From 3fe66c180cbce7b489dc977e7e41835dda4bd8fa Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 8 Dec 2021 17:42:20 +0100
Subject: [PATCH] raven/asterisk: init
Co-Authored-By: Jakob Lechner
---
.sops.yaml | 6 ++
flake.lock | 17 ++++
flake.nix | 2 +
machines/default.nix | 2 +
machines/raven/configuration.nix | 13 ++-
machines/raven/secrets.yaml | 7 +-
machines/raven/services/asterisk.nix | 115 +++++++++++++++++++++++++++
machines/raven/services/default.nix | 1 +
machines/raven/services/dnsmasq.nix | 1 +
9 files changed, 161 insertions(+), 3 deletions(-)
create mode 100644 machines/raven/services/asterisk.nix
diff --git a/.sops.yaml b/.sops.yaml
index 69351cd..74f5600 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,3 +9,9 @@ creation_rules: - *jalr - *simon - *raven
+ - path_regex: machines/raven/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *jalr
+ - *simon
+ - *raven
diff --git a/flake.lock b/flake.lock
index f558aea..4f97a04 100644
--- a/flake.lock
+++ b/flake.lock
@@ -94,6 +94,22 @@
"type": "github"
}
},
+ "nixpkgs-asterisk": {
+ "locked": {
+ "lastModified": 1638872530,
+ "narHash": "sha256-4tQOkGTdwa4xGJNwKaM+c67u37bDP4cDseYppq3xy0s=",
+ "owner": "yayayayaka",
+ "repo": "nixpkgs",
+ "rev": "77758650a83959c60aa2c7e2f2cf739ec7ddb793",
+ "type": "github"
+ },
+ "original": {
+ "owner": "yayayayaka",
+ "ref": "asterisk-secrets-handling",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1640408860,
@@ -117,6 +133,7 @@
"nix-pre-commit-hooks": "nix-pre-commit-hooks",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
+ "nixpkgs-asterisk": "nixpkgs-asterisk",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
diff --git a/flake.nix b/flake.nix
index 05125cb..1364d6b 100644
--- a/flake.nix
+++ b/flake.nix
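Review bot: The new creation rule for `machines/raven/secrets\.yaml$` carries exactly the key group (`*jalr`, `*simon`, `*raven`) that the rule directly above it ends with, so it looks redundant unless that rule's `path_regex`, which lies outside the hunk, does not already match raven's secrets file. If it does, the new entry can be dropped; if it does not, a one-line comment above the new rule saying why raven's secrets need their own rule (`# raven's host key must be able to decrypt its own secrets for sops-nix`) would stop the next reader from asking the same question.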
@@ -9,6 +9,8 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+ nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/asterisk-secrets-handling";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
diff --git a/machines/default.nix b/machines/default.nix
index da35b91..a773f2b 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -9,6 +9,8 @@ in
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
+ # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+ "${inputs.nixpkgs-asterisk}/nixos/modules/services/networking/asterisk.nix"
];
};
}
diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index d29f3fd..493ccd6 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -17,6 +17,10 @@
id = 1;
interface = "eno1";
};
+ voip = {
+ id = 5;
+ interface = "eno1";
+ };
};
interfaces = {
eno2.useDHCP = true;
@@ -24,11 +28,18 @@
address = "192.168.94.1";
prefixLength = 24;
}];
+ voip.ipv4.addresses = [{
+ address = "192.168.93.1";
+ prefixLength = 24;
+ }];
};
nat = {
enable = true;
externalInterface = "eno2";
- internalInterfaces = lib.singleton "labprod";
+ internalInterfaces = [
+ "labprod"
+ "voip"
+ ];
};
};
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 7fef540..7d9101c 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
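Review bot: `nixpkgs-asterisk.url` follows the mutable branch `asterisk-secrets-handling` of a third-party nixpkgs fork, so the next `nix flake update` will silently move the NixOS module that handles Asterisk's secret files to whatever that branch then contains. flake.lock pins rev `77758650a83959c60aa2c7e2f2cf739ec7ddb793`; putting that rev in the URL, `nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/77758650a83959c60aa2c7e2f2cf739ec7ddb793";`, keeps the fork dependency explicit and review-gated until the upstream PR named in the TODO lands. The same TODO is repeated in machines/default.nix and implicitly in the `disabledModules` line of machines/raven/services/asterisk.nix; keeping the rationale here and referring to this comment from the other two places avoids the three drifting apart.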
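Review bot: Adding `voip` to `networking.nat.internalInterfaces` gives the phone VLAN a masqueraded path to the internet, and as far as I can tell from this file nothing filters the FORWARD path, so traffic can also be routed between `voip` (192.168.93.0/24) and `labprod` (192.168.94.0/24) in both directions; I cannot see firewall rules outside these hunks, so this may be handled elsewhere. If the handsets only need the PBX on this host, consider leaving `voip` out of the NAT list, or add forward rules that limit what the VLAN can reach. In either case a short comment on the new `voip` vlan block stating what the phones are expected to reach (`# phone VLAN (id 5): handsets register against the PBX on 192.168.93.1`) would document the intent for the next change.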
@@ -1,12 +1,15 @@ dyndns-password: ENC[AES256_GCM,data:FXAuhhVqs1cD8r1SKaY2pbAdzDU=,iv:t1wj201txdfPXRVBrX8bZbemEDNY9JoCQzKnw/VhW1I=,tag:E1XgN73DME1qKZD7qzkxCg==,type:str] +asterisk-pjsip: ENC[AES256_GCM,data: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,iv:2u0VbIXZoPb1VshacMr374XYHqZ0eP/pTrLI3OvjAL0=,tag:cd45cSC4gk7EstxWH/gZBw==,type:str] +asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] +asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2021-12-18T19:53:04Z" - mac: ENC[AES256_GCM,data:y7gMYWpapU/dPEZmzQucmV7P+OdAsQmxrVdTiFLAdEbyJVHaxrN31al+e61sa8lfYiRwNCy8d4YW0KohLfS/5NUW2xxvFLgZaGBUwV1+l/4XiPl+ehj7MCbsNTZlK+X0JkT82kL9Z2N5QNACZ7nZlH5X6xPYldehs9IFIgw5jwU=,iv:MXbLB1+otY0FPybM2Dzv1pyNpAo0ajP9PjxyFMGHTMY=,tag:norYrQYtRY+HJm1/Sehbzw==,type:str] + lastmodified: "2021-12-22T19:12:17Z" + mac: ENC[AES256_GCM,data:86N6c+PUwuoosU/Ktb6+EKERiny4C3hHDzf5uLR3j5RXdVjVkGa8laGX45s8OGsfcg4/V6O9gnDOl9eAzUsaS9A6ckl6dpfTAGJ/HNb1zWyU7OLwoGqzMWR5E5JO6+EznYSBOb6rhO5EAJsJJ097IZox/PRkMfz0h6fpa1ffxP4=,iv:2Nzl85sqFgbSnMjguao9JuN8KFa8v2Q+UhMB3TzhqOc=,tag:oSbuvKix7NPdjTrOeCizig==,type:str] pgp: - created_at: "2021-12-18T19:52:00Z" enc: | diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix new file mode 100644 index 0000000..235a130 --- /dev/null +++ b/machines/raven/services/asterisk.nix 
@@ -0,0 +1,115 @@
+{ config, lib, ... }:
+let
+ secretConfigFiles = [
+ "ari"
+ "pjsip"
+ "voicemail"
+ ];
+ rtp = {
+ start = 10000;
+ end = 10200;
+ };
+in
+{
+ # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+ disabledModules = [ "services/networking/asterisk.nix" ];
+
+ services.asterisk = {
+ enable = true;
+ confFiles = {
+ "extensions.conf" = ''
+ [sipgate-in]
+ exten => _2430207e0,1,Noop(Processing an incoming call)
+ same => n,Dial(PJSIP/100,20,tT)
+ same = n,VoiceMail(7929876@fablab,su)
+ same => n,Hangup()
+
+ [dect]
+ exten = 99,1,Answer()
+ same = n,Wait(1)
+ same = n,VoiceMailMain(7929876@fablab)
+ same = n,Hangup()
+
+ exten = 98,1,Answer()
+ same = n,Wait(1)
+ same = n,Playback(der_dude_ist_nicht)
+ same = n,Hangup()
+
+ exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+ same = n,Hangup()
+
+ exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+ same = n,Hangup()
+
+ ; weinturm
+ exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+ same = n,Hangup()
+ ; /weinturm
+
+ exten => _XXX.,1,Noop(Processing an outgoing call)
+ same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
+ same => n,Hangup()
+
+ [cisco]
+ exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+ same = n,Hangup()
+
+ exten = 420,1,Dial(PJSIP/101,30,tT)
+ same = n,Hangup()
+
+ exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+ same = n,Hangup()
+
+ ; weinturm
+ exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+ same = n,Hangup()
+ ; /weinturm
+ '';
+ "http.conf" = ''
+ [general]
+ enabled=yes
+ bindaddr=127.0.0.1
+
+ ; Port to bind to for HTTP sessions (default is 8088)
+ ;bindport=8088
+
+ tlsdisablev1=yes
+ tlsdisablev11=yes
+ tlsdisablev12=yes
+
+ tlsservercipherorder=yes
+ '';
+ "rtp.conf" = ''
+ [general]
+ rtpstart=${toString rtp.start}
+ rtpend=${toString rtp.end}
+ '';
+ };
+ useTheseDefaultConfFiles = [ ];
+ };
+
+ sops.secrets = (lib.listToAttrs (map
+ (name: lib.nameValuePair "asterisk-${name}" {
+ sopsFile = ../secrets.yaml;
+ owner = config.users.users.asterisk.name;
+ })
secretConfigFiles));
+ environment.etc = lib.mapAttrs'
+ (name: _: lib.nameValuePair
+ "asterisk/${name}.conf"
+ { source = config.sops.secrets."asterisk-${name}".path; })
+ (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
+
+ networking.firewall = {
+ allowedUDPPorts = [
+ 5060
+ 5062
+ ];
+ allowedUDPPortRanges = [
+ {
+ from = rtp.start;
+ to = rtp.end;
+ }
+ ];
+ };
+}
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index ae47ca9..c4f05bf 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -1,5 +1,6 @@
{
imports = [
+ ./asterisk.nix
./dnsmasq.nix
./dyndns.nix
./labsync.nix
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index fdf7531..0eb666a 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -9,6 +9,7 @@
expand-hosts
domain=lab.fablab-nea.de
+ dhcp-range=192.168.93.20,192.168.93.254,5m
dhcp-range=192.168.94.20,192.168.94.254,5m
dhcp-boot=lpxelinux.0,raven,192.168.94.1
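Review bot: `networking.firewall.allowedUDPPorts = [ 5060 5062 ]` and the RTP range 10000–10200 are opened on every interface, including the NAT external interface `eno2` from machines/raven/configuration.nix, so SIP signalling and media from the internet reach this PBX directly; the handsets live on the `voip` VLAN only, so the per-interface form `networking.firewall.interfaces.voip.allowedUDPPorts = [ 5060 5062 ];` together with `networking.firewall.interfaces.voip.allowedUDPPortRanges = [ { from = rtp.start; to = rtp.end; } ];` covers them, and only the sipgate trunk (whose pjsip.conf is a secret I cannot see) may need anything on `eno2`, ideally limited to the provider's addresses via `networking.firewall.extraCommands`. The `environment.etc` expression builds an attribute set from `secretConfigFiles` only to `lib.mapAttrs'` over it; `environment.etc = lib.listToAttrs (map (name: lib.nameValuePair "asterisk/${name}.conf" { source = config.sops.secrets."asterisk-${name}".path; }) secretConfigFiles);` does the same in the style the `sops.secrets` block directly above already uses. The `tlsdisablev1`/`tlsdisablev11`/`tlsdisablev12` lines in http.conf have no effect while `tlsenable` is left unset, so a comment such as `; ARI is served over plain HTTP on 127.0.0.1 only; the TLS settings below apply only if tlsenable=yes is added` would make that deliberate rather than accidental.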