raven/asterisk: init

Co-Authored-By: Jakob Lechner <mail@jalr.de>
2021-12-08 17:42:20 +01:00 · 2021-12-08 17:42:20 +01:00 · 3fe66c180c
commit 3fe66c180c
parent 3c70582979
9 changed files with 161 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -9,3 +9,9 @@ creation_rules:
      - *jalr
      - *simon
      - *raven
+  - path_regex: machines/raven/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *jalr
+      - *simon
+      - *raven
--- a/flake.lock
+++ b/flake.lock
@ -94,6 +94,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-asterisk": {
+      "locked": {
+        "lastModified": 1638872530,
+        "narHash": "sha256-4tQOkGTdwa4xGJNwKaM+c67u37bDP4cDseYppq3xy0s=",
+        "owner": "yayayayaka",
+        "repo": "nixpkgs",
+        "rev": "77758650a83959c60aa2c7e2f2cf739ec7ddb793",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yayayayaka",
+        "ref": "asterisk-secrets-handling",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1640408860,
@ -117,6 +133,7 @@
        "nix-pre-commit-hooks": "nix-pre-commit-hooks",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-asterisk": "nixpkgs-asterisk",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix"
      }
--- a/flake.nix
+++ b/flake.nix
@ -9,6 +9,8 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";

    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+    nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/asterisk-secrets-handling";

    nixos-hardware.url = "github:nixos/nixos-hardware/master";

--- a/machines/default.nix
+++ b/machines/default.nix
@ -9,6 +9,8 @@ in
    extraModules = [
      hardware.common-cpu-intel
      hardware.common-pc-ssd
+      # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+      "${inputs.nixpkgs-asterisk}/nixos/modules/services/networking/asterisk.nix"
    ];
  };
 }
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@ -17,6 +17,10 @@
        id = 1;
        interface = "eno1";
      };
+      voip = {
+        id = 5;
+        interface = "eno1";
+      };
    };
    interfaces = {
      eno2.useDHCP = true;
@ -24,11 +28,18 @@
        address = "192.168.94.1";
        prefixLength = 24;
      }];
+      voip.ipv4.addresses = [{
+        address = "192.168.93.1";
+        prefixLength = 24;
+      }];
    };
    nat = {
      enable = true;
      externalInterface = "eno2";
-      internalInterfaces = lib.singleton "labprod";
+      internalInterfaces = [
+        "labprod"
+        "voip"
+      ];
    };
  };

--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
@ -1,12 +1,15 @@
 dyndns-password: ENC[AES256_GCM,data:FXAuhhVqs1cD8r1SKaY2pbAdzDU=,iv:t1wj201txdfPXRVBrX8bZbemEDNY9JoCQzKnw/VhW1I=,tag:E1XgN73DME1qKZD7qzkxCg==,type:str]
+asterisk-pjsip: ENC[AES256_GCM,data:V3h5ramFMFcIvprkKs4RrY6gVsm6X+KBz4vVy+t4XevXVvxaGgxQamTiPQoD4JzwC5k+AabWpBGvHiMDkdVlhBbkCwTJrlD6cxrQhp+TsW4wjKtOzF3XZI6mwWMBbnKJFyE/TK67jGR17hvJq3Gx5A2m1/7RpP+tY9J59oe5/9ooG+mAnqCa6IfYxnJX16/0mDGYYf3aG4ScZXYYvyudVFpyYdb2KTJRafgfL568K4vg4Pm+PG1c/T7yxyaZBEq8P+OT4pYhk4now+SF170ZOSx3cslRmHXccduOiHMYd1GbVpL1rHHkHHyAr1jjG6jU+FrYEHKaeVrD1aYE2iGOVdATZafx7ldKc1tSTqSNqDEnUPizjvvCEnm4oxvWk5bB4yUbjxs8ip2dQetF9cOk83QVo6nypx4kvKX/WC+1Wv3WemrZrOhP15+A60Gb9g/N3G809LK3mOTVytq+o1u80wwrh9gTfkQ0FUs/eKr5Ifq5jgJvRU/4Ics4Hc94hWYG+iOVleh62ru15XOZGbsJo2PtVX2A34Ctq8lprBWT0dXY8oZZahoXG1jboK9g4gxvjAAqd0MQA2J2IEhgI+h4e92QY86pc04LDY8PWaiH8o5bd+MSgnTLSGPSxlZ3BPeDdFxB5mVGwo3SlGABfT0VsKxbHfCrQBc2UjH5rW9EQJjpNV78stc3300X+DmmgwvOvw6XkYYmMlOstGMrgz4fEPMqJ95S0LnMBIjL5Vxb1o92nFsElrfWJTyYGcNHFvKzP9LLmtlaausQT7qpeiYKEVE3YdxYiTpddw/gaQjcgzu2kduZEfRTIcxGYA545+R6As96NMlu87YfdaYQmNyHQ+8D50zvS/EwsSJDYWekXTHcKQvodcUnSiS4Md2c8FlBrjvI7p/R11qCrvkVfzblvmi2zGiFXAqAhg5/8NWJVPttVnwC6+VpIroPUy0WUydXTzDVPnYuiVaY5AyIcbcVoULY1M/z2XGnvGN9bLsiEvJz41UjVxsMSqqKTszr6PDvTzhHgW1Qlr7vPnFTL6Hr9NIPj3LkVk3FJ4WAJpuGlL3NjJLXQrW34Sou6nasTT8aEWjjoGDSpNZ/j9HjWYzVGETuQQHXjz/9EvfU2BIwHiL1Xo3X3aW9pyvPv1ZQ+r+bgw/ZyjddVtam2EFYQ3tDV8w1arIB3PH0iwi3O3Bv8OfYg0ru6pX8VOhYtEZJ50w/e0ORQowvIeWFfJDofICRc7Zg2d0280DzPgS9dfKyO5UbBsRdrOx1RtweEwnXGQvXq4zlOZLX0uHD4g/kWSoiQm5jfCiSZPrnY7d9x3FPm/nYHQ3iYKfygFanJ0stMaryMpI+Fsm3nVbFXQ9vKf25ZVa/8CLZvL4XHnPQWErOHsqTzvDJnKqsjwRd7hUIyZ+sHJ4QCnFEEcd8plSYQOSPqgoVsZm2O2li4QdUtAgaeMalLlV0kSM+eOOy1ne90GgbtUzevHEOu0+w+EqzWpVRzVdFZAvBc2xG4qsf6Z2fu1LibNky1EUGs0aQaXD7EJftCY6s0JnkZ/rVGnTmlRZDXdVTodvU7JfVeHj4xn8A3cvP4296aW8So3obnI5dEPTwIbKOpAGZgKjuqk+mNelDJu8Hjr+uipTVAlUrXJgLeoWItfOHkRWxCRkC35BgGWEbUGe7CJfM80Cmi0qOQauRr7akz0dB/gHbHGhq+tLf4Pvi14/nUVbdiQ0zRf/Gy4Gmhh+gX+eGLQ2E/QDGrwzXTjcCmLxfXc+jdMsohLwIL4hvlLyt3o5EN6CKuzU1KtHmdSK/CcMMMyupjvBjT7qxYlaGWAK+PWYcgTc++g3PsPBSjfM7DUp4UicOzyEuryOvSz3sIuA8Fl5Vlv0pDoFgBTy95vn9cRKFhEl9YEVdGfKkHK+JZcNoBgEPDxuKchLO8l5/hFe36AgIM6+PD12lHt5EHJcJGqUW5tmJph6BHvarvVcQ6TkNVynh7TD+DOKJ5TZBrE6gHZ1CGZ8E+lzzpqp+Vrvst+Uwq+5fETv5+nR7iqhWdJ9Ghhek/aGLojaAAf8Ol5UrKdbTRWxddAvrPEreO8609URLCFOYFKVEQ+bCY7iSJVOnsduZGnZ3/3V5TllTgFDBcyWaMlH7kfHNB/6nuwdJO5e3mYsOLiZ+azfOt2bpvSomcvWXkCbEcUxsvZrdd3bfQZPOerDAdzJI1vvux6MXhwCT5vgjLtXOMDL96LDAApGkuWUp8d7N/Eio59/metH/8YCtyeEg8+7eBfXbnJZkAUheJlTWOdfWHbFQL/3jU6x8CpYV18OwRUvYzgTqV6F0fHRonjs+sAgd5t5VKxm7CFuAw0/ZUcDZnaXCbBA0zOeJDgbiA6bVoDJyUMXIBJUt0Cz2oRlvT6DAlIiPYfKKDmXd3hn+W7q+hSrcyDlRVvS3mYEA41H1TuOnx6E+bLtQrKqSytUE5hRs5OqtJ02EDwp1aZqz1Z3Pksoj8+PE+wd+XMacqdZSg09vvLKaJ+luu7teF+amKSLtyv4rFGs6AHol4Au/+mZHdb2pmArUsr2z44k1NqV9dNvzZT0FKTcXsCr0fZa4nxyhS+NvWL60rLtQmwcLh4HMC9CmeFzwNE8PTcItqMmmmJN8m9VsbCcz6cVZM6aEFgnw1bhm4dd1LGHHaO2WpMgbS0OguG7VSTAz4OA/fa1CsEQHwcJFWdFDAvoJt4LiAoKrEtgYEoII6VwF7voBJELSDlqUbNg95dsuwD03iFndBG8cio5Mv5A+SKNQQZo3Zooqlg1dtaOPO4q3QZdiUGw2A1hMppZBPdw+jG6LpNNdPmFJxe0ZmWAsWZGGlRJHNDIHqQESIDAQ3xdMIsBzgQ+liUiVfXl2SJHsCGEp/7GlTAYrxGKLevwFay5FWdJuxyXF479A12Lvd4lO66lfo45zS7GPXPxWWJSOOcvyYCw+q9nEHntqV/XI8ckBr7rw+engFPpN8eqbfpa47f71Dihe11bZ0yDQpjQPjKj8bv+L3XjDmSC12HtworSzzGcHH2MJyTbzxusAGz8eNw6Wjtod/rpMzKX9WjJPW42nnrSs/g1ylw1tIg92R0nVI635m8QbiMy/H9AT+9ELlksq8nwv7k9tZUDVrEe6gdJtfI3KUhefOVTA4k91kwm6BonH34UODvEFWL6EuyHvhCztoLayyC34+Ab0s86tOBENj/ciZHKbz1dTI2AK3zTwaRWNTWyIiFkFjBGBCsbeNxG+Ydcon31D2ga+XkMay1Xw652Z1f0ZNHS4Gayi4+5MgRJKDPgjIzh5shFAb3E5bcAbx5V6QaUhOPDXI1isNJrwxxztRX5XKwQgJrEFVbXlbi4C49/mHSnfbdZSvGlgaEiuxh8xFbf7WMPDiXwxYfcqTz0L4pHwp1WwOVZQ/bmRvg1DG7CLK/p/AmG1ZOIEUhUdlU8vVi+xb47XCqGiZkk5Fsp3v53J0s99BmFtRDF385hj9BI1dpkqIcT9FnBYv/HFMCfMKNyf1p33eNLFb/+0vVjUkCT+m7AApT0TmV5BecR2VRAksls2pg38AHNG61hcDwOGdIN2djMr+gB3zym7H4fyscF7hQ6/wUTTj0hv6wmGxydCS1oacxMRWxmazRANZUagrj2t9+aWsK5V//Qr2AFDXBdStXemhsDlTQBbBTTh7fcI4qkLlECdRqEXg3dpMrkg7x5Ae+GDRbuS7R3oNTWBpfrh5rBNfGjKrbE12LjuUZw=,iv:2u0VbIXZoPb1VshacMr374XYHqZ0eP/pTrLI3OvjAL0=,tag:cd45cSC4gk7EstxWH/gZBw==,type:str]
+asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str]
+asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J5z1gz2o5cLIF73qCj+vApDzSHcz2gTzMEKwEV6H8ZsxJse27dNBIdVq1n18oSWWAMT1iOomxxzqESLhF+HTtBIEpBVi5y5zwMRXGh/72SxKY9TXv/KHxTMp8aBhNvoCn2ze1VOcBjyNxGda4gGgFAa4LNTzxQ1B6XpfgkjsH2uY0zaAd8rrsXPrPY6TNS7JxrBLKfKshTiJCElJJJA1pCcRe4/yMqCm14J5+n3FvEOnHC+BQHX+ohJYaBcrZblWF5rH/l25BnUgP4UC9ydk3LmQiLpH20+sTWZwi/FojeID0BahdrzOk0tNCTKwNtfFp2QzYvlQPdFRCINb5k1Pz9DNLx7bSv1mvkeGNbd1YdHvEnPwYrQmAae96kg+Vl8PVRqY7ZsMsktcOfqlw8k/W4DK0G6LBA5U9G7JryS5OeS3kMMo4vQzcjU8/eZMl/XwHB0806k63wI7j3wL9Z5+DGmdLX3z3RgtJunELTcayAwerRptuwidm69hbOhmWEwkCcrR42QNVuDD8Qxp/CnwnmwUawUFBOFIBjbQApT9miOmo3e7nY5fjbf4JUbJ9/0JbT7YtZOEU9ymACobX6fweOsYUoWTXprJDwZkln8omaAbP85g4XgGGoltdTk71OviSSfN3DCKfPwPop8GZ9UEBQN9rNUyllVRoTeaweqN2VJnD/ApWj8A22i66R1CPm6ebXLOjClahs/hCKTeYHXPiDjWb5xd9c0fQBlnHaWbVYLtGzBpf0p9oU7DE2KskzZE2TDat8qCdMeqBcpEwUVGqcqq4YWDPy593XZzpG91NYDAb6GbkYHiZw+OQStEFA4SbN4YdwPB0fZN0iW+IOQPfWgUiRj2wAUYRXRpxPQ2ZDh7Ie0oZbJvhx6ulEM8nKI4q4e3pkzF7KjT2z9KzinkhvjqlpU0vfCm4BFMUcKXVskQsiDA9gz4w0m7Ei4HbyDHoUGVCUDtv0W6IfjrEUsBasxcYkown20rip/CwKTPmKy26bz6iHgUAB6f71Ms8sdKr7gHdnzOK3OBm5I+gell6SsdDDfGgQdUHJwSu8XwwJdc7Faai7+wN1stfSglm4PwuoFIH9ucgVyXrAwLJIQ==,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2021-12-18T19:53:04Z"
-    mac: ENC[AES256_GCM,data:y7gMYWpapU/dPEZmzQucmV7P+OdAsQmxrVdTiFLAdEbyJVHaxrN31al+e61sa8lfYiRwNCy8d4YW0KohLfS/5NUW2xxvFLgZaGBUwV1+l/4XiPl+ehj7MCbsNTZlK+X0JkT82kL9Z2N5QNACZ7nZlH5X6xPYldehs9IFIgw5jwU=,iv:MXbLB1+otY0FPybM2Dzv1pyNpAo0ajP9PjxyFMGHTMY=,tag:norYrQYtRY+HJm1/Sehbzw==,type:str]
+    lastmodified: "2021-12-22T19:12:17Z"
+    mac: ENC[AES256_GCM,data:86N6c+PUwuoosU/Ktb6+EKERiny4C3hHDzf5uLR3j5RXdVjVkGa8laGX45s8OGsfcg4/V6O9gnDOl9eAzUsaS9A6ckl6dpfTAGJ/HNb1zWyU7OLwoGqzMWR5E5JO6+EznYSBOb6rhO5EAJsJJ097IZox/PRkMfz0h6fpa1ffxP4=,iv:2Nzl85sqFgbSnMjguao9JuN8KFa8v2Q+UhMB3TzhqOc=,tag:oSbuvKix7NPdjTrOeCizig==,type:str]
    pgp:
        - created_at: "2021-12-18T19:52:00Z"
          enc: |
--- a/machines/raven/services/asterisk.nix
+++ b/machines/raven/services/asterisk.nix
@ -0,0 +1,115 @@
+{ config, lib, ... }:
+let
+  secretConfigFiles = [
+    "ari"
+    "pjsip"
+    "voicemail"
+  ];
+  rtp = {
+    start = 10000;
+    end = 10200;
+  };
+in
+{
+  # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+  disabledModules = [ "services/networking/asterisk.nix" ];
+
+  services.asterisk = {
+    enable = true;
+    confFiles = {
+      "extensions.conf" = ''
+        [sipgate-in]
+        exten => _2430207e0,1,Noop(Processing an incoming call)
+        same => n,Dial(PJSIP/100,20,tT)
+        same  = n,VoiceMail(7929876@fablab,su)
+        same => n,Hangup()
+
+        [dect]
+        exten = 99,1,Answer()
+        same = n,Wait(1)
+        same = n,VoiceMailMain(7929876@fablab)
+        same = n,Hangup()
+
+        exten = 98,1,Answer()
+        same = n,Wait(1)
+        same = n,Playback(der_dude_ist_nicht)
+        same = n,Hangup()
+
+        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; weinturm
+        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+        same = n,Hangup()
+        ; /weinturm
+
+        exten => _XXX.,1,Noop(Processing an outgoing call)
+        same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
+        same => n,Hangup()
+
+        [cisco]
+        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        exten = 420,1,Dial(PJSIP/101,30,tT)
+        same = n,Hangup()
+
+        exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; weinturm
+        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+        same = n,Hangup()
+        ; /weinturm
+      '';
+      "http.conf" = ''
+        [general]
+        enabled=yes
+        bindaddr=127.0.0.1
+
+        ; Port to bind to for HTTP sessions (default is 8088)
+        ;bindport=8088
+
+        tlsdisablev1=yes
+        tlsdisablev11=yes
+        tlsdisablev12=yes
+
+        tlsservercipherorder=yes
+      '';
+      "rtp.conf" = ''
+        [general]
+        rtpstart=${toString rtp.start}
+        rtpend=${toString rtp.end}
+      '';
+    };
+    useTheseDefaultConfFiles = [ ];
+  };
+
+  sops.secrets = (lib.listToAttrs (map
+    (name: lib.nameValuePair "asterisk-${name}" {
+      sopsFile = ../secrets.yaml;
+      owner = config.users.users.asterisk.name;
+    })
+    secretConfigFiles));
+  environment.etc = lib.mapAttrs'
+    (name: _: lib.nameValuePair
+      "asterisk/${name}.conf"
+      { source = config.sops.secrets."asterisk-${name}".path; })
+    (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
+
+  networking.firewall = {
+    allowedUDPPorts = [
+      5060
+      5062
+    ];
+    allowedUDPPortRanges = [
+      {
+        from = rtp.start;
+        to = rtp.end;
+      }
+    ];
+  };
+}
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./asterisk.nix
    ./dnsmasq.nix
    ./dyndns.nix
    ./labsync.nix
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@ -9,6 +9,7 @@

      expand-hosts
      domain=lab.fablab-nea.de
+      dhcp-range=192.168.93.20,192.168.93.254,5m
      dhcp-range=192.168.94.20,192.168.94.254,5m

      dhcp-boot=lpxelinux.0,raven,192.168.94.1