From c41cf7ed36c57c5c76917ca2cb1350e607e02dd5 Mon Sep 17 00:00:00 2001
From: Disco DeDisco
Date: Wed, 27 May 2026 14:30:38 -0400
Subject: [PATCH] coturn: activate [coturn] inventory host (turn.earthmanrpg.me + v4/v6)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Uncomment + fill the [coturn] group so the play has a host to target (empty group was the 'no hosts matched' / 'no hosts to target' error). Secret stays vault-only — deliberately omitted from the host line (host_vars override group_vars). Code architected by Disco DeDisco Git commit message Co-Authored-By: Claude Opus 4.7 (1M context)
---
 infra/group_vars/all/vault.yaml | 10 ++++++++++
 infra/inventory.ini | 16 +++++++++-------
 2 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 infra/group_vars/all/vault.yaml
diff --git a/infra/group_vars/all/vault.yaml b/infra/group_vars/all/vault.yaml
new file mode 100644
index 0000000..339e835
--- /dev/null
+++ b/infra/group_vars/all/vault.yaml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+62633637333430623762333637306466646161323861663564373533353565366661616433376465
+6138653163616138396163363764353464616133303731370a656166623332656234356564373330
+34656230353138653939313337376365343866623461616466343131313236303439613664616333
+6665333231353436650a616663653630613465613931353232383437623434383930313862626164
+39653231326663626562323832666264366331306365333061613535396532303937343065616261
+62663638386235373566336634616331396434643134303731646435396563343333333034303063
+66313030396437666461303137613233666366376430356164386561626337643930383433653130
+39663237303737333834366530303435666366336664363666646632396630626434373535303937
+3739
diff --git a/infra/inventory.ini b/infra/inventory.ini
index c71f27d..1696b21 100644
--- a/infra/inventory.ini
+++ b/infra/inventory.ini
@@ -11,10 +11,12 @@ gitea.earthmanrpg.me ansible_user=root ansible_ssh_private_key_file=~/.ssh/id_ed
 
 # Dedicated coturn (TURN/STUN) droplet for WebRTC mesh voice — provisioned by
 # coturn-playbook.yaml. UNCOMMENT + fill once the droplet + static IP exist
-# (see the playbook header). coturn_secret must equal the app's
-# COTURN_SHARED_SECRET. coturn_private_ip / coturn_tls_* are optional.
-# coturn_public_ip6 (optional): set the droplet's public IPv6 to serve
-# dual-stack TURN (adds a v6 external-ip + matching v6 peer-denial lockdown);
-# leave unset for a pure-IPv4 relay.
-# [coturn]
-# turn.earthmanrpg.me ansible_user=root ansible_ssh_private_key_file=~/.ssh/id_ed25519_wsl_python-tdd coturn_secret=CHANGEME coturn_realm=earthmanrpg.me coturn_public_ip=CHANGEME
+# (see the playbook header). coturn_secret is NOT set here — it comes from the
+# shared vault (group_vars/all/vault.yaml) so it matches the app's
+# COTURN_SHARED_SECRET. (Inventory host_vars OVERRIDE group_vars, so never put
+# coturn_secret on this line or it would clobber the vault value.)
+# coturn_private_ip / coturn_tls_* are optional. coturn_public_ip6 (optional):
+# set the droplet's public IPv6 to serve dual-stack TURN (adds a v6 external-ip
+# + matching v6 peer-denial lockdown); leave unset for a pure-IPv4 relay.
+[coturn]
+turn.earthmanrpg.me ansible_user=root ansible_ssh_private_key_file=~/.ssh/id_ed25519_wsl_python-tdd coturn_realm=earthmanrpg.me coturn_public_ip=167.172.236.157 coturn_public_ip6=2604:a880:800:14:0:3:384:6000
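Review bot: The rewritten comment sources `coturn_secret` from `group_vars/all/vault.yaml`, and the `all` scope loads the TURN shared secret for every host in this inventory, including the gitea host shown in the hunk header, not only the relay and the app. If only those need it, a group-scoped vault file (for example under a `group_vars/coturn/` directory, plus the app's group) would keep it out of unrelated plays; if the wide scope is deliberate, the comment should say so. Since the `coturn_secret=CHANGEME` placeholder is gone and the vault is opaque in review, I would also add to the comment `# The play must fail if coturn_secret is undefined or empty.` and back it with an assert in coturn-playbook.yaml, which is not part of this diff. Separately, the activated host line connects as `ansible_user=root`, following the gitea line; a non-root login with become is the safer default for an internet-facing relay.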