5233,10 +5233,10 @@ matrix_dendrite_database_hostname: "{{ postgres_connection_hostname if postgres_

matrix_dendrite_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dendrite.db') | hash('sha512') | to_uuid }}"

matrix_dendrite_client_api_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

matrix_dendrite_disable_tls_validation: "{{ not matrix_playbook_ssl_enabled }}"

@@ -5253,7 +5253,7 @@ matrix_dendrite_systemd_required_services_list_auto: |

matrix_dendrite_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
(['matrix-coturn.service'] if coturn_enabled else [])
}}

matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
@@ -5304,10 +5304,10 @@ matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_fe
matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"

matrix_conduit_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

######################################################################
#
@@ -5354,10 +5354,10 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_
matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"

matrix_conduwuit_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduwuit_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduwuit_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_conduwuit_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduwuit_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"

@@ -5406,10 +5406,10 @@ matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matr
matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"

matrix_continuwuity_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"

@@ -5668,7 +5668,7 @@ traefik_systemd_required_services_list: |

traefik_additional_domains_to_obtain_certificates_for_auto: |
{{
([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else [])
([coturn_hostname] if (coturn_enabled and coturn_tls_enabled and coturn_hostname != matrix_server_fqn_matrix) else [])
}}

########################################################################


+ 79
- 79
roles/custom/matrix-coturn/defaults/main.yml

@@ -16,67 +16,67 @@
---
# Project source code URL: https://github.com/coturn/coturn

matrix_coturn_enabled: true
coturn_enabled: true

matrix_coturn_hostname: ""
coturn_hostname: ""

matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
coturn_container_image_self_build: false
coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
coturn_container_image_self_build_repo_version: "docker/{{ coturn_version }}"
coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

# renovate: datasource=docker depName=coturn/coturn versioning=loose
matrix_coturn_version: 4.8.0
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
matrix_coturn_docker_image_registry_prefix_upstream_default: docker.io/
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
coturn_version: 4.8.0
coturn_docker_image: "{{ coturn_docker_image_registry_prefix }}coturn/coturn:{{ coturn_version }}-alpine"
coturn_docker_image_registry_prefix: "{{ 'localhost/' if coturn_container_image_self_build else coturn_docker_image_registry_prefix_upstream }}"
coturn_docker_image_registry_prefix_upstream: "{{ coturn_docker_image_registry_prefix_upstream_default }}"
coturn_docker_image_registry_prefix_upstream_default: docker.io/
coturn_docker_image_force_pull: "{{ coturn_docker_image.endswith(':latest') }}"

# The Docker network that coturn would be put into.
#
# Because coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# Setting up deny/allow rules with `coturn_allowed_peer_ips`/`coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
#
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
# Setting `coturn_container_network` to 'host' will run the container with host networking,
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# Regardless of the networking mode, we apply a deny list which via `coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
matrix_coturn_container_network: "matrix-coturn"
coturn_container_network: "matrix-coturn"

matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
matrix_coturn_container_additional_networks_auto: []
matrix_coturn_container_additional_networks_custom: []
coturn_container_additional_networks: "{{ coturn_container_additional_networks_auto + coturn_container_additional_networks_custom }}"
coturn_container_additional_networks_auto: []
coturn_container_additional_networks_custom: []

matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
coturn_base_path: "{{ matrix_base_data_path }}/coturn"
coturn_docker_src_files_path: "{{ coturn_base_path }}/docker-src"
coturn_config_path: "{{ coturn_base_path }}/turnserver.conf"

# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"
matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_coturn_systemd_required_services_list_auto: []
matrix_coturn_systemd_required_services_list_custom: []
coturn_systemd_required_services_list: "{{ coturn_systemd_required_services_list_default + coturn_systemd_required_services_list_auto + coturn_systemd_required_services_list_custom }}"
coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
coturn_systemd_required_services_list_auto: []
coturn_systemd_required_services_list_custom: []

# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
matrix_coturn_container_additional_volumes: []
coturn_container_additional_volumes: []

# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []
coturn_container_extra_arguments: []

# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
#
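Review bot: `coturn_base_path: "{{ matrix_base_data_path }}/coturn"` and the `matrix-coturn` default in `coturn_container_network` still tie the renamed role to playbook-specific `matrix_*` names and unit names. If the `coturn_` prefix is preparation for reusing the role outside this playbook, the role defaults should be self-contained (a plain base-path default and a network name derived from the role, with the playbook overriding both from its group_vars), otherwise the rename is cosmetic and the dependency on `matrix_base_data_path` remains. While the comment block above it is being touched, also fix the wording `we apply a deny list which via `coturn_denied_peer_ips`, which hopefully prevents` to `we apply a deny list via `coturn_denied_peer_ips`, which hopefully prevents`.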
@@ -85,36 +85,36 @@ matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_cotu
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
#
# This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,
# This is enabled by default, unlike `coturn_container_stun_plain_host_bind_port_udp`,
# because the risk of DDoS amplification attacks is lower for TLS
# due to the handshake requiring two-way authentication and being generally more expensive.
matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
# The UDP port-range itself is specified using `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`.
coturn_container_turn_range_listen_interface: "{{ '' if coturn_container_network != 'host' else 'none' }}"

# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
coturn_turn_udp_min_port: 49152
coturn_turn_udp_max_port: 49172

# Controls the `realm` configuration option
matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
coturn_realm: "turn.{{ coturn_hostname }}"

# Controls which authentication method to enable.
#
@@ -125,47 +125,47 @@ matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
# For now, we still default to `auth-secret` like we've always done.
#
# Known values: auth-secret, lt-cred-mech
matrix_coturn_authentication_method: auth-secret
coturn_authentication_method: auth-secret

# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
# A shared secret used for authentication when `coturn_authentication_method` is `auth-secret`.
# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
matrix_coturn_turn_static_auth_secret: ""
coturn_turn_static_auth_secret: ""

# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_username: ""
# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_password: ""
# A username used authentication when `coturn_authentication_method` is `lt-cred-mech`.
coturn_lt_cred_mech_username: ""
# A password used authentication when `coturn_authentication_method` is `lt-cred-mech`.
coturn_lt_cred_mech_password: ""

# The external IP address of the machine where coturn is.
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
matrix_coturn_turn_external_ip_address: ""
matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# If do not define an IP address here or in `coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `coturn_turn_external_ip_address_auto_detection_enabled`
coturn_turn_external_ip_address: ""
coturn_turn_external_ip_addresses: "{{ [coturn_turn_external_ip_address] if coturn_turn_external_ip_address != '' else [] }}"

# Controls whether external IP address auto-detection should be attempted.
# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url
matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
# See coturn_turn_external_ip_address_auto_detection_echoip_service_url
coturn_turn_external_ip_address_auto_detection_enabled: "{{ coturn_turn_external_ip_addresses | length == 0 and coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"

# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
# By default, we use the official public instance.
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json

# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)
matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true
# Controls whether SSL certificates will be validated when contacting the EchoIP service (coturn_turn_external_ip_address_auto_detection_echoip_service_url)
coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true

matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"
coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"

matrix_coturn_allowed_peer_ips: []
coturn_allowed_peer_ips: []

# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
# This is especially important when coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
# This is especially important when coturn does not run within a container network (e.g. `coturn_container_network: host`).
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips:
coturn_denied_peer_ips:
- 0.0.0.0-0.255.255.255
- 10.0.0.0-10.255.255.255
- 100.64.0.0-100.127.255.255
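Review bot: two touched comment lines carry pre-existing grammar slips that are cheap to fix in the same change: `A username used authentication when` and `A password used authentication when` should read `used for authentication when`, and `If do not define an IP address here` should read `If you do not define an IP address here`. The rest of the hunk is a consistent mechanical rename.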
@@ -189,49 +189,49 @@ matrix_coturn_denied_peer_ips:
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
coturn_user_quota: null
coturn_total_quota: null

# Controls whether `no-tcp-relay` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
matrix_coturn_no_tcp_relay_enabled: true
coturn_no_tcp_relay_enabled: true

# Controls whether `no-multicast-peers` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
matrix_coturn_no_multicast_peers_enabled: true
coturn_no_multicast_peers_enabled: true

# Controls whether `no-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
matrix_coturn_no_rfc5780_enabled: true
coturn_no_rfc5780_enabled: true

# Controls whether `no-stun-backward-compatibility` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
matrix_coturn_no_stun_backward_compatibility_enabled: true
coturn_no_stun_backward_compatibility_enabled: true

# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
matrix_coturn_response_origin_only_with_rfc5780_enabled: true
coturn_response_origin_only_with_rfc5780_enabled: true

# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ""
coturn_additional_configuration: ""

# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~
# Paths defined in `coturn_tls_cert_path` and `coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `coturn_container_additional_volumes`.
coturn_tls_enabled: false
coturn_tls_cert_path: ~
coturn_tls_key_path: ~

matrix_coturn_tls_v1_enabled: false
matrix_coturn_tls_v1_1_enabled: false
coturn_tls_v1_enabled: false
coturn_tls_v1_1_enabled: false

# systemd calendar configuration for the reload job
# the actual job may run with a delay (see matrix_coturn_reload_schedule_randomized_delay_sec)
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
# the delay with which the systemd timer may run in relation to the `matrix_coturn_reload_schedule` schedule
matrix_coturn_reload_schedule_randomized_delay_sec: 1h
# the actual job may run with a delay (see coturn_reload_schedule_randomized_delay_sec)
coturn_reload_schedule: "*-*-* 06:30:00"
# the delay with which the systemd timer may run in relation to the `coturn_reload_schedule` schedule
coturn_reload_schedule_randomized_delay_sec: 1h

+ 3
- 3
roles/custom/matrix-coturn/tasks/main.yml

@@ -12,15 +12,15 @@
- install-all
- install-coturn
block:
- when: matrix_coturn_enabled | bool
- when: coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"

- when: matrix_coturn_enabled | bool
- when: coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"

- tags:
- setup-all
- setup-coturn
block:
- when: not matrix_coturn_enabled | bool
- when: not coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

+ 33
- 33
roles/custom/matrix-coturn/tasks/setup_install.yml

@@ -14,37 +14,37 @@

---

- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool
- when: coturn_turn_external_ip_address_auto_detection_enabled | bool
block:
- name: Fail if enabled, but EchoIP service URL unset
when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
when: coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
ansible.builtin.fail:
msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url"
msg: "To use the external IP address auto-detection feature, you need to set coturn_turn_external_ip_address_auto_detection_echoip_service_url"

# Note:
# `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used.
# Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4.
- name: Fetch IP address information from EchoIP service
ansible.builtin.uri:
url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
url: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
headers:
Content-Type: application/json
follow_redirects: none
validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response
validate_certs: "{{ coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
register: result_coturn_turn_external_ip_address_auto_detection_echoip_response
ignore_errors: true
check_mode: false
retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed
retries: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
delay: "{{ coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
until: not result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed

- name: Fail if EchoIP service failed
when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)"
when: "(result_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_coturn_turn_external_ip_address_auto_detection_echoip_response)"
ansible.builtin.fail:
msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}"
msg: "Failed contacting EchoIP service API at `{{ coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_coturn_turn_external_ip_address_auto_detection_echoip_response }}"

- ansible.builtin.set_fact:
matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
coturn_turn_external_ip_address: "{{ result_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"

- name: Ensure Matrix coturn path exists
ansible.builtin.file:
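Review bot: the task name `Ensure Matrix coturn path exists` at the end of this hunk keeps the `Matrix` wording that the variable rename is moving away from (the uninstall task `Ensure Matrix coturn paths don't exist` has the same wording); consider `Ensure coturn path exists` for consistency with the other task names in this file, which already say `coturn` without the prefix.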
@@ -54,47 +54,47 @@
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
- {path: "{{ coturn_docker_src_files_path }}", when: "{{ coturn_container_image_self_build }}"}
when: "item.when | bool"

- name: Ensure coturn image is pulled
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
name: "{{ coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: "not matrix_coturn_container_image_self_build | bool"
force_source: "{{ coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else coturn_docker_image_force_pull }}"
when: "not coturn_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed

- when: "matrix_coturn_container_image_self_build | bool"
- when: "coturn_container_image_self_build | bool"
block:
- name: Ensure coturn repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
repo: "{{ coturn_container_image_self_build_repo }}"
dest: "{{ coturn_docker_src_files_path }}"
version: "{{ coturn_container_image_self_build_repo_version }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_coturn_git_pull_results
register: coturn_git_pull_results

- name: Ensure coturn Docker image is built
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
name: "{{ coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}"
force_source: "{{ coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else coturn_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_coturn_docker_src_files_path }}"
dockerfile: "{{ coturn_container_image_self_build_repo_dockerfile_path }}"
path: "{{ coturn_docker_src_files_path }}"
pull: true

- name: Ensure coturn configuration path exists
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
path: "{{ coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
@@ -103,16 +103,16 @@
- name: Ensure turnserver.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
dest: "{{ coturn_config_path }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"

- name: Ensure coturn network is created in Docker
when: matrix_coturn_container_network not in ['', 'host']
when: coturn_container_network not in ['', 'host']
community.docker.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_coturn_container_network }}"
name: "{{ coturn_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"

@@ -130,7 +130,7 @@
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
mode: 0644
when: "matrix_coturn_tls_enabled | bool"
when: "coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
@@ -140,7 +140,7 @@
ansible.builtin.file:
path: "{{ item }}"
state: absent
when: "not matrix_coturn_tls_enabled | bool"
when: "not coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer

+ 4
- 4
roles/custom/matrix-coturn/tasks/setup_uninstall.yml

@@ -8,10 +8,10 @@
- name: Check existence of matrix-coturn service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled | bool"
register: coturn_service_stat
when: "not coturn_enabled | bool"

- when: matrix_coturn_service_stat.stat.exists | bool
- when: coturn_service_stat.stat.exists | bool
block:
- name: Ensure matrix-coturn is stopped
ansible.builtin.service:
@@ -39,5 +39,5 @@

- name: Ensure Matrix coturn paths don't exist
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
path: "{{ coturn_base_path }}"
state: absent

+ 11
- 11
roles/custom/matrix-coturn/tasks/validate_config.yml

@@ -12,16 +12,16 @@
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
- {'old': 'matrix_coturn_container_stun_plain_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_plain_host_bind_port_tcp and matrix_coturn_container_stun_plain_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_stun_tls_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_tls_host_bind_port_tcp and matrix_coturn_container_stun_tls_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_image_name_prefix', 'new': 'matrix_coturn_docker_image_registry_prefix'}
- {'old': 'coturn_docker_network', 'new': 'coturn_container_network'}
- {'old': 'coturn_container_stun_plain_host_bind_port', 'new': 'superseded by coturn_container_stun_plain_host_bind_port_tcp and coturn_container_stun_plain_host_bind_port_udp'}
- {'old': 'coturn_container_stun_tls_host_bind_port', 'new': 'superseded by coturn_container_stun_tls_host_bind_port_tcp and coturn_container_stun_tls_host_bind_port_udp'}
- {'old': 'coturn_container_image_name_prefix', 'new': 'coturn_docker_image_registry_prefix'}

- name: Fail if matrix_coturn_authentication_method is invalid
- name: Fail if coturn_authentication_method is invalid
ansible.builtin.fail:
msg: >-
Invalid authentication method specified in `matrix_coturn_authentication_method`
when: "matrix_coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
Invalid authentication method specified in `coturn_authentication_method`
when: "coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"

- name: Fail if required coturn settings not defined
ansible.builtin.fail:
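Review bot: the `old` side of this rename table now lists names that never existed under the `coturn_` prefix (`coturn_docker_network`, `coturn_container_stun_plain_host_bind_port`, `coturn_container_stun_tls_host_bind_port`, `coturn_container_image_name_prefix`), so none of the four `lookup('ansible.builtin.varnames', ...)` checks can ever fire, while the legacy `matrix_coturn_docker_network` etc. that a user may still carry in vars.yml are no longer matched here. Either keep `matrix_coturn_` on the `old` side, e.g. `- {'old': 'matrix_coturn_docker_network', 'new': 'coturn_container_network'}`, or drop the four entries and rely on the blanket `^matrix_coturn_.+` catch that this same commit adds to matrix_playbook_migration; as written they are dead code. The `coturn_authentication_method` check below is fine as a pure rename.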
@@ -29,7 +29,7 @@
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_coturn_hostname', when: true}
- {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'coturn_hostname', when: true}
- {'name': 'coturn_turn_static_auth_secret', when: "{{ coturn_authentication_method == 'auth-secret' }}"}
- {'name': 'coturn_lt_cred_mech_username', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'coturn_lt_cred_mech_password', when: "{{ coturn_authentication_method == 'lt-cred-mech' }}"}

+ 2
- 2
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2

@@ -11,8 +11,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can

[Timer]
Unit=matrix-coturn-reload.service
OnCalendar={{ matrix_coturn_reload_schedule }}
RandomizedDelaySec={{ matrix_coturn_reload_schedule_randomized_delay_sec }}
OnCalendar={{ coturn_reload_schedule }}
RandomizedDelaySec={{ coturn_reload_schedule_randomized_delay_sec }}

[Install]
WantedBy=timers.target

+ 17
- 17
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2

@@ -1,7 +1,7 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix coturn server
{% for service in matrix_coturn_systemd_required_services_list %}
{% for service in coturn_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
@@ -23,33 +23,33 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--entrypoint=turnserver \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_container_network }} \
{% if matrix_coturn_container_stun_plain_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
--network={{ coturn_container_network }} \
{% if coturn_container_stun_plain_host_bind_port_tcp != '' %}
-p {{ coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
{% endif %}
{% if matrix_coturn_container_stun_plain_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
{% if coturn_container_stun_plain_host_bind_port_udp != '' %}
-p {{ coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
{% if coturn_container_stun_tls_host_bind_port_tcp != '' %}
-p {{ coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
{% if coturn_container_stun_tls_host_bind_port_udp != '' %}
-p {{ coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
{% endif %}
{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
{% if coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ coturn_container_turn_range_listen_interface }}{{ ':' if coturn_container_turn_range_listen_interface else '' }}{{ coturn_turn_udp_min_port }}-{{ coturn_turn_udp_max_port }}:{{ coturn_turn_udp_min_port }}-{{ coturn_turn_udp_max_port }}/udp \
{% endif %}
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
{% for volume in matrix_coturn_container_additional_volumes %}
--mount type=bind,src={{ coturn_config_path }},dst=/turnserver.conf,ro \
{% for volume in coturn_container_additional_volumes %}
--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
{% endfor %}
{% for arg in matrix_coturn_container_extra_arguments %}
{% for arg in coturn_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_coturn_docker_image }} \
{{ coturn_docker_image }} \
-c /turnserver.conf

{% for network in matrix_coturn_container_additional_networks %}
{% for network in coturn_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
{% endfor %}
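Review bot: the rename stops short of the container name: `docker network connect {{ network }} matrix-coturn` still hardcodes `matrix-coturn` while every other value on the `create` command line moved to `coturn_*` variables. That is harmless only as long as the `--name` on the `create` line (outside this hunk) also stays `matrix-coturn`; if the relocated role exposes a container-name variable, use it on both lines so the `network connect` step cannot silently target a non-existent container after the next rename.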



+ 25
- 25
roles/custom/matrix-coturn/templates/turnserver.conf.j2

@@ -1,22 +1,22 @@
#jinja2: lstrip_blocks: True

{% if matrix_coturn_authentication_method == 'auth-secret' %}
{% if coturn_authentication_method == 'auth-secret' %}
use-auth-secret
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
static-auth-secret={{ coturn_turn_static_auth_secret }}
userdb=/var/tmp/turnserver.db
{% endif %}

{% if matrix_coturn_authentication_method == 'lt-cred-mech' %}
{% if coturn_authentication_method == 'lt-cred-mech' %}
lt-cred-mech
user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
user={{ coturn_lt_cred_mech_username }}:{{ coturn_lt_cred_mech_password }}
{% endif %}

realm={{ matrix_coturn_realm }}
realm={{ coturn_realm }}

min-port={{ matrix_coturn_turn_udp_min_port }}
max-port={{ matrix_coturn_turn_udp_max_port }}
min-port={{ coturn_turn_udp_min_port }}
max-port={{ coturn_turn_udp_max_port }}

{% for ip in matrix_coturn_turn_external_ip_addresses %}
{% for ip in coturn_turn_external_ip_addresses %}
external-ip={{ ip }}
{% endfor %}
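Review bot: no functional change here, but both credential forms are still rendered in plaintext into the config file (`static-auth-secret={{ coturn_turn_static_auth_secret }}` and `user={{ coturn_lt_cred_mech_username }}:{{ coturn_lt_cred_mech_password }}`). The container only sees that file read-only via the bind mount in the systemd template, so the host-side file mode set by the task that renders `coturn_config_path` is the only thing protecting the TURN secret; a rename touching every task file is the moment to confirm that mode was carried over unchanged.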

@@ -25,13 +25,13 @@ pidfile=/var/tmp/turnserver.pid

no-cli

{% if matrix_coturn_tls_enabled %}
cert={{ matrix_coturn_tls_cert_path }}
pkey={{ matrix_coturn_tls_key_path }}
{% if not matrix_coturn_tls_v1_enabled %}
{% if coturn_tls_enabled %}
cert={{ coturn_tls_cert_path }}
pkey={{ coturn_tls_key_path }}
{% if not coturn_tls_v1_enabled %}
no-tlsv1
{% endif %}
{% if not matrix_coturn_tls_v1_1_enabled %}
{% if not coturn_tls_v1_1_enabled %}
no-tlsv1_1
{% endif %}
{% else %}
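Review bot: `no-tlsv1` and `no-tlsv1_1` are only emitted when `coturn_tls_v1_enabled` / `coturn_tls_v1_1_enabled` are false, so the security posture of port 5349 depends entirely on the defaults for those two renamed flags. Please double-check in `defaults/main.yml` (changed in this commit, not shown here) that both still default to the legacy versions being disabled; a default that slipped during the mass rename would silently re-enable TLS 1.0/1.1 on every deployment without any diff in this template.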
@@ -41,38 +41,38 @@ no-dtls

prod

{% if matrix_coturn_no_tcp_relay_enabled %}
{% if coturn_no_tcp_relay_enabled %}
no-tcp-relay
{% endif %}

{% if matrix_coturn_no_rfc5780_enabled %}
{% if coturn_no_rfc5780_enabled %}
no-rfc5780
{% endif %}

{% if matrix_coturn_no_stun_backward_compatibility_enabled %}
{% if coturn_no_stun_backward_compatibility_enabled %}
no-stun-backward-compatibility
{% endif %}

{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %}
{% if coturn_response_origin_only_with_rfc5780_enabled %}
response-origin-only-with-rfc5780
{% endif %}

{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
{% if coturn_user_quota != None %}
user-quota={{ coturn_user_quota }}
{% endif %}
{% if matrix_coturn_total_quota != None %}
total-quota={{ matrix_coturn_total_quota }}
{% if coturn_total_quota != None %}
total-quota={{ coturn_total_quota }}
{% endif %}

{% if matrix_coturn_no_multicast_peers_enabled %}
{% if coturn_no_multicast_peers_enabled %}
no-multicast-peers
{% endif %}

{% for ip_range in matrix_coturn_denied_peer_ips %}
{% for ip_range in coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}
{% for ip_range in matrix_coturn_allowed_peer_ips %}
{% for ip_range in coturn_allowed_peer_ips %}
allowed-peer-ip={{ ip_range }}
{% endfor %}

{{ matrix_coturn_additional_configuration }}
{{ coturn_additional_configuration }}

+ 8
- 8
roles/custom/matrix-coturn/vars/main.yml

@@ -4,18 +4,18 @@

---

matrix_coturn_turn_uris: |-
coturn_turn_uris: |-
{{
([
'turns:' + matrix_coturn_hostname + '?transport=udp',
'turns:' + matrix_coturn_hostname + '?transport=tcp',
] if matrix_coturn_tls_enabled else [])
'turns:' + coturn_hostname + '?transport=udp',
'turns:' + coturn_hostname + '?transport=tcp',
] if coturn_tls_enabled else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=udp',
] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host') else [])
'turn:' + coturn_hostname + '?transport=udp',
] if (coturn_container_stun_plain_host_bind_port_udp != '' or coturn_container_network == 'host') else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=tcp',
] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host') else [])
'turn:' + coturn_hostname + '?transport=tcp',
] if (coturn_container_stun_plain_host_bind_port_tcp != '' or coturn_container_network == 'host') else [])
}}
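Review bot: the gating is asymmetric between the two URI families and the rename is a good moment to fix it. The `turn:` entries are only advertised when the matching plain port is actually published (`coturn_container_stun_plain_host_bind_port_udp != ''` / `..._tcp != ''`) or the container runs on `host` networking, but the `turns:` entries are advertised on `coturn_tls_enabled` alone, with no check on `coturn_container_stun_tls_host_bind_port_udp` / `..._tcp`. A deployment with TLS enabled but the 5349 ports unpublished will hand clients `turns:` URIs that cannot be reached; mirror the plain-port condition, e.g. `if (coturn_tls_enabled and (coturn_container_stun_tls_host_bind_port_tcp != '' or coturn_container_network == 'host'))`, per transport.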

+ 13
- 0
roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -595,6 +595,19 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | length > 0"

- name: (Deprecation) Catch and report matrix-coturn variables
ansible.builtin.fail:
msg: |-
The matrix-coturn role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-coturn).
The new role is pretty much the same, but uses differently named variables.

Please rename all `matrix_coturn_`-prefixed variables (`matrix_coturn_*` -> `coturn_*`) on your configuration file (vars.yml).

After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.

The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | length > 0"

- name: (Deprecation) Catch and report matrix-dynamic-dns variables
ansible.builtin.fail:
msg: |-
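Review bot: the message tells users the role "now lives under the MASH organization" and to fetch it, but this same commit still edits `roles/custom/matrix-coturn/...` in place (see the file headers above), so at this commit the text and the tree disagree. Either land this task together with the actual role swap (the `requirements.yml` entry and removal of `roles/custom/matrix-coturn`), or word it for the in-tree variable rename until that happens. Two further points: `lookup('ansible.builtin.varnames', '^matrix_coturn_.+')` matches variables defined anywhere, not only in vars.yml, so any leftover `matrix_coturn_*` definition in group_vars or role defaults would trip this for every user; grep the tree before merge. And because this catch-all covers every legacy name, the four per-variable `matrix_coturn_*` rename entries in the role's own `validate_config.yml` are now redundant and can be removed.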

