fix: resolve TURN_DOMAIN default at .env layer

docker-compose does not recursively expand nested `${...}` in `:-`
defaults, so `TURN_DOMAIN=${TURN_DOMAIN:-${LIVEKIT_DOMAIN}}` leaked the
literal string `${LIVEKIT_DOMAIN}` into the container, breaking TURN
and WebRTC connectivity. Set the default in .env.sample where abra
shell-expands it before docker-compose sees it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.env.sample

@@ -82,7 +82,9 @@ LIVEKIT_NODE_IP=
 #LIVEKIT_TURN_ENABLED=false
 ## TURN domain — must resolve to this server's IP.
 ## Defaults to LIVEKIT_DOMAIN, which works for TURN/UDP setups.
-#TURN_DOMAIN=turn.example.com
+## NOTE: must be set here, not as a compose-level `:-` default —
+## docker-compose does not recursively expand nested `${...}` references.
+TURN_DOMAIN=${LIVEKIT_DOMAIN}
 ## TURN/UDP port (default: 443). Recommended because UDP 443 is rarely
 ## blocked and doesn't conflict with Traefik's TCP 443.
 #TURN_UDP_PORT=443

compose.yml

@@ -191,7 +191,7 @@ services:
       - LIVEKIT_NODE_IP
       - LIVEKIT_FORCE_TCP=${LIVEKIT_FORCE_TCP:-false}
       - LIVEKIT_TURN_ENABLED=${LIVEKIT_TURN_ENABLED:-true}
-      - TURN_DOMAIN=${TURN_DOMAIN:-${LIVEKIT_DOMAIN}}
+      - TURN_DOMAIN=${TURN_DOMAIN}
       - TURN_UDP_PORT=${TURN_UDP_PORT:-443}
     # WebRTC ICE ports must be published directly on the host.
     # These carry raw RTP media, not HTTP — cannot be proxied through Traefik without extra traefik compose.