From c5e0d022187b399f67895ec51086e6bc8f8d7942 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Sun, 20 Jul 2025 23:43:13 +0200
Subject: [PATCH] Add fieldpoc

---
 .sops.yaml | 10 +++
 docs/SUMMARY.md | 1 +
 docs/fieldpoc.md | 29 +++++++++
 docs/hp-switch.md | 21 ++++---
 flake.lock | 30 ++++-----
 flake.nix | 2 +-
 hosts/default.nix | 1 +
 hosts/pbx/configuration.nix | 1 +
 hosts/pbx/secrets.yaml | 30 +++++++++
 hosts/pbx/services/default.nix | 5 ++
 hosts/pbx/services/fieldpoc.nix | 106 ++++++++++++++++++++++++++++++++
 11 files changed, 211 insertions(+), 25 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 docs/fieldpoc.md
 create mode 100644 hosts/pbx/secrets.yaml
 create mode 100644 hosts/pbx/services/default.nix
 create mode 100644 hosts/pbx/services/fieldpoc.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..791a93b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &admin_jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+ - &host_pbx age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
+creation_rules:
+ - path_regex: hosts/pbx/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_jalr
+ age:
+ - *host_pbx
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index c544387..d17bc4a 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -1,3 +1,4 @@
 # Weinturm Open Air Infrastructure
 
+* [fieldpoc](fieldpoc.md)
 * [HP Switch](hp-switch.md)
diff --git a/docs/fieldpoc.md b/docs/fieldpoc.md
new file mode 100644
index 0000000..f16a239
--- /dev/null
+++ b/docs/fieldpoc.md
@@ -0,0 +1,29 @@
+# FieldPOC
+
+A simple to use, good enough phone system for medium sized DECT networks.
+
+## Setup
+
+### Open AXI port on OMM
+
+```text
+ssh omm@$omm
+ommconsole
+cnf sys uap on
+```
+
+### Generate secrets
+
+example `secrets.yaml`:
+
+```yaml
+fieldpoc:
+ omm: s0m3Pa55w0rd
+ sip: 000102030405060708090a0b0c0d0e0f
+```
+
+sipsecret **must** be a 32 character long hexadecimal string.
+
+```bash
+nix run nixpkgs#openssl -- rand -hex 16
+```
diff --git a/docs/hp-switch.md b/docs/hp-switch.md index e28d2d3..b87668b 100644 --- a/docs/hp-switch.md +++ b/docs/hp-switch.md @@ -36,6 +36,8 @@ Change screen length: `screen-length 50` ### Bauwagen +#### Ports + ```text console baud-rate 115200 write memory @@ -45,39 +47,40 @@ conf t vlan 2 name jugendtreff vlan 2 qos priority 1 +vlan 2 tagged 23,24 vlan 6 name public-event vlan 6 qos priority 0 +vlan 6 tagged 21-24 vlan 7 name weinturm vlan 7 qos priority 1 +vlan 7 tagged 21-24 +vlan 7 untagged 1-12 vlan 8 name voice vlan 8 qos priority 5 +vlan 8 tagged 21-24 +vlan 8 untagged 17,19 vlan 8 voice interface ethernet 1-12 enable -interface ethernet 1-12 untagged vlan 7 + +interface ethernet 17,19 enable +interface ethernet 17,19 name dect interface ethernet 21 name kleinturm-copper interface ethernet 22 name kleinturm-fiber interface ethernet 22 speed-duplex 1000-full -interface ethernet 21,22 tagged vlan 6,7,8 interface ethernet 23 name pbx interface ethernet 23 enable interface ethernet 23 speed-duplex auto-1000 -interface ethernet 23 tagged vlan 2,6,7,8 interface ethernet 24 name uplink interface ethernet 24 speed-duplex 1000-full -interface ethernet 23 tagged vlan 2,6,7,8 - -dhcp-snooping vlan 1-100 -dhcp-snooping trust 24 -dhcp-snooping authorized-server 192.168.96.1 -dhcp-snooping +vlan 1 forbid 1-12,17,19,21-24 ``` diff --git a/flake.lock b/flake.lock index b36a092..ef25fc7 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1752541678, - "narHash": "sha256-dyhGzkld6jPqnT/UfGV2oqe7tYn7hppAqFvF3GZTyXY=", + "lastModified": 1752718651, + "narHash": "sha256-PkaR0qmyP9q/MDN3uYa+RLeBA0PjvEQiM0rTDDBXkL8=", "owner": "nix-community", "repo": "disko", - "rev": "2bf3421f7fed5c84d9392b62dcb9d76ef09796a7", + "rev": "d5ad4485e6f2edcc06751df65c5e16572877db88", "type": "github" }, "original": { 
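Review bot: Dropping the whole `dhcp-snooping` block (`dhcp-snooping vlan 1-100`, `dhcp-snooping trust 24`, `dhcp-snooping authorized-server 192.168.96.1`, `dhcp-snooping`) removes the only protection against a rogue DHCP server on the access ports 1-12, 17 and 19 that this same listing enables. The likely reason is that the pbx on port 23 now answers DHCP on the voice VLAN (fieldpoc.nix enables `dhcp` on interface `voice` with router `192.168.98.1`), which the old rules would have blocked because port 23 was untrusted and only `192.168.96.1` was authorized; the fix is to extend the rules rather than delete them, e.g. `dhcp-snooping trust 23,24` and `dhcp-snooping authorized-server 192.168.98.1` next to the existing `192.168.96.1` entry. Which address the pbx serves each VLAN from is not visible here, so the authorized-server list should be confirmed against the pbx interface configuration. If snooping was dropped deliberately, a one-line note under the new `#### Ports` heading saying why would stop the next reader from re-adding it.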
@@ -47,17 +47,17 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1711287766, - "narHash": "sha256-2roymGPfsQZC1Lg/i3iffBQ8c86DLEXmuoKQIlbOg5o=", + "lastModified": 1753041163, + "narHash": "sha256-tznTKkemDXlG/YuVeC+mxc9n6zU+48BQfjm8GrHf4fo=", "ref": "refs/heads/main", - "rev": "f707f212378f9d8de103ac96abcd9d377a2605a8", - "revCount": 56, + "rev": "3d771daae7aef7f5d8556f4c754c50c2a76661d2", + "revCount": 67, "type": "git", - "url": "https://git.clerie.de/clerie/fieldpoc.git" + "url": "https://git.jalr.de/jalr/fieldpoc.git" }, "original": { "type": "git", - "url": "https://git.clerie.de/clerie/fieldpoc.git" + "url": "https://git.jalr.de/jalr/fieldpoc.git" } }, "flake-compat": {
@@ -122,11 +122,11 @@ ] }, "locked": { - "lastModified": 1752544374, - "narHash": "sha256-ReX0NG6nIAEtQQjLqeu1vUU2jjZuMlpymNtb4VQYeus=", + "lastModified": 1752780124, + "narHash": "sha256-5dn97vIYxn6VozKePOQSDxVCsrl38nDdMJXx86KIJH0=", "owner": "nix-community", "repo": "home-manager", - "rev": "2e00ed310c218127e02ffcf28ddd4e0f669fde3e", + "rev": "c718918222bdb104397762dea67e6b397a7927fe", "type": "github" }, "original": {
@@ -263,11 +263,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1752620740, - "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", + "lastModified": 1752866191, + "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", + "rev": "f01fe91b0108a7aff99c99f2e9abbc45db0adc2a", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index 342663c..d0fc538 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
- fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+ fieldpoc.url = "git+https://git.jalr.de/jalr/fieldpoc.git";
 
 flake-utils.url = "github:numtide/flake-utils";
 
diff --git a/hosts/default.nix b/hosts/default.nix
index 9f86f5b..a94de06 100644
--- a/hosts/default.nix
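Review bot: The `fieldpoc` input now points at `git+https://git.jalr.de/jalr/fieldpoc.git` without a `ref` or `rev` in the URL, so only flake.lock (rev `3d771daae…`, narHash) pins what gets built and the next `nix flake update` will take whatever `main` on the new host contains. For an input that ends up providing the PBX service itself, pin it in flake.nix as well, `fieldpoc.url = "git+https://git.jalr.de/jalr/fieldpoc.git?ref=main&rev=3d771daae7aef7f5d8556f4c754c50c2a76661d2";`, or at least add `# fork of git+https://git.clerie.de/clerie/fieldpoc.git` above it so the provenance stays visible. The revCount moving from 56 to 67 in the lock suggests the fork carries local commits; a pointer to what they change would help the next reviewer.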
+++ b/hosts/default.nix
@@ -1,5 +1,6 @@
 _inputs: {
 pbx = {
 system = "x86_64-linux";
+ targetHost = "192.168.96.1";
 };
 }
diff --git a/hosts/pbx/configuration.nix b/hosts/pbx/configuration.nix
index 709d889..568611c 100644
--- a/hosts/pbx/configuration.nix
+++ b/hosts/pbx/configuration.nix
@@ -2,6 +2,7 @@
 imports = [
 ./disko.nix
 ../../users/jalr
+ ./services
 ];
 
 weinturm = {
diff --git a/hosts/pbx/secrets.yaml b/hosts/pbx/secrets.yaml
new file mode 100644
index 0000000..c0c44cb
--- /dev/null
+++ b/hosts/pbx/secrets.yaml
@@ -0,0 +1,30 @@
+fieldpoc:
+ omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
+ sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
+sops:
+ age:
+ - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYWFhQUIwVXpRYmtPVlpC
+ VGF1VnhqcU9DWFVnbEI3dU44KytGeWV0ZERvCnpxd2c2MWlOYzlhNW85OG1ySy95
+ UXk4Um4vV29IdmNTb0FGNmw5ZGtIQ0EKLS0tIDFXK2RsMjFwSFRVR0V3S0FTcVBk
+ TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
+ JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-20T18:36:56Z"
+ mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str]
+ pgp:
+ - created_at: "2025-07-18T23:14:45Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DY/xpNY5WhB0SAQdA5BD/2H3ei7/9sJa1ANVXMF1hqugGXCVnQl818nkziRww
+ 0WVMtGXiGpwlNYmDX6XVX7s232/PhGPWfpgjjlC/FVnj8wfgs5+LEc/qjRPFD0Vg
+ 0lwBbdyMeq1B5GeyHwlHLsl1T2PZR5401gyoUH0cvdUGby3NKLNNStJBSVCeUjKP
+ 5lyRdroUp3e9qqLrItgZylyXY5I3c8MUjYSRc9/LWi6rXr9gvw2VHQITuRe1GQ==
+ =0PlX
+ -----END PGP MESSAGE-----
+ fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/hosts/pbx/services/default.nix b/hosts/pbx/services/default.nix
new file mode 100644
index 0000000..136d645
--- /dev/null
+++ b/hosts/pbx/services/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./fieldpoc.nix
+ ];
+}
diff --git a/hosts/pbx/services/fieldpoc.nix b/hosts/pbx/services/fieldpoc.nix
new file mode 100644
index 0000000..ae8b03a
--- /dev/null
+++ b/hosts/pbx/services/fieldpoc.nix
@@ -0,0 +1,106 @@
+{config, ...}: let
+ ommIp = "192.168.98.11";
+ rtpPorts = {
+ from = 11000;
+ to = 11250;
+ };
+in {
+ sops.secrets."fieldpoc/omm" = {
+ sopsFile = ../secrets.yaml;
+ owner = "fieldpoc";
+ };
+ sops.secrets."fieldpoc/sip" = {
+ sopsFile = ../secrets.yaml;
+ owner = "fieldpoc";
+ };
+
+ networking.firewall.interfaces.voice = {
+ allowedUDPPorts = [53 5060];
+ allowedUDPPortRanges = [
+ {
+ inherit (rtpPorts) from;
+ inherit (rtpPorts) to;
+ }
+ ];
+ };
+ networking.firewall.interfaces.jugendtreff = {
+ allowedUDPPortRanges = [
+ {
+ inherit (rtpPorts) from;
+ inherit (rtpPorts) to;
+ }
+ ];
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/fieldpoc";
+ user = "fieldpoc";
+ group = "fieldpoc";
+ mode = "u=rwx,g=,o=";
+ }
+ {
+ directory = "/var/lib/postgresql";
+ user = "postgres";
+ group = "postgres";
+ mode = "u=rwx,g=rx,o=";
+ }
+ ];
+
+ services = {
+ yate.config.yrtpchan.general = {
+ minport = rtpPorts.from;
+ maxport = rtpPorts.to;
+ };
+
+ dnscache = {
+ enable = true;
+ clientIps = ["192.168.98"];
+ };
+
+ fieldpoc = {
+ enable = true;
+ inherit ommIp;
+ ommUser = "omm";
+ ommPasswordPath = config.sops.secrets."fieldpoc/omm".path;
+ sipsecretPath = config.sops.secrets."fieldpoc/sip".path;
+
+ dhcp = {
+ enable = true;
+ interface = "voice";
+ subnet = "192.168.98.0/24";
+ pool = "192.168.98.100 - 192.168.98.250";
+ router = "192.168.98.1";
+ dnsServers = "192.168.98.1";
+ omm = ommIp;
+ reservations = [
+ {
+ name = "rfp-01";
+ macAddress = "00:30:42:1b:23:ed";
+ ipAddress = ommIp;
+ }
+ {
+ name = "rfp-02";
+ macAddress = "00:30:42:1b:21:c1";
+ ipAddress = "192.168.98.12";
+ }
+ {
+ name = "rfp-03";
+ macAddress = "00:30:42:1b:26:f6";
+ ipAddress = "192.168.98.13";
+ }
+ {
+ name = "rfp-04";
+ macAddress = "00:30:42:1b:22:3b";
+ ipAddress = "192.168.98.14";
+ }
+ {
+ name = "rfp-05";
+ macAddress = "00:30:42:1b:22:7c";
+ ipAddress = "192.168.98.15";
+ }
+ ];
+ };
+ };
+}
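Review bot: Both firewall stanzas rebuild `rtpPorts` field by field (`inherit (rtpPorts) from; inherit (rtpPorts) to;`) even though the attrset already has exactly the `{ from; to; }` shape that `allowedUDPPortRanges` takes; `allowedUDPPortRanges = [ rtpPorts ];` in the `voice` and `jugendtreff` blocks keeps the range defined once and drops eight lines. The interface name `"voice"` is likewise spelled out twice (the firewall attribute and `dhcp.interface`); a `voiceIf = "voice";` beside `ommIp` in the `let` would keep the two from drifting apart. 5060/udp and the RTP range are opened to the whole voice VLAN, whose pool `192.168.98.100 - 192.168.98.250` is handed to any device on the DECT ports, so presumably the SIP secret is what gates registration; a short comment above `allowedUDPPorts` stating that would help whoever next widens the rule. Whether the DHCP server also needs 67/udp in `allowedUDPPorts` depends on the socket type the fieldpoc module uses, which this file does not show — worth confirming on the first boot.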