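#SPDX-License-Identifier: MIT-0
---
# defaults file for coturn
#
# Everything here is a role default. Environment-specific values (public IP,
# realm, image digests, secrets) are expected to be overridden in host_vars.

# Base directories (inherited from base role)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# Service-specific paths
coturn_service_name: coturn
coturn_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ coturn_service_name }}"
coturn_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ coturn_service_name }}"

# Container images (pin per host_vars in production)
# Tags are mutable. For a reproducible, tamper-evident deployment pin by digest
# in host_vars (e.g. "coturn/coturn@sha256:<digest>") rather than by tag.
coturn_image: "coturn/coturn:4.6.2-r5-alpine"
coturn_acme_image: "neilpang/acme.sh:3.1.0"

# Public DNS name used for the realm and the public certificate
coturn_realm: "stun.example.test"
# Optional second DNS name issued on the same certificate (for split-horizon "internal" name)
coturn_internal_realm: ""  # e.g. "stun.int.example.test"

# Ports
# Defaults follow IANA standards (3478/TURN, 5349/TURNS) so coturn can
# co-exist with a Traefik instance on the same host. Override to 443/443
# in restrictive-network environments where punching through firewalls matters.
coturn_listening_port: 3478  # TURN / STUN (TCP+UDP)
coturn_tls_listening_port: 5349  # TURNS (TCP+UDP)
# Relay port range: every active relay allocation consumes one port, so the
# size of this range bounds concurrent sessions. Open exactly this range
# (UDP) on the host firewall and nothing more.
coturn_min_relay_port: 49160
coturn_max_relay_port: 49200

# IP advertisement: must be set in host_vars for production
# Format follows coturn's --external-ip: "PUBLIC_IP" or "PUBLIC_IP/PRIVATE_IP"
coturn_external_ip: ""  # e.g. "203.0.113.10/172.18.0.2"
# Bind address inside the container; 0.0.0.0 is the usual choice there.
coturn_listening_ip: "0.0.0.0"

# Shared secret used by HPB to mint short-lived TURN credentials.
# Loaded by default from a plain file in playbooks/secrets/{host}/coturn_static_auth_secret
# (the lookup runs on the controller when the variable is first referenced;
# a missing file fails the play at that point).
# Override per host_vars if you want to use a vault or different lookup.
# NOTE(review): any task that renders this value (compose template, env file)
# should set `no_log: true`, otherwise the secret lands in play output and logs.
coturn_static_auth_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/coturn_static_auth_secret') }}"

# Additional CLI flags (list of strings, appended verbatim to command:)
# One flag per list entry. Entries are neither quoted nor escaped, so treat
# this as trusted operator input from host_vars only, never as something
# derived from external data.
coturn_extra_args: []

# --- TLS certificate ---
# 'acme'       : run an acme.sh sidecar that issues + renews via RFC2136 / nsupdate, restarts coturn
# 'file'       : assume a certificate already lives at {{ coturn_cert_dir }}/{{ coturn_cert_file }} on the host (you manage it)
# 'selfsigned' : generate a selfsigned cert on first run (for vagrant/dev only;
#                clients cannot verify it, so TURNS gives no server authentication)
coturn_cert_mode: "file"
coturn_cert_dir: "{{ docker_volume_base_dir }}/acme/certs"
coturn_cert_file: "fullchain.cer"
# Private key; keep it readable only by the account the coturn process runs as.
coturn_key_file: "{{ coturn_realm }}.key"

# --- acme.sh sidecar (only used when coturn_cert_mode == 'acme') ---
coturn_acme_email: "admin@example.test"
coturn_acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
# Stage URL for testing: "https://acme-staging-v02.api.letsencrypt.org/directory"
coturn_acme_keylength: "ec-256"
# Seconds acme.sh waits for the DNS TXT record to propagate before validation.
coturn_acme_dnssleep: 60
# Persistent acme.sh state (account key, issued certs); treat as sensitive.
coturn_acme_data_dir: "{{ docker_volume_base_dir }}/acme/acme"

# DNS-01 RFC2136 / nsupdate configuration
coturn_acme_nsupdate_server: ""  # e.g. "ns1.example.test"
coturn_acme_nsupdate_server_ip: ""  # optional extra_hosts pin (string IP) for the server
coturn_acme_nsupdate_zone: ""  # e.g. "example._acme.example.test"

# Per-name challenge alias zones (one entry per SAN)
# When empty (default), built automatically as "{{ realm }}._acme.{{ zone-tail }}"
# Using a dedicated _acme alias zone means the TSIG key only needs update rights
# there, not on the production zone.
coturn_acme_challenge_aliases: []
# Example:
#   - name: stun.example.test
#     alias: stun.example._acme.example.test
#   - name: stun.int.example.test
#     alias: stun.int.example._acme.example.test

# Controller-side path of the TSIG key file used for the RFC2136 updates
# (the "_src" suffix follows the Ansible copy/template convention). It lives
# next to the other per-host secrets and is presumably copied/mounted into the
# acme.sh sidecar by the role's tasks -- confirm the in-container path there.
# Scope this key to the _acme alias zone(s) only; it should not be able to
# rewrite records in the production zone.
coturn_acme_nsupdate_key_src: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}/nsupdate.key"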