Unified STUN + ME Primary parallelized

- Unified STUN server source-of-truth
- parallelize per-DC primary ME init for multi-endpoint DCs

src/config/defaults.rs

@@ -111,25 +111,11 @@ pub(crate) fn default_proxy_secret_path() -> Option<String> {
 }
 
 pub(crate) fn default_middle_proxy_nat_stun() -> Option<String> {
-    Some("stun.l.google.com:19302".to_string())
+    None
 }
 
 pub(crate) fn default_middle_proxy_nat_stun_servers() -> Vec<String> {
-    vec![
-        "stun.l.google.com:5349".to_string(),
-        "stun1.l.google.com:3478".to_string(),
-        "stun.gmx.net:3478".to_string(),
-        "stun.l.google.com:19302".to_string(),
-        "stun.1und1.de:3478".to_string(),
-        "stun1.l.google.com:19302".to_string(),
-        "stun2.l.google.com:19302".to_string(),
-        "stun3.l.google.com:19302".to_string(),
-        "stun4.l.google.com:19302".to_string(),
-        "stun.services.mozilla.com:3478".to_string(),
-        "stun.stunprotocol.org:3478".to_string(),
-        "stun.nextcloud.com:3478".to_string(),
-        "stun.voip.eutelia.it:3478".to_string(),
-    ]
+    Vec::new()
 }
 
 pub(crate) fn default_stun_nat_probe_concurrency() -> usize {

src/config/load.rs

@@ -65,6 +65,16 @@ fn validate_network_cfg(net: &mut NetworkConfig) -> Result<()> {
     Ok(())
 }
 
+fn push_unique_nonempty(target: &mut Vec<String>, value: String) {
+    let trimmed = value.trim();
+    if trimmed.is_empty() {
+        return;
+    }
+    if !target.iter().any(|existing| existing == trimmed) {
+        target.push(trimmed.to_string());
+    }
+}
+
 // ============= Main Config =============
 
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -138,6 +148,30 @@ impl ProxyConfig {
             config.general.update_every = None;
         }
 
+        let legacy_nat_stun = config.general.middle_proxy_nat_stun.take();
+        let legacy_nat_stun_servers = std::mem::take(&mut config.general.middle_proxy_nat_stun_servers);
+        let legacy_nat_stun_used = legacy_nat_stun.is_some() || !legacy_nat_stun_servers.is_empty();
+
+        let mut unified_stun_servers = Vec::new();
+        for stun in std::mem::take(&mut config.network.stun_servers) {
+            push_unique_nonempty(&mut unified_stun_servers, stun);
+        }
+        if let Some(stun) = legacy_nat_stun {
+            push_unique_nonempty(&mut unified_stun_servers, stun);
+        }
+        for stun in legacy_nat_stun_servers {
+            push_unique_nonempty(&mut unified_stun_servers, stun);
+        }
+
+        if unified_stun_servers.is_empty() {
+            unified_stun_servers = default_stun_servers();
+        }
+        config.network.stun_servers = unified_stun_servers;
+
+        if legacy_nat_stun_used {
+            warn!("general.middle_proxy_nat_stun and general.middle_proxy_nat_stun_servers are deprecated; use network.stun_servers");
+        }
+
         if let Some(update_every) = config.general.update_every {
             if update_every == 0 {
                 return Err(ProxyError::Config(

src/config/types.rs

@@ -160,11 +160,13 @@ pub struct GeneralConfig {
     #[serde(default = "default_true")]
     pub middle_proxy_nat_probe: bool,
 
-    /// Optional STUN server address (host:port) for NAT probing.
+    /// Deprecated legacy single STUN server for NAT probing.
+    /// Use `network.stun_servers` instead.
     #[serde(default = "default_middle_proxy_nat_stun")]
     pub middle_proxy_nat_stun: Option<String>,
 
-    /// Optional list of STUN servers for NAT probing fallback.
+    /// Deprecated legacy STUN list for NAT probing fallback.
+    /// Use `network.stun_servers` instead.
     #[serde(default = "default_middle_proxy_nat_stun_servers")]
     pub middle_proxy_nat_stun_servers: Vec<String>,