# coturn host_vars (collocated layout: same host runs HPB)
# Place secrets at:
#   playbooks/secrets/turn/coturn_static_auth_secret   (mode 0600)
#   playbooks/secrets/turn/nsupdate.key                 (mode 0600)

coturn_realm: "stun.digitalboard.ch"
coturn_internal_realm: "stun.int.digitalboard.ch"

# Ports use IANA defaults (3478/5349) so the local backend Traefik can
# keep using 443 for the signaling routes on the same host.
# Override to 443/443 if this host is dedicated to TURN and you need
# to punch through restrictive firewalls.
# coturn_listening_port: 443
# coturn_tls_listening_port: 443

# Public IP that media is reached on. Format: PUBLIC[/PRIVATE]
coturn_external_ip: "193.43.183.74/172.18.0.2"  # adjust per environment

# Let's Encrypt via RFC2136 / nsupdate (acme.sh sidecar)
coturn_cert_mode: "acme"
coturn_acme_email: "admin@digitalboard.ch"
coturn_acme_nsupdate_server: "ns1.digitalboard.ch"
coturn_acme_nsupdate_server_ip: "172.16.9.169"
coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch"
coturn_acme_challenge_aliases:
  - name: stun.digitalboard.ch
    alias: stun.digitalboard._acme.digitalboard.ch
  - name: stun.int.digitalboard.ch
    alias: stun.int.digitalboard._acme.digitalboard.ch