From 926def3d01fe40caf483c1f6b48579a6ab0a705d Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 27 Sep 2025 01:40:37 +0200
Subject: [PATCH] web-svc-coturn: Add resource limits and fix docker-compose template

- Set CPU, memory reservation/limit, and PID limit for coturn
- Ensure docker_compose_file_creation_enabled and disable git repo pulling
- Move certificate mounts to volumes and fix env var interpolation in command
- Correct realm and user formatting

See: https://chatgpt.com/share/66f65f18-799c-800a-95f4-b6b26511e9cb

---
 roles/web-svc-coturn/config/main.yml | 8 ++++++--
 roles/web-svc-coturn/tasks/01_core.yml | 5 ++++-
 roles/web-svc-coturn/templates/docker-compose.yml.j2 | 8 ++++----
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/roles/web-svc-coturn/config/main.yml b/roles/web-svc-coturn/config/main.yml
index 1ac5f080..bbb27480 100644
--- a/roles/web-svc-coturn/config/main.yml
+++ b/roles/web-svc-coturn/config/main.yml
@@ -6,8 +6,12 @@ server:
 docker:
 services:
 coturn:
- image: "coturn/coturn"
- version: "latest"
+ image: "coturn/coturn"
+ version: "latest"
+ cpus: 1.0
+ mem_reservation: 512m
+ mem_limit: 1g
+ pids_limit: 256
 redis:
 enabled: false
 database:
diff --git a/roles/web-svc-coturn/tasks/01_core.yml b/roles/web-svc-coturn/tasks/01_core.yml
index 55c5eacc..c8e1b082 100644
--- a/roles/web-svc-coturn/tasks/01_core.yml
+++ b/roles/web-svc-coturn/tasks/01_core.yml
@@ -1,3 +1,6 @@
 - name: "Load 'sys-stk-semi-stateless' for '{{ application_id }}'"
 include_role:
- name: sys-stk-semi-stateless
\ No newline at end of file
+ name: sys-stk-semi-stateless
+ vars:
+ docker_compose_file_creation_enabled: true
+ docker_pull_git_repository: false
\ No newline at end of file
diff --git a/roles/web-svc-coturn/templates/docker-compose.yml.j2 b/roles/web-svc-coturn/templates/docker-compose.yml.j2
index d85fd055..1b374471 100644
--- a/roles/web-svc-coturn/templates/docker-compose.yml.j2
+++ b/roles/web-svc-coturn/templates/docker-compose.yml.j2
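Review bot: The re-indented `version: "latest"` leaves the coturn image unpinned, so every deploy may pull a different build and a regressed or tampered upstream tag would be taken up silently; pin a specific release tag (placeholder: `version: "<release-tag>"`) and ideally record the image digest so upgrades are deliberate and reviewable. The four new keys (`cpus`, `mem_reservation`, `mem_limit`, `pids_limit`) are not rendered anywhere in this commit's compose hunk, so they presumably rely on the included `base.yml.j2` emitting them — worth confirming, otherwise the limits stay config-only.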
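Review bot: The new side still ends without a trailing newline (`\ No newline at end of file` on both sides of the hunk), and the task file has no `---` document start. Adding the final newline and a leading `---` keeps yamllint's `new-line-at-end-of-file` and `document-start` rules quiet and avoids noisy diffs on the next edit.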
@@ -4,26 +4,26 @@
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 image: {{ COTURN_IMAGE }}:{{ COTURN_VERSION }}
 container_name: {{ COTURN_VOLUME }}
- {% include 'roles/docker-container/templates/base.yml.j2' %}
 ports:
 - "{{ COTURN_TURN_PORT }}:{{ COTURN_TURN_PORT }}/udp"
 - "{{ COTURN_TURN_PORT }}:{{ COTURN_TURN_PORT }}/tcp"
 - "{{ COTURN_STUN_PORT }}:{{ COTURN_STUN_PORT }}/tcp"
 - "{{ COTURN_STUN_PORT }}:{{ COTURN_STUN_PORT }}/udp"
 - "{{ COTURN_RELAY_PORT_RANGE }}/udp"
+ volumes:
 - "{{ COTURN_TLS_CERT_PATH }}:{{ COTURN_TLS_CERT_PATH }}:ro"
 - "{{ COTURN_TLS_KEY_PATH }}:{{ COTURN_TLS_KEY_PATH }}:ro"
 command: >
 --use-auth-secret
- --static-auth-secret=${ COTURN_STATIC_AUTH_SECRET }
+ --static-auth-secret="${COTURN_STATIC_AUTH_SECRET}"
 --lt-cred-mech
- --user=${ COTURN_USER_NAME }:${ COTURN_USER_PASSWORD }
+ --user="${COTURN_USER_NAME}:${COTURN_USER_PASSWORD}"
 --log-file=stdout
 --external-ip={{ networks.internet.ip4 }}
 {% if networks.internet.ip6|default('') %}
 --external-ip={{ networks.internet.ip6 }}
 {% endif %}
- --realm=${ COTURN_REALM }
+ --realm="${COTURN_REALM}"
 --fingerprint
 --total-quota=100
 --stale-nonce
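Review bot: The static auth secret and the static user's password are still passed as process arguments (`--static-auth-secret="${COTURN_STATIC_AUTH_SECRET}"`, `--user="${COTURN_USER_NAME}:${COTURN_USER_PASSWORD}"`), so once Compose has expanded them they are readable from the container's command line, e.g. via `docker inspect`; consider moving these settings into a turnserver config file mounted read-only next to the new `volumes:` entries and pointing coturn at it with `-c`, keeping the secrets out of argv. Note also that `${VAR}` inside `command:` is expanded by Compose from the project's `.env`/host environment when the stack is brought up, not from the container's `environment:`, so confirm these variables are present in the Compose env file — otherwise they render empty with only a warning. Per coturn's reference `turnserver.conf`, static `user=` accounts are not consulted when the REST-API `use-auth-secret` mode is enabled, so the `--user` entry may be inert here; worth checking which credential mechanism is actually intended. The coturn service definition starts before this hunk and the `command` scalar may continue after it.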