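# Docker Compose template (Jinja2) for a coturn TURN/STUN relay, plus an
# optional acme.sh sidecar rendered only when coturn_cert_mode is 'acme'.
#
# Review notes:
# - The rendered file holds the TURN static auth secret in plaintext, and the
#   value is also visible in the container's command line (docker inspect,
#   process listing). Keep the rendered file readable by its owner only.
# - Compose interpolates '$' in every value, so a literal '$' inside a
#   rendered variable has to be written as '$$', as the acme entrypoint does.
# - Templated scalars are single-quoted so that YAML neither retypes them nor
#   cuts them at ' #' or ': ', and does no backslash-escape processing.
services:
  coturn:
    image: '{{ coturn_image }}'
    container_name: '{{ coturn_service_name }}'
    restart: always
    # Host networking: the listening ports and the whole relay port range are
    # bound directly on the host, so exposure is governed by the host firewall
    # rather than by published ports.
    network_mode: host
    volumes:
      # Certificate and key are mounted read-only into the relay.
      - '{{ coturn_cert_dir }}:/certs:ro'
    command:
      - --use-auth-secret
      - '--static-auth-secret={{ coturn_static_auth_secret }}'
      - '--realm={{ coturn_realm }}'
      - --fingerprint
      - --no-multicast-peers
      - --no-cli
      - '--listening-ip={{ coturn_listening_ip }}'
      - '--listening-port={{ coturn_listening_port }}'
      - '--tls-listening-port={{ coturn_tls_listening_port }}'
      - '--min-port={{ coturn_min_relay_port }}'
      - '--max-port={{ coturn_max_relay_port }}'
      - '--cert=/certs/{{ coturn_cert_file }}'
      - '--pkey=/certs/{{ coturn_key_file }}'
      - '--external-ip={{ coturn_external_ip }}'
      # NOTE(review): no peer restriction beyond --no-multicast-peers is set
      # here. Unless coturn_extra_args already does so, consider adding
      # --denied-peer-ip ranges for loopback, private and link-local networks
      # so the relay cannot be used to reach internal-only services.
{% for arg in coturn_extra_args %}
      - '{{ arg }}'
{% endfor %}
{% if coturn_cert_mode == 'acme' %}
  acme:
    image: '{{ coturn_acme_image }}'
    container_name: 'acme-{{ coturn_service_name }}'
    restart: always
    environment:
      NSUPDATE_SERVER: "{{ coturn_acme_nsupdate_server }}"
      NSUPDATE_KEY: "/acme.sh/nsupdate.key"
      ACME_DIRECTORY: "{{ coturn_acme_directory }}"
      NSUPDATE_ZONE: "{{ coturn_acme_nsupdate_zone }}"
{% if coturn_acme_nsupdate_server_ip | length > 0 %}
    extra_hosts:
      - "{{ coturn_acme_nsupdate_server }}:{{ coturn_acme_nsupdate_server_ip }}"
{% endif %}
    volumes:
      # Writable here; the coturn service mounts the same directory read-only.
      - '{{ coturn_cert_dir }}:/certs'
      # The Docker socket gives this container full control of the Docker
      # daemon, which is equivalent to root on the host. It is used only for
      # the restart call in --reloadcmd below; a socket proxy limited to that
      # endpoint would reduce the exposure. Pin coturn_acme_image to a
      # trusted tag or digest for the same reason.
      - /var/run/docker.sock:/var/run/docker.sock
      - '{{ coturn_docker_compose_dir }}/nsupdate.key:/acme.sh/nsupdate.key:ro'
      - '{{ coturn_acme_data_dir }}:/acme.sh'
    # Every '$$' in the script is Compose's escape for a literal dollar sign.
    # Comments inside the script are part of the value Compose interpolates,
    # so they deliberately contain no dollar signs.
    entrypoint:
      - /bin/sh
      - -c
      - |
        set -eu
        acme.sh --set-default-ca --server "$$ACME_DIRECTORY"
        # Best-effort: a registration failure is ignored and the issue step
        # below decides whether the container continues.
        acme.sh --register-account -m {{ coturn_acme_email }} || true
        # errexit is switched off so the exit status of --issue can be inspected.
        set +e
        acme.sh --issue \
{% for san in _coturn_challenge_aliases %}
          -d {{ san.name }} \
          --challenge-alias {{ san.alias }} \
{% endfor %}
          --dns dns_nsupdate \
          --keylength {{ coturn_acme_keylength }} \
          --dnssleep {{ coturn_acme_dnssleep }}
        rc=$$?
        set -e
        # Status 2 is treated as "not due"; any other non-zero status stops
        # the container with that status.
        if [ "$$rc" -eq 0 ]; then
          echo "Issue: success"
        elif [ "$$rc" -eq 2 ]; then
          echo "Issue: not due, continuing"
        else
          echo "Issue: failed with rc=$$rc"
          exit "$$rc"
        fi
        # NOTE(review): --ecc assumes coturn_acme_keylength selects an EC key
        # and that coturn_realm is the certificate's primary name; confirm.
        # Because of the trailing "|| true", a failed install or a failed
        # coturn restart is not reported and coturn keeps serving the
        # previous certificate.
        acme.sh --install-cert -d {{ coturn_realm }} --ecc \
          --fullchain-file /certs/{{ coturn_cert_file }} \
          --key-file /certs/{{ coturn_key_file }} \
          --reloadcmd 'curl --fail --silent --show-error --unix-socket /var/run/docker.sock -X POST http://localhost/v1.41/containers/{{ coturn_service_name }}/restart' || true
        exec crond -f
{% endif %}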