Add fieldpoc

2025-07-20 23:43:13 +02:00 · 2025-07-20 23:43:13 +02:00 · c5e0d02218
commit c5e0d02218
parent 99560ea408
11 changed files with 211 additions and 25 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,5 +1,6 @@
 _inputs: {
  pbx = {
    system = "x86_64-linux";
+    targetHost = "192.168.96.1";
  };
 }
--- a/hosts/pbx/configuration.nix
+++ b/hosts/pbx/configuration.nix
@ -2,6 +2,7 @@
  imports = [
    ./disko.nix
    ../../users/jalr
+    ./services
  ];

  weinturm = {
--- a/hosts/pbx/secrets.yaml
+++ b/hosts/pbx/secrets.yaml
@ -0,0 +1,30 @@
+fieldpoc:
+    omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
+    sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
+sops:
+    age:
+        - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYWFhQUIwVXpRYmtPVlpC
+            VGF1VnhqcU9DWFVnbEI3dU44KytGeWV0ZERvCnpxd2c2MWlOYzlhNW85OG1ySy95
+            UXk4Um4vV29IdmNTb0FGNmw5ZGtIQ0EKLS0tIDFXK2RsMjFwSFRVR0V3S0FTcVBk
+            TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
+            JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-20T18:36:56Z"
+    mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str]
+    pgp:
+        - created_at: "2025-07-18T23:14:45Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DY/xpNY5WhB0SAQdA5BD/2H3ei7/9sJa1ANVXMF1hqugGXCVnQl818nkziRww
+            0WVMtGXiGpwlNYmDX6XVX7s232/PhGPWfpgjjlC/FVnj8wfgs5+LEc/qjRPFD0Vg
+            0lwBbdyMeq1B5GeyHwlHLsl1T2PZR5401gyoUH0cvdUGby3NKLNNStJBSVCeUjKP
+            5lyRdroUp3e9qqLrItgZylyXY5I3c8MUjYSRc9/LWi6rXr9gvw2VHQITuRe1GQ==
+            =0PlX
+            -----END PGP MESSAGE-----
+          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/hosts/pbx/services/default.nix
+++ b/hosts/pbx/services/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./fieldpoc.nix
+  ];
+}
--- a/hosts/pbx/services/fieldpoc.nix
+++ b/hosts/pbx/services/fieldpoc.nix
@ -0,0 +1,106 @@
+{config, ...}: let
+  ommIp = "192.168.98.11";
+  rtpPorts = {
+    from = 11000;
+    to = 11250;
+  };
+in {
+  sops.secrets."fieldpoc/omm" = {
+    sopsFile = ../secrets.yaml;
+    owner = "fieldpoc";
+  };
+  sops.secrets."fieldpoc/sip" = {
+    sopsFile = ../secrets.yaml;
+    owner = "fieldpoc";
+  };
+
+  networking.firewall.interfaces.voice = {
+    allowedUDPPorts = [53 5060];
+    allowedUDPPortRanges = [
+      {
+        inherit (rtpPorts) from;
+        inherit (rtpPorts) to;
+      }
+    ];
+  };
+  networking.firewall.interfaces.jugendtreff = {
+    allowedUDPPortRanges = [
+      {
+        inherit (rtpPorts) from;
+        inherit (rtpPorts) to;
+      }
+    ];
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/fieldpoc";
+      user = "fieldpoc";
+      group = "fieldpoc";
+      mode = "u=rwx,g=,o=";
+    }
+    {
+      directory = "/var/lib/postgresql";
+      user = "postgres";
+      group = "postgres";
+      mode = "u=rwx,g=rx,o=";
+    }
+  ];
+
+  services = {
+    yate.config.yrtpchan.general = {
+      minport = rtpPorts.from;
+      maxport = rtpPorts.to;
+    };
+
+    dnscache = {
+      enable = true;
+      clientIps = ["192.168.98"];
+    };
+
+    fieldpoc = {
+      enable = true;
+      inherit ommIp;
+      ommUser = "omm";
+      ommPasswordPath = config.sops.secrets."fieldpoc/omm".path;
+      sipsecretPath = config.sops.secrets."fieldpoc/sip".path;
+
+      dhcp = {
+        enable = true;
+        interface = "voice";
+        subnet = "192.168.98.0/24";
+        pool = "192.168.98.100 - 192.168.98.250";
+        router = "192.168.98.1";
+        dnsServers = "192.168.98.1";
+        omm = ommIp;
+        reservations = [
+          {
+            name = "rfp-01";
+            macAddress = "00:30:42:1b:23:ed";
+            ipAddress = ommIp;
+          }
+          {
+            name = "rfp-02";
+            macAddress = "00:30:42:1b:21:c1";
+            ipAddress = "192.168.98.12";
+          }
+          {
+            name = "rfp-03";
+            macAddress = "00:30:42:1b:26:f6";
+            ipAddress = "192.168.98.13";
+          }
+          {
+            name = "rfp-04";
+            macAddress = "00:30:42:1b:22:3b";
+            ipAddress = "192.168.98.14";
+          }
+          {
+            name = "rfp-05";
+            macAddress = "00:30:42:1b:22:7c";
+            ipAddress = "192.168.98.15";
+          }
+        ];
+      };
+    };
+  };
+}