- Enable both TURN (port 3478) and TURNS (port 5349) for maximum client compatibility
- Add recommended coturn settings: stale-nonce, unlimited quotas
- Remove deprecated 'warn' parameter from shell task
- Add comprehensive tags to all roles in site.yml for selective deployment
- Remove redundant update playbooks (replaced by tags functionality)
- Update README with detailed tags documentation and common workflows
- Update coturn documentation with correct Nextcloud configuration
- Add coturn_static_secret and wireguard server keys to vault example

Coturn improvements:
- Enable TURNS-only mode (port 5349) for encrypted signaling
- Disable unencrypted TURN (port 3478) for better security
- Fix certificate permission issues for turnserver user
- Remove incompatible config options (no-loopback-peers, lt-cred-mech)
- Add automatic private key permission fixing on deploy
- Configure firewall rules for TURNS port 5349

WireGuard improvements:
- Add server key persistence via vault
- Server keys now stored in vault (wireguard_server_private_key/public_key)
- Keys persist across server rebuilds
- Fallback to key generation if vault keys not defined

Blog deployment automation:
- Add blog_deploy role for automated deployment user setup
- Creates blogdeploy user with SSH key pair
- Sets up /var/www/blog directory structure
- Configures authorized_keys for GitHub Actions deployment
- Provides instructions for adding SSH key to GitHub secrets

Configuration updates:
- Comment out TURN port 3478 (using TURNS-only)
- Add TURNS port 5349 to external ports
- Update vault with WireGuard server keys

Major changes:
- Add Coturn role for Nextcloud Talk WebRTC support
- Automatic SSL/TLS via Let's Encrypt
- DPI-resistant configuration with static auth
- Firewall rules for TURN (3478) and relay ports (49152-49252)
- Optimize nginx WebSocket support with conditional Connection header
- Change Forgejo domain from git.okhsunrog.dev to fgj.okhsunrog.dev
- Fix certbot role to properly handle new domains on existing infrastructure
- Update all Ansible variables to use ansible_facts syntax (Ansible 2.24 compatibility)
- Add network role support for ports with both TCP and UDP
- Remove unused snake/serpentina service configuration
- Add comprehensive documentation in docs/ directory

Bug fixes:
- Certbot now checks each domain individually instead of skipping all if any exist
- Create ssl-cert group before adding turnserver user to it
- Add new AmneziaWG role with Ubuntu 24.04 DKMS support
- Implement clean installation method for both Ubuntu 22.04/24.04
- Add obfuscation parameters for Deep Packet Inspection bypass
- Configure AmneziaWG subnet (10.65.65.0/24) and port (58888/udp)
- Update network role to include AmneziaWG in firewall rules
- Add user management playbook for AmneziaWG
- Update vault.yml.example with AmneziaWG peer configuration
- Document project architecture and commands in CLAUDE.md

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
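The coturn commits above rely on a static auth secret (`coturn_static_secret`, kept in the vault) rather than per-user passwords: Nextcloud Talk and the TURN server derive short-lived credentials from that one secret using the TURN REST API scheme (username `<expiry>:<user>`, password `base64(HMAC-SHA1(secret, username))`), which is what coturn's `use-auth-secret`/`static-auth-secret` options implement. The example below is added here to show both halves of that exchange and why the secret must stay in the vault; it is not code from this repository, and the secret, user name and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample secret. In the deployment described by the commits
# this value would be the vault variable coturn_static_secret (assumption);
# anyone holding it can mint valid TURN credentials, hence the vault.
SAMPLE_SECRET = "constructed-example-secret-do-not-reuse"


def make_turn_credential(user: str, secret: str, ttl: int = 86400,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Client/application side (what Nextcloud Talk does with the shared secret).

    Returns (username, password) in the TURN REST API format coturn accepts
    when use-auth-secret and static-auth-secret are configured:
      username = '<expiry unix time>:<user>'
      password = base64(HMAC-SHA1(secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(username: str, password: str, secret: str,
                           now: Optional[int] = None) -> bool:
    """Server side, mirroring the check coturn performs.

    Recomputes the HMAC from the shared secret, compares it in constant time,
    and rejects credentials whose embedded expiry has already passed, so a
    leaked credential is only useful until its TTL runs out.
    """
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # malformed username, not in '<expiry>:<user>' form
    if int(expiry_str) <= now:
        return False  # credential has expired
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    # Constructed usage: mint a one-hour credential and check it both
    # inside and past its validity window.
    fixed_now = 1_700_000_000
    user, pw = make_turn_credential("alice", SAMPLE_SECRET, ttl=3600, now=fixed_now)
    print(user, pw)
    print("valid now:", verify_turn_credential(user, pw, SAMPLE_SECRET, now=fixed_now))
    print("valid after ttl:", verify_turn_credential(user, pw, SAMPLE_SECRET, now=fixed_now + 3600))
```

Because the server only needs the secret and the clock, no credential database is required and the TURN listener can be exposed on TLS port 5349 without per-user state; the trade-off is that the secret itself is the whole trust anchor, which is why the vault example above carries it.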