feat(talk/turn/signaling/hpb): add role for Talk with backend services

2026-05-22 01:07:39 +02:00 · 2026-05-22 01:07:39 +02:00 · 6ebd5dc9ab
commit 6ebd5dc9ab
parent 1ddd5d9eb9
8 changed files with 204 additions and 6 deletions
--- a/inventories/demo-gymburgdorf/host_vars/turn/coturn.yml
+++ b/inventories/demo-gymburgdorf/host_vars/turn/coturn.yml
@ -0,0 +1,29 @@
+# coturn host_vars (collocated layout: same host runs HPB)
+# Place secrets at:
+#   playbooks/secrets/turn/coturn_static_auth_secret   (mode 0600)
+#   playbooks/secrets/turn/nsupdate.key                 (mode 0600)
+
+coturn_realm: "stun.digitalboard.ch"
+coturn_internal_realm: "stun.int.digitalboard.ch"
+
+# Ports use IANA defaults (3478/5349) so the local backend Traefik can
+# keep using 443 for the signaling routes on the same host.
+# Override to 443/443 if this host is dedicated to TURN and you need
+# to punch through restrictive firewalls.
+# coturn_listening_port: 443
+# coturn_tls_listening_port: 443
+
+# Public IP that media is reached on. Format: PUBLIC[/PRIVATE]
+coturn_external_ip: "193.43.183.74/172.18.0.2"  # adjust per environment
+
+# Let's Encrypt via RFC2136 / nsupdate (acme.sh sidecar)
+coturn_cert_mode: "acme"
+coturn_acme_email: "admin@digitalboard.ch"
+coturn_acme_nsupdate_server: "ns1.digitalboard.ch"
+coturn_acme_nsupdate_server_ip: "172.16.9.169"
+coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch"
+coturn_acme_challenge_aliases:
+  - name: stun.digitalboard.ch
+    alias: stun.digitalboard._acme.digitalboard.ch
+  - name: stun.int.digitalboard.ch
+    alias: stun.int.digitalboard._acme.digitalboard.ch