This post: HowTo: Setup Nextcloud Talk with TURN server is the most detailed documentation I can find for setting it up. It mentions STUN, but never mentions how to set it up. It makes it sound like TURN is something that must run on a different public-facing IP from your server? Is that right? And also that TURN is only needed if your Nextcloud server is behind a NAT that can’t forward connections to your Nextcloud server? This is where I get really fuzzy on how all of this is supposed to work.
I’d like “full” functionality if it’s at all possible; I can forward any arbitrary ports through my firewall to my Nextcloud server if needed.
You only need to enter an address in the Nextcloud Talk settings. AFAIK stun.nextcloud.com:443 is even preconfigured? You can also use the IP:port of your Coturn when installed, as it includes a STUN server as well. P2P/STUN will always be preferred if possible, and TURN used as a fallback, which in practice is most of the time when clients from different networks do video calls.
No, it can run on the same server system where Nextcloud runs, and behind a NAT. It just needs to be accessible by all clients, i.e. with the port forwarded if necessary. Having it on a dedicated system directly connected to the web is just a performance recommendation for heavily used TURN servers, to decouple them from other services.
The TURN server is not used by/for Nextcloud but by the video call/WebRTC clients. It is needed if those cannot directly reach each other because they are on different networks behind a NAT, and usually ports are not forwarded to clients (they are not servers), so one client cannot know how to reach the other and wouldn’t recognise it if the other tries to reach it. This is where STUN, or in most cases TURN, comes into play: a server that both clients can connect to, which either enables them to do P2P (STUN) or acts as a relay for the video stream (TURN).
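To make the "same host, behind NAT, ports forwarded" setup from the answer concrete, here is a constructed Coturn `turnserver.conf` as an added example; it is not taken from the linked HowTo or from the Nextcloud project. The hostname `turn.example.com`, the public address `203.0.113.10`, the private address `192.168.1.20`, the certificate paths and the secret are all placeholders to replace with your own values.

```ini
# Constructed example turnserver.conf for a Coturn STUN/TURN server that runs
# on the Nextcloud host behind NAT. Placeholder values: turn.example.com,
# 203.0.113.10 (public IP), 192.168.1.20 (private IP), secret, cert paths.

# Standard STUN/TURN ports. Forward 3478 (TCP+UDP) and 5349 (TCP) from the
# firewall to this host.
listening-port=3478
tls-listening-port=5349

# Bind to the private address; external-ip tells Coturn which public address
# the firewall maps to it. Without external-ip a NATed Coturn advertises its
# private address to remote clients and the relay never works.
listening-ip=192.168.1.20
relay-ip=192.168.1.20
external-ip=203.0.113.10/192.168.1.20

# UDP port range Coturn hands out for relayed media; forward this range too.
min-port=49152
max-port=65535

# Nextcloud Talk derives short-lived credentials from this shared secret
# (enter the same value as "TURN server secret" in the Talk admin settings).
# A relay without authentication on a public IP is an open relay for anyone.
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=REPLACE_WITH_LONG_RANDOM_SECRET
realm=turn.example.com

# TLS for TURNS on 5349 (placeholder certificate paths).
cert=/etc/letsencrypt/live/turn.example.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.example.com/privkey.pem

# Refuse to relay into the private networks behind the same firewall and to
# multicast, so the TURN server cannot be used as a pivot into the LAN.
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255

# No telnet admin CLI on port 5766; plain log file for troubleshooting.
no-cli
simple-log
log-file=/var/log/coturn/turnserver.log
```

With this file the same host serves both roles the answer describes: clients first ask it for their public address (STUN, same port 3478) and fall back to relaying media through it (TURN) only when direct P2P fails. In Talk, enter `turn.example.com:3478` as the TURN server with the matching secret, and `turn.example.com:3478` (or the preconfigured `stun.nextcloud.com:443`) as the STUN server. If two clients on the same LAN as the server ever need to be relayed, the `denied-peer-ip` line covering that LAN range must be removed, since it blocks relaying to those addresses.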