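# ============================================================
# coturn.conf — Coturn TURN/STUN Server Configuration
# Mount this at /etc/coturn/turnserver.conf in the container.
#
# Generate a secret with: pwgen -s 64 1
# The secret here MUST match turn_secret in continuwuity.toml.
# This file holds that secret in clear text: restrict it to the
# user coturn runs as (e.g. mode 0600) and keep it out of git.
#
# Comments are full-line only. Trailing "# ..." text on a value
# line is not guaranteed to be stripped by the config parser and
# could silently become part of the value (e.g. the secret).
# ============================================================

# Use time-limited shared-secret auth (more secure than static credentials)
use-auth-secret
# EDIT THIS — must match turn_secret in continuwuity.toml
static-auth-secret=YOUR_COTURN_SECRET

# realm should match your Matrix domain
# EDIT THIS
realm=matrix.example.com

# ------------------------------------------------------------
# Port ranges
# Default coturn range is 49152-65535.
# We start at 50201 so it doesn't overlap with LiveKit (50100-50200).
# The same UDP range must be opened on the host firewall.
# ------------------------------------------------------------
min-port=50201
max-port=65535

# ------------------------------------------------------------
# Optional: TLS support (recommended for production)
# You'll need to provide certificates. One approach is to copy
# them from your Let's Encrypt store (requires a cron/hook).
# Uncomment these once the certificate files are in place; leave
# them commented if you're not setting up TLS on coturn.
# ------------------------------------------------------------
# tls-listening-port=5349
# cert=/etc/coturn/certs/fullchain.pem
# pkey=/etc/coturn/certs/privkey.pem
# Reject legacy TLS versions when TLS is enabled.
# no-tlsv1
# no-tlsv1_1

# ------------------------------------------------------------
# Security hardening
# Prevents coturn from being used as an open relay/proxy into
# the internal network or as a generic TCP proxy.
# ------------------------------------------------------------

# Deny relaying to non-public IP ranges (prevents SSRF against
# internal services). Link-local 169.254.0.0/16 is included
# because cloud instance-metadata endpoints live there, and the
# IPv6 loopback / ULA / link-local / IPv4-mapped ranges are
# listed so the IPv4 rules cannot be sidestepped over IPv6.
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# Refuse multicast peer addresses (the deny list above handles
# the unicast private ranges; this option does not by itself
# restrict relaying to public IPs).
no-multicast-peers

# WebRTC media is relayed over UDP; disabling TCP relay removes the
# ability to use this server as a general-purpose TCP proxy.
no-tcp-relay

# Per-user and total concurrent allocation limits so a single
# credential or a flood of clients cannot exhaust the relay.
# Starting point from the Matrix TURN guidance — tune for your
# expected user count.
user-quota=12
total-quota=1200

# Disable the telnet CLI management interface (not needed, reduces attack surface)
no-cli

# Log to stdout so Docker captures it
log-file=stdout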