Update LiveKit Server role to v1.12.0-0

LiveKit v1.12.0 tightens TURN security: credentials now carry a TTL,
and TURN no longer relays to restricted peer CIDRs by default. The
role defaults match upstream's secure defaults and are appropriate
for typical playbook deployments.

Bumps the migration-validation gate accordingly so users are pointed
at the CHANGELOG entry on next run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CHANGELOG.md

@@ -1,3 +1,25 @@
+# 2026-05-18
+
+## LiveKit Server has been upgraded to v1.12.0
+
+The playbook now ships [LiveKit Server](./docs/configuring-playbook-livekit-server.md) v1.12.0. See the [upstream release notes](https://github.com/livekit/livekit/releases/tag/v1.12.0) for details.
+
+This release tightens TURN security:
+
+- **TURN credentials now carry a TTL** (default: 300 seconds), exposed via `livekit_server_config_turn_ttl_seconds`.
+- **TURN no longer relays traffic to restricted peer CIDRs** (loopback, link-local, multicast, private, unspecified) by default. If your setup legitimately requires it, list the ranges in `livekit_server_config_turn_allow_restricted_peer_cidrs`.
+
+    For example, to allow TURN to reach the common [RFC1918](https://www.rfc-editor.org/rfc/rfc1918) private ranges, add to your `vars.yml`:
+    ```yaml
+    livekit_server_config_turn_allow_restricted_peer_cidrs:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+    ```
+
+    Adjust the ranges to match your network. To deny specific CIDRs (taking precedence over the allow list above), use `livekit_server_config_turn_deny_peer_cidrs` in the same shape.
+
+
 # 2026-05-07
 
 ## Tuwunel support

docs/configuring-playbook-livekit-server.md

@@ -61,6 +61,12 @@ livekit_server_container_labels_turn_traefik_entrypoints: "<your-livekit-turn-tr
 
 and configuring their own Traefik TCP entrypoint dedicated to LiveKit TURN traffic.
 
+## TURN access controls
+
+LiveKit's embedded TURN server enforces a credential TTL and restricts which peer CIDRs it will relay to. The playbook leaves these at the role's secure defaults, which are appropriate for typical deployments where TURN peers live on the public Internet.
+
+If your setup needs TURN to relay to private/restricted ranges, or you want to override the credential TTL, see the [TURN access controls and credential TTL](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server/blob/main/docs/configuring-livekit-server.md#turn-access-controls-and-credential-ttl) section of the role's documentation.
+
 ## Limitations
 
 LiveKit Server's TURN listener behavior depends on where TLS is terminated:

examples/vars.yml

@@ -2,7 +2,7 @@
 # This variable acknowledges that you've reviewed breaking changes up to this version.
 # The playbook will fail if this is outdated, guiding you through what changed.
 # See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
-matrix_playbook_migration_validated_version: v2026.04.24.0
+matrix_playbook_migration_validated_version: v2026.05.18.0
 
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).

requirements.yml

@@ -42,7 +42,7 @@
   version: v10888-1
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.11.0-2
+  version: v1.12.0-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.22.0-1

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -14,10 +14,13 @@ matrix_playbook_migration_validated_version: ''
 # The version that the playbook expects the user to have validated against.
 # This is bumped whenever a breaking change is introduced.
 # The value configured here needs to exist in `matrix_playbook_migration_breaking_changes` as well.
-matrix_playbook_migration_expected_version: "v2026.04.24.0"
+matrix_playbook_migration_expected_version: "v2026.05.18.0"
 
 # A list of breaking changes, used to inform users what changed between their validated version and the expected version.
 matrix_playbook_migration_breaking_changes:
+  - version: "v2026.05.18.0"
+    summary: "LiveKit Server has been upgraded to v1.12.0 — TURN no longer relays to restricted peer CIDRs (loopback, link-local, multicast, private, unspecified) by default; TURN credentials now carry a TTL (300s)"
+    changelog_url: "https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2026-05-18"
   - version: "v2026.04.24.0"
     summary: "(BC Break) mautrix-telegram has been rewritten in Go (bridgev2) — the web-based login endpoint, old-style relaybot and several variables have been removed"
     changelog_url: "https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2026-04-24"