From 9d463e5f96db2effa5ebb398804e2cf59d910545 Mon Sep 17 00:00:00 2001
From: bvn13
Date: Sat, 28 Feb 2026 09:53:13 +0300
Subject: [PATCH] revert coturn container, use Snikket built-in TURN instead

The snikket_server image includes a TURN server that is enabled by default (SNIKKET_TWEAK_TURNSERVER=1). A separate coturn container conflicts on port 3478 and adds unnecessary complexity for a standard deployment.

Co-Authored-By: Claude Sonnet 4.6
---
 server/README.md | 2 --
 server/docker-compose.yml | 28 ----------------------------
 server/prosody.cfg.lua.example | 33 ---------------------------------
 server/secrets.env.example | 4 ----
 4 files changed, 67 deletions(-)

diff --git a/server/README.md b/server/README.md
index eba5e41..42aaf96 100644
--- a/server/README.md
+++ b/server/README.md
@@ -10,7 +10,6 @@ XMPP-сервер на базе [Snikket](https://snikket.org/) (обёртка
 | `snikket_proxy` | `snikket/snikket-web-proxy:stable` | Веб-прокси (nginx) |
 | `snikket_certs` | `snikket/snikket-cert-manager:stable` | Автоматическое получение TLS-сертификатов (Let's Encrypt) |
 | `snikket_portal` | `snikket/snikket-web-portal:stable` | Веб-портал для управления пользователями и инвайтами |
-| `snikket_turn` | `coturn/coturn:latest` | TURN/STUN-сервер для голосовых и видеозвонков |
 | `s3_upload_handler` | собирается из `./s3-upload-handler` | Обработчик загрузки файлов — принимает файлы от XMPP-клиентов и сохраняет в S3 |
 | `postgres` | `postgres:15` | База данных PostgreSQL для Prosody |
@@ -87,7 +86,6 @@ cp secrets.env.example secrets.env
 | `AWS_ACCESS_KEY_ID` | Ключ доступа AWS/S3 |
 | `AWS_SECRET_ACCESS_KEY` | Секретный ключ AWS/S3 |
 | `POSTGRES_PASSWORD` | Пароль PostgreSQL |
-| `TURN_SECRET` | Shared secret для TURN-аутентификации (должен совпадать между coturn и Prosody). Генерация: `openssl rand -hex 32` |
 ### S3 Upload Handler (environment)
diff --git a/server/docker-compose.yml b/server/docker-compose.yml
index 0f2c649..1acb7c3 100644
--- a/server/docker-compose.yml
+++ b/server/docker-compose.yml
@@ -61,34 +61,6 @@ services:
 PRESIGN_EXPIRE: "3600"
 restart: "unless-stopped"
- snikket_turn:
- container_name: snikket-turn
- image: coturn/coturn:latest
- network_mode: host
- env_file:
- - snikket.conf
- - secrets.env
- volumes:
- - snikket_data:/snikket:ro
- entrypoint: ["/bin/sh", "-c"]
- command: >-
- turnserver
- --use-auth-secret
- --static-auth-secret=$$TURN_SECRET
- --realm=$$SNIKKET_DOMAIN
- --listening-port=3478
- --tls-listening-port=5349
- --cert=/snikket/letsencrypt/live/$$SNIKKET_DOMAIN/fullchain.pem
- --pkey=/snikket/letsencrypt/live/$$SNIKKET_DOMAIN/privkey.pem
- --min-port=49152
- --max-port=65535
- --fingerprint
- --no-cli
- --log-file=stdout
- restart: "unless-stopped"
- depends_on:
- - snikket_certs
-
 postgres:
 container_name: snikket-postgres
 image: postgres:17
diff --git a/server/prosody.cfg.lua.example b/server/prosody.cfg.lua.example
index 4fb1780..14f5585 100644
--- a/server/prosody.cfg.lua.example
+++ b/server/prosody.cfg.lua.example
@@ -26,7 +26,6 @@ modules_disabled = {
 modules_enabled = {
 "http_upload_external";
- "external_services";
 }
 -- URL of the external upload service that handles S3 interaction.
@@ -45,35 +44,3 @@ http_upload_external_expire_after = 3600
 -- Max file size in bytes (10 MB)
 http_upload_external_file_size_limit = 10485760
------------------------------------------------------------------------
--- TURN/STUN for voice/video calls (via mod_external_services)
--- Credentials are generated on-the-fly using TURN REST API (RFC 8489 §9.2)
--- Shared secret must match TURN_SECRET in secrets.env
------------------------------------------------------------------------
-
-external_services = {
- {
- type = "stun";
- host = os.getenv("SNIKKET_DOMAIN");
- port = 3478;
- transport = "udp";
- },
- {
- type = "turn";
- host = os.getenv("SNIKKET_DOMAIN");
- port = 3478;
- transport = "udp";
- secret = os.getenv("TURN_SECRET");
- algorithm = "turn";
- ttl = 86400;
- },
- {
- type = "turns";
- host = os.getenv("SNIKKET_DOMAIN");
- port = 5349;
- transport = "tcp";
- secret = os.getenv("TURN_SECRET");
- algorithm = "turn";
- ttl = 86400;
- },
-};
diff --git a/server/secrets.env.example b/server/secrets.env.example
index 36eb028..967323c 100644
--- a/server/secrets.env.example
+++ b/server/secrets.env.example
@@ -5,7 +5,3 @@ AWS_SECRET_ACCESS_KEY=change-me
 # PostgreSQL secrets
 POSTGRES_PASSWORD=change-me
-
-# TURN server shared secret (used by both coturn and Prosody mod_external_services)
-# Generate with: openssl rand -hex 32
-TURN_SECRET=change-me