bbb: WIP—stabilize env/compose wiring & prep SFU override

Context: debugging mediasoup/WebRTC failures caused by empty/interpolated vars (EXTERNAL_IPv4, etc.).
- Normalize config/main.yml (ip6_enabled flag, enable greenlight/coturn) and tidy formatting.
- Extend vars/main.yml with BBB_* switches (IPv6, Greenlight, Coturn), TURN/Coturn cert paths.
- env.j2: wire secrets & toggles, guard IPv6 via BBB_IP6_ENABLED, switch LDAP/OIDC to role flags, add TURN/STUN, and general cleanup.
- tasks/main.yml: use BBB_* fact names, robust path joins, write docker-compose.override.yml, and notify compose on env/override changes.
- tasks/01_docker-compose.yml: reference new BBB_DOCKER_COMPOSE_* facts.
- Add templates/docker-compose.override.yml.j2 (placeholder for SFU overrides to avoid bad defaults during runs).
Rationale: make Compose brings deterministic (no empty ), paving the way to set MS_WEBRTC_LISTEN_IPS in override without risk.

Chat reference: debugging thread with GPT-5 Thinking on 2025-09-26 https://chatgpt.com/share/68d59d98-4388-800f-a627-07b6a603d0b2.

roles/web-app-bigbluebutton/Setup.md

@@ -1,6 +0,0 @@
-# Setup
-
-## Passwords
-```bash
-docker run --rm ruby:latest ruby -rsecurerandom -e 'puts SecureRandom.hex(64)'
-```

roles/web-app-bigbluebutton/TODO.md

@@ -1,3 +1,3 @@
 # Todo
 - Propper implement and test the LDAP integration, the configuration values just had been set during refactoring
-- Move this whole overcomplicated handlers to the copying of a docker-compose.yml file. This is just legacy stuff
+- Implement that BBB can be opened in web-app-desktop app

roles/web-app-bigbluebutton/config/main.yml

@@ -1,15 +1,14 @@
-enable_greenlight:    "true"
+api_suffix:             "/bigbluebutton/"
-api_suffix:           "/bigbluebutton/"
 features:
-  matomo:             true
+  matomo:               true
-  css:                true
+  css:                  true
-  desktop:            false # Videos can't open in frame due to iframe restrictions
+  desktop:              false # Videos can't open in frame due to iframe restrictions
-                            # @todo fix this
+  ldap:                 false
-  ldap:               false
+  oidc:                 true
-  oidc:               true
+  central_database:     false # Propably required for backup routines
-  central_database:   false # Propably required for backup routines
+  logout:               true
-  logout:             true
 server:
+  ip6_enabled:          false
   csp:
     flags:
       script-src-elem:
@@ -29,4 +28,8 @@ docker:
       version:    "main"  
     database:
       # This is set to true to pass integration test, doesn't have any other function
-      enabled: true
+      enabled:    true
+    greenlight:
+      enabled:    true
+    coturn:
+      enabled:    true

roles/web-app-bigbluebutton/tasks/01_docker-compose.yml

@@ -8,12 +8,12 @@
 
 - name: Slurp docker-compose.yml from remote host
   slurp:
-    src: "{{ docker_compose_file_origine }}"
+    src: "{{ BBB_DOCKER_COMPOSE_FILE_ORIGINE }}"
   register: compose_slurp
 
 - name: Transform docker-compose.yml with compose_mods
   copy:
     content: "{{ compose_slurp.content | b64decode | compose_mods(docker_repository_path, docker_compose.files.env) }}"
-    dest: "{{ docker_compose_file_final }}"
+    dest: "{{ BBB_DOCKER_COMPOSE_FILE_FINAL }}"
   notify:
     - docker compose up

roles/web-app-bigbluebutton/tasks/main.yml

@@ -15,7 +15,7 @@
   vars:
     docker_compose_flush_handlers: false
 - name: "include 04_seed-database-to-backup.yml"
-  include_tasks: "{{ playbook_dir }}/roles/sys-ctl-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml"
+  include_tasks: "{{ [ playbook_dir, 'roles/sys-ctl-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml' ] | path_join }}"
 
 - name: "Unset 'proxy_extra_configuration'"
   set_fact:
@@ -24,33 +24,42 @@
 - name: configure websocket_upgrade.conf
   copy: 
     src:  "websocket_upgrade.conf"
-    dest: "{{NGINX.DIRECTORIES.HTTP.MAPS}}websocket_upgrade.conf"
+    dest: "{{ [ NGINX.DIRECTORIES.HTTP.MAPS, 'websocket_upgrade.conf' ] | path_join }}"
   notify: restart openresty
 
 - name: "Set BBB Facts"
   set_fact:
-    bbb_env_file_link:            "{{ docker_repository_path }}.env"
+    BBB_ENV_FILE_LINK:                "{{ [ docker_repository_path, '.env' ] | path_join }}"
-    bbb_env_file_origine:         "{{ docker_compose.files.env }}"
+    BBB_ENV_FILE_ORIGINE:             "{{ docker_compose.files.env }}"
-    docker_compose_file_origine:  "{{ docker_repository_path }}docker-compose.yml"
+    BBB_DOCKER_COMPOSE_FILE_ORIGINE:  "{{ [ docker_repository_path, 'docker-compose.yml' ] | path_join }}"
-    docker_compose_file_final:    "{{ docker_compose.directories.instance }}docker-compose.yml"
+    BBB_DOCKER_COMPOSE_FILE_FINAL:    "{{ [ docker_compose.directories.instance, 'docker-compose.yml' ] | path_join }}"
+
+- name: Write docker-compose.override.yml for BigBlueButton
+  template:
+    src:  docker-compose.override.yml.j2
+    dest: "{{ [ docker_compose.directories.instance, 'docker-compose.override.yml' ] | path_join }}"
+  notify:
+    - docker compose up
 
 - name: deploy .env
   # This seems redundant @todo Checkout if this is true and if so, delete it
   template:
     src:  env.j2
-    dest: "{{ bbb_env_file_origine }}"
+    dest: "{{ BBB_ENV_FILE_ORIGINE }}"
+  notify:
+    - docker compose up
 
 - name: Create symbolic link from .env file to target location
   file:
-    src:    "{{ bbb_env_file_origine }}"
+    src:    "{{ BBB_ENV_FILE_ORIGINE }}"
-    dest:   "{{ bbb_env_file_link }}"
+    dest:   "{{ BBB_ENV_FILE_LINK }}"
     state:  link
 
 - name: "Setup docker-compose.yml file"
   include_tasks: "01_docker-compose.yml"
 
 - name: Ensure all containers in instance are running
-  include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/05_ensure_up.yml"
+  include_tasks: "{{ [ playbook_dir , 'roles/docker-compose/tasks/05_ensure_up.yml' ] | path_join }}"
 
 - name: flush docker service
   meta: flush_handlers

roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2

@@ -0,0 +1 @@
+{# Overrides for Big Blue Button #}

roles/web-app-bigbluebutton/templates/env.j2

@@ -1,7 +1,9 @@
-ENABLE_COTURN=true
+# Coturn
-COTURN_TLS_CERT_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem
+ENABLE_COTURN={{ BBB_COTURN_ENABLED }}
-COTURN_TLS_KEY_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/privkey.pem
+COTURN_TLS_CERT_PATH={{ BBB_COTURN_TLS_CERT_PATH }}
-ENABLE_GREENLIGHT={{ applications | get_app_conf(application_id, 'enable_greenlight', True) }}
+COTURN_TLS_KEY_PATH={{ BBB_COTURN_TLS_KEY_PATH }}
+
+ENABLE_GREENLIGHT={{ BBB_GREENLIGHT_ENABLED }}
 
 # Enable Webhooks
 # used by some integrations
@@ -39,9 +41,9 @@ FSESL_PASSWORD={{ BBB_FSESL_PASSWORD }}
 
 DOMAIN={{ domain }}
 
+# IP
 EXTERNAL_IPv4={{ networks.internet.ip4 }}
-# The following line is not tested and could lead to bugs:
+EXTERNAL_IPv6={{ networks.internet.ip6 if BBB_IP6_ENABLED else '' }}
-EXTERNAL_IPv6={{ networks.internet.ip6 }}
 
 # STUN SERVER
 # stun.freeswitch.org
@@ -158,7 +160,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
 
-{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
+{% if BBB_LDAP_ENABLED | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@@ -283,7 +285,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
 
-{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
+{% if BBB_OIDC_ENABLED | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #

roles/web-app-bigbluebutton/vars/main.yml

@@ -6,7 +6,7 @@ database_type:                        "postgres"
 database_instance:                    "{{ application_id | get_entity_name }}"
 database_password:                    "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret') }}"
 database_username:                    "postgres"
-database_name:                        ""                              # Multiple databases
+database_name:                        "" # Multiple databases
 
 # Proxy
 domain:                               "{{ domains | get_domain(application_id) }}"
@@ -19,9 +19,27 @@ docker_repository_branch:             "{{ applications | get_app_conf(applicatio
 docker_pull_git_repository:           true
 
 # BigBlueButton
+
+## Credentials
 BBB_SHARED_SECRET:                    "{{ applications | get_app_conf(application_id, 'credentials.shared_secret') }}"
 BBB_ETHERPAD_API_KEY:                 "{{ applications | get_app_conf(application_id, 'credentials.etherpad_api_key') }}"
 BBB_RAILS_SECRET:                     "{{ applications | get_app_conf(application_id, 'credentials.rails_secret') }}"
 BBB_POSTGRESQL_SECRET:                "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret') }}"
 BBB_FSESL_PASSWORD:                   "{{ applications | get_app_conf(application_id, 'credentials.fsesl_password') }}"
-BBB_TURN_SECRET:                      "{{ applications | get_app_conf(application_id, 'credentials.turn_secret') }}"
+BBB_TURN_SECRET:                      "{{ applications | get_app_conf(application_id, 'credentials.turn_secret') }}"
+
+BBB_COTURN_TLS_CERT_PATH:             "{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder,   'fullchain.pem'] | path_join }}"
+BBB_COTURN_TLS_KEY_PATH:              "{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder,   'privkey.pem'] | path_join }}"
+
+## Switchs
+
+### Network
+BBB_IP6_ENABLED:                      "{{ applications | get_app_conf(application_id, 'server.ip6_enabled') }}"
+
+### Container
+BBB_GREENLIGHT_ENABLED:               "{{ applications | get_app_conf(application_id, 'docker.services.greenlight.enabled') }}"
+BBB_COTURN_ENABLED:                   "{{ applications | get_app_conf(application_id, 'docker.services.coturn.enabled') }}"
+
+### SSO
+BBB_LDAP_ENABLED:                     "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
+BBB_OIDC_ENABLED:                     "{{ applications | get_app_conf(application_id, 'features.oidc') }}"