diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 4772b9722..a5928dede 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -224,6 +224,12 @@ matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_s
 #     (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`)
 # - core services (the homeserver) get a level of ~1000
 # - services that the homeserver depends on (database, Redis, ntfy, Coturn, etc.) get a lower level - between 500 and 1000
+# - Coturn gets a higher level if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
+#  - starting services one by one means that the service manager role waits for each service to fully start before proceeding to the next one
+#  - if Coturn has a lower priority than the homeserver, it would be started before it
+#  - since Coturn is started before the homeserver, there's no container label telling Traefik to get a `matrix.DOMAIN` certificate
+#  - thus, Coturn would spin and wait for a certificate until it fails. We'd get a playbook failure due to it, but service manager will proceed to start all other services anyway.
+#  - only later, when the homeserver actually starts, would that certificate be fetched and dumped
 # - reverse-proxying services get level 3000
 # - Matrix utility services (bridges, bots) get a level of 2000/2200, so that:
 #   - they can start before the reverse-proxy
@@ -330,7 +336,7 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
     +
-    ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
+    ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 4000), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
     +
     ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
     +
diff --git a/requirements.yml b/requirements.yml
index 9b557b48c..af1dfde24 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -31,7 +31,7 @@
   version: v2.8.0-1
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
-  version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
+  version: 201c939eed363de269a83ba29784fc3244846048
   name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
   version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
diff --git a/setup.yml b/setup.yml
index ea5070aa6..beb0b0a58 100644
--- a/setup.yml
+++ b/setup.yml
@@ -6,6 +6,9 @@
   roles:
     # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
     - role: galaxy/playbook_help
+      tags:
+        - setup-all
+        - install-all
 
     - role: galaxy/systemd_docker_base