possible workarounds:

• put all the clients i care about doing video calls with (my immediate family) on tailscale, which also performs the function of nat traversal
• talk to my provider about installing coturn on the ipv4 proxy box? but the cost in bandwidth and maintenance might be too high, especially if i'm the only customer using it
• maybe stun/turn as-a-service exists?
• admit defeat and just pay $1/mo for an ipv4 address

🤔 turn and stun are mechanisms to help ipv4 clients behind nats talk to each other directly, or failing that, proxy their traffic to each other

nats are pretty much only for ipv4 clients. if they have an ipv6 address is probably isn't nat'd

so it probably doesn't make sense to imagine how to run a stun/turn server on an ipv6-only vm

the appropriate place for it to live is probably alongside the sniproxy doing ip4->ip6 reverse proxying

but with this figured out, i now have an ipv6 vm that can still serve up its websites to people stuck on ipv4-only networks! without paying for an ipv4 address allocation! 🥳

next, to see if a prosody xmpp server and a coturn turn/stun server will work just as happily as the webserver does within this setup

today i learned that if you are reverse-proxying :80 and :443 with PROXY protocol to a caddy set up like this...

then, in addition to your https site definitions, you also have to toss this line in there to make proxy_protocol apply to the automatic http->https redirect that caddy sets up

https://caddyserver.com/docs/caddyfile/options#:~:text=unless%20you%20explicitly%20declare

i don't know how wrong that analysis is, that's just my takeaway from attempting to research the subject with one hand clutching my temples to keep my brains in

i went with utm for now, 2gb download will finish in another 2 hours or so