Allow matrix_coturn_docker_network to be set to 'host' to use host-networking

This helps large deployments which need to open up thousands of ports
(matrix_coturn_turn_udp_min_port, matrix_coturn_turn_udp_min_port)

On a test VM, opening 1k ports takes 17 seconds for Docker to "publish"
all of these ports (setting up forwarding rules with the firewall, etc),
so service startup and shutdown take a long amount of time.

If host-networking is used, there's no need to open any ports at all
and startup/shutdown can be quick.

CHANGELOG.md

@@ -1,5 +1,21 @@
 # 2023-01-26
 
+## Coturn can now use host-networking
+
+Large Coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow Coturn service startup and shutdown.
+
+Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
+
+```yaml
+matrix_coturn_docker_network: host
+```
+
+With such a configuration, Docker no longer needs to configure thousands of firewall forwarding rules each time Coturn starts and stops.
+You may, however, need to allow these ports in your firewall configuration yourself.
+
+Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network.
+
+
 ## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues
 
 **TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.

roles/custom/matrix-coturn/defaults/main.yml

@@ -20,6 +20,13 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
 #
 # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
 # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
+#
+# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking,
+# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
+# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
+# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
+# which hopefully prevents access to such private network ranges.
+# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
 matrix_coturn_docker_network: "matrix-coturn"
 
 matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
@@ -41,20 +48,20 @@ matrix_coturn_container_extra_arguments: []
 # Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
-matrix_coturn_container_stun_plain_host_bind_port: '3478'
+matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}"
 
 # Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
-matrix_coturn_container_stun_tls_host_bind_port: '5349'
+matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}"
 
 # Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
 #
 # Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
-# Takes a null/none value (`~`) to prevent listening.
+# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
 #
 # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
-matrix_coturn_container_turn_range_listen_interface: ''
+matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}"
 
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152

roles/custom/matrix-coturn/tasks/setup_install.yml

@@ -62,7 +62,8 @@
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
 
-- name: Ensure Coturn network is created in Docker
+- when: matrix_coturn_docker_network not in ['', 'host']
+  name: Ensure Coturn network is created in Docker
   community.docker.docker_network:
     name: "{{ matrix_coturn_docker_network }}"
     driver: bridge

roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2

@@ -30,7 +30,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \
 			-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \
 			{% endif %}
-			{% if matrix_coturn_container_turn_range_listen_interface is not none %}
+			{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
 			-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
 			{% endif %}
 			--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \