Refactor TURN/STUN handling:

- Split internal/external Coturn for BBB and Nextcloud
- Added dedicated relay port ranges per app
- Updated env and compose overrides for coturn
- Ensure coturn role is loaded conditionally
- Standardize credential/env passing for coturn
@See https://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea

roles/web-app-bigbluebutton/config/main.yml

@@ -32,4 +32,4 @@ docker:
     greenlight:
       enabled:    true
     coturn:
-      enabled:    true
+      internal:   "{{ not 'web-svc-coturn' in group_names | lower }}"

roles/web-app-bigbluebutton/tasks/main.yml

@@ -68,3 +68,13 @@
   include_tasks: "02_administrator.yml"
 
 
+- name: "Load Coturn Role for '{{ application_id }}'"
+  include_role:
+    name: web-svc-coturn
+  vars:
+    flush_handlers: true
+  when:    
+    - run_once_web_svc_coturn is not defined
+    - not BBB_INTERNAL_COTURN_ENABLED
+
+

roles/web-app-bigbluebutton/templates/docker-compose.override.yml.j2

@@ -5,3 +5,25 @@ services:
       MS_ENABLE_IPV6: "false"
       MS_WEBRTC_LISTEN_IPS: >-
         [{"ip":"0.0.0.0","announcedIp":"${EXTERNAL_IPv4}"}]
+  coturn:
+    ports:
+      - "{{ BBB_TURN_PORT }}:{{ BBB_TURN_PORT }}/udp"
+      - "{{ BBB_TURN_PORT }}:{{ BBB_TURN_PORT }}/tcp"
+      - "{{ BBB_STUN_PORT }}:{{ BBB_STUN_PORT }}/udp"
+      - "{{ BBB_STUN_PORT }}:{{ BBB_STUN_PORT }}/tcp"
+      - "{{ BBB_RELAY_PORT_RANGE }}/udp"
+    command: >-
+      --use-auth-secret
+      --static-auth-secret=${TURN_SECRET}
+      --lt-cred-mech
+      --realm=${DOMAIN}
+      --fingerprint
+      --no-multicast-peers
+      --no-cli
+      --no-tcp-relay
+      --min-port={{ BBB_RELAY_PORT_START }}
+      --max-port={{ BBB_RELAY_PORT_END }}
+      --external-ip=${EXTERNAL_IPv4}
+      {% if BBB_IP6_ENABLED %}--external-ip=${EXTERNAL_IPv6}{% endif %}
+      --cert=${COTURN_TLS_CERT_PATH}
+      --pkey=${COTURN_TLS_KEY_PATH}

roles/web-app-bigbluebutton/templates/env.j2

@@ -1,7 +1,7 @@
 # Coturn
-ENABLE_COTURN={{ BBB_COTURN_ENABLED }}
+ENABLE_COTURN={{ BBB_INTERNAL_COTURN_ENABLED }}
 
-# Credentials
+## Credentials
 COTURN_TLS_CERT_PATH={{ BBB_COTURN_TLS_CERT_PATH }}
 COTURN_TLS_KEY_PATH={{ BBB_COTURN_TLS_KEY_PATH }}
 

roles/web-app-bigbluebutton/vars/main.yml

@@ -34,9 +34,12 @@ BBB_COTURN_TLS_CERT_PATH:             "{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_fold
 BBB_COTURN_TLS_KEY_PATH:              "{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder,   'privkey.pem'] | path_join }}"
 
 ## Turn
-BBB_TURN_DOMAIN:                    "{{ networks.internet.ip4 if BBB_COTURN_ENABLED else domains | get_domain('web-svc-coturn') }}"
-BBB_TURN_PORT:                      "{{ ports.public.turn[application_id] if BBB_COTURN_ENABLED else ports.public.turn['web-svc-coturn'] }}"
-BBB_STUN_PORT:                      "{{ ports.public.turn[application_id] if BBB_COTURN_ENABLED else ports.public.stun['web-svc-coturn'] }}"
+BBB_TURN_DOMAIN:                    "{{ networks.internet.ip4 if BBB_INTERNAL_COTURN_ENABLED else domains | get_domain('web-svc-coturn') }}"
+BBB_TURN_PORT:                      "{{ ports.public.turn[application_id] if BBB_INTERNAL_COTURN_ENABLED else ports.public.turn['web-svc-coturn'] }}"
+BBB_STUN_PORT:                      "{{ ports.public.turn[application_id] if BBB_INTERNAL_COTURN_ENABLED else ports.public.stun['web-svc-coturn'] }}"
+BBB_RELAY_PORT_START:               "{{ ports.public.relay_port_ranges[application_id ~ '_start'] }}"
+BBB_RELAY_PORT_END:                 "{{ ports.public.relay_port_ranges[application_id ~ '_end'] }}"
+BBB_RELAY_PORT_RANGE:               "{{ BBB_RELAY_PORT_START }}-{{ BBB_RELAY_PORT_END }}"
 
 ## Switchs
 
@@ -45,7 +48,7 @@ BBB_IP6_ENABLED:                      "{{ applications | get_app_conf(applicatio
 
 ### Container
 BBB_GREENLIGHT_ENABLED:               "{{ applications | get_app_conf(application_id, 'docker.services.greenlight.enabled') }}"
-BBB_COTURN_ENABLED:                   "{{ applications | get_app_conf(application_id, 'docker.services.coturn.enabled') }}"
+BBB_INTERNAL_COTURN_ENABLED:          "{{ applications | get_app_conf(application_id, 'docker.services.coturn.internal') }}"
 
 ### SSO
 BBB_LDAP_ENABLED:                     "{{ applications | get_app_conf(application_id, 'features.ldap') }}"