[ci skip] Add coturn TURN/STUN server for WebRTC relay

- Deploy coturn on k8s with MetalLB shared IP (10.0.20.200)
- Normal pod networking (no hostNetwork), runs on any node
- 100 relay ports (49152-49252), port 3478 for STUN/TURN signaling
- Shared secret auth for time-limited TURN credentials
- For F1 streaming WebRTC NAT traversal
Viktor Barzin 2026-02-21 18:08:01 +00:00
parent 5fe288a4e4
commit de1a43a3c7
3 changed files with 208 additions and 3 deletions


@ -132,6 +132,7 @@ variable "modal_api_key" { type = string }
variable "gemini_api_key" { type = string }
variable "llama_api_key" { type = string }
variable "brave_api_key" { type = string }
variable "coturn_turn_secret" { type = string }
variable "k8s_users" {
type = map(any)
@ -159,7 +160,7 @@ locals {
3 : ["reverse-proxy"], # Cluster admin services (k8s-dashboard chart repo still 404)
4 : [
"mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud",
"calibre", "onlyoffice", "f1-stream", "rybbit", "isponsorblocktv", "actualbudget"
"calibre", "onlyoffice", "f1-stream", "rybbit", "isponsorblocktv", "actualbudget", "coturn"
], # Activel used services
# Optional services
5 : [
@ -256,6 +257,16 @@ module "f1-stream" {
depends_on = [null_resource.core_services]
}
module "coturn" {
source = "./coturn"
for_each = contains(local.active_modules, "coturn") ? { coturn = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.edge
turn_secret = var.coturn_turn_secret
depends_on = [null_resource.core_services]
}
module "hackmd" {
source = "./hackmd"
for_each = contains(local.active_modules, "hackmd") ? { hackmd = true } : {}
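Review bot: `variable "coturn_turn_secret"` in the first hunk is declared with only `type = string`, so the TURN shared secret it passes to `turn_secret` in the `module "coturn"` block can appear in clear text in plan and apply output. Adding `sensitive = true` to that declaration, and to the matching `turn_secret` input inside `./coturn` (not visible in this section), keeps it out of logs; the value will still be written to state, so the state backend needs to be access-controlled. The neighbouring `*_api_key` variables in the context lines are declared the same way and would benefit from the same change. Since anyone holding this secret can mint valid relay credentials, it is also worth confirming in the module, which is outside this section, that coturn restricts relaying to cluster and private ranges (for example with `denied-peer-ip`).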