Add lt-cred-mech authentication mechanism to Coturn

All homeserver implementations have been updated to support this as
well.

It's just Jitsi that possibly doesn't work with anything other than `auth-secret`.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191

roles/custom/matrix-coturn/defaults/main.yml

@@ -73,10 +73,26 @@ matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_con
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
 
-# A shared secret (between Synapse and Coturn) used for authentication.
+# Controls which authentication method to enable.
+#
+# lt-cred-mech likely provides better compatibility,
+# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
+# but those claims are unverified.
+#
+# For now, we still default to `auth-secret` like we've always done.
+#
+# Known values: auth-secret, lt-cred-mech
+matrix_coturn_authentication_method: auth-secret
+
+# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_coturn_turn_static_auth_secret: ""
 
+# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
+matrix_coturn_lt_cred_mech_username: ""
+# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
+matrix_coturn_lt_cred_mech_password: ""
+
 # The external IP address of the machine where Coturn is.
 # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
 # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`

roles/custom/matrix-coturn/tasks/validate_config.yml

@@ -9,10 +9,18 @@
   with_items:
     - {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
 
+- name: Fail if matrix_coturn_authentication_method is invalid
+  ansible.builtin.fail:
+    msg: >-
+      Invalid authentication method specified in `matrix_coturn_authentication_method`
+  when: "matrix_coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
+
 - name: Fail if required Coturn settings not defined
   ansible.builtin.fail:
     msg: >-
-      You need to define a required configuration setting (`{{ item }}`) for using Coturn.
-  when: "vars[item] == ''"
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
   with_items:
-    - "matrix_coturn_turn_static_auth_secret"
+    - {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
+    - {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
+    - {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}

roles/custom/matrix-coturn/templates/turnserver.conf.j2

@@ -1,17 +1,27 @@
 #jinja2: lstrip_blocks: "True"
+
+{% if matrix_coturn_authentication_method == 'auth-secret' %}
 use-auth-secret
 static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
+userdb=/var/tmp/turnserver.db
+{% endif %}
+
+{% if matrix_coturn_authentication_method == 'lt-cred-mech' %}
+lt-cred-mech
+user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
+{% endif %}
+
 realm=turn.{{ matrix_server_fqn_matrix }}
 
 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}
+
 {% for ip in matrix_coturn_turn_external_ip_addresses %}
 external-ip={{ ip }}
 {% endfor %}
 
 log-file=stdout
 pidfile=/var/tmp/turnserver.pid
-userdb=/var/tmp/turnserver.db
 
 no-cli