Add fieldpoc

.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &admin_jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+  - &host_pbx age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
+creation_rules:
+  - path_regex: hosts/pbx/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *admin_jalr
+      age:
+      - *host_pbx

docs/SUMMARY.md

@@ -1,3 +1,4 @@
 # Weinturm Open Air Infrastructure
 
+* [fieldpoc](fieldpoc.md)
 * [HP Switch](hp-switch.md)

docs/fieldpoc.md

@@ -0,0 +1,29 @@
+# FieldPOC
+
+A simple to use, good enough phone system for medium sized DECT networks.
+
+## Setup
+
+### Open AXI port on OMM
+
+```text
+ssh omm@$omm
+ommconsole
+cnf sys uap on
+```
+
+### Generate secrets
+
+example `secrets.yaml`:
+
+```yaml
+fieldpoc:
+    omm: s0m3Pa55w0rd
+    sip: 000102030405060708090a0b0c0d0e0f
+```
+
+sipsecret **must** be a 32 character long hexadecimal string.
+
+```bash
+nix run nixpkgs#openssl -- rand -hex 16
+```

docs/hp-switch.md

@@ -36,6 +36,8 @@ Change screen length: `screen-length 50`
 
 ### Bauwagen
 
+#### Ports
+
 ```text
 console baud-rate 115200
 write memory
@@ -45,39 +47,40 @@ conf t
 
 vlan 2 name jugendtreff
 vlan 2 qos priority 1
+vlan 2 tagged 23,24
 
 vlan 6 name public-event
 vlan 6 qos priority 0
+vlan 6 tagged 21-24
 
 vlan 7 name weinturm
 vlan 7 qos priority 1
+vlan 7 tagged 21-24
+vlan 7 untagged 1-12
 
 vlan 8 name voice
 vlan 8 qos priority 5
+vlan 8 tagged 21-24
+vlan 8 untagged 17,19
 vlan 8 voice
 
 interface ethernet 1-12 enable
-interface ethernet 1-12 untagged vlan 7
+
+interface ethernet 17,19 enable
+interface ethernet 17,19 name dect
 
 interface ethernet 21 name kleinturm-copper
 interface ethernet 22 name kleinturm-fiber
 interface ethernet 22 speed-duplex 1000-full
-interface ethernet 21,22 tagged vlan 6,7,8
 
 interface ethernet 23 name pbx
 interface ethernet 23 enable
 interface ethernet 23 speed-duplex auto-1000
-interface ethernet 23 tagged vlan 2,6,7,8
 
 interface ethernet 24 name uplink
 interface ethernet 24 speed-duplex 1000-full
-interface ethernet 23 tagged vlan 2,6,7,8
 
-
+vlan 1 forbid 1-12,17,19,21-24
-dhcp-snooping vlan 1-100
-dhcp-snooping trust 24
-dhcp-snooping authorized-server 192.168.96.1
-dhcp-snooping
 
 ```
 

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752541678,
+        "lastModified": 1752718651,
-        "narHash": "sha256-dyhGzkld6jPqnT/UfGV2oqe7tYn7hppAqFvF3GZTyXY=",
+        "narHash": "sha256-PkaR0qmyP9q/MDN3uYa+RLeBA0PjvEQiM0rTDDBXkL8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "2bf3421f7fed5c84d9392b62dcb9d76ef09796a7",
+        "rev": "d5ad4485e6f2edcc06751df65c5e16572877db88",
         "type": "github"
       },
       "original": {
@@ -47,17 +47,17 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1711287766,
+        "lastModified": 1753041163,
-        "narHash": "sha256-2roymGPfsQZC1Lg/i3iffBQ8c86DLEXmuoKQIlbOg5o=",
+        "narHash": "sha256-tznTKkemDXlG/YuVeC+mxc9n6zU+48BQfjm8GrHf4fo=",
         "ref": "refs/heads/main",
-        "rev": "f707f212378f9d8de103ac96abcd9d377a2605a8",
+        "rev": "3d771daae7aef7f5d8556f4c754c50c2a76661d2",
-        "revCount": 56,
+        "revCount": 67,
         "type": "git",
-        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+        "url": "https://git.jalr.de/jalr/fieldpoc.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+        "url": "https://git.jalr.de/jalr/fieldpoc.git"
       }
     },
     "flake-compat": {
@@ -122,11 +122,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752544374,
+        "lastModified": 1752780124,
-        "narHash": "sha256-ReX0NG6nIAEtQQjLqeu1vUU2jjZuMlpymNtb4VQYeus=",
+        "narHash": "sha256-5dn97vIYxn6VozKePOQSDxVCsrl38nDdMJXx86KIJH0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2e00ed310c218127e02ffcf28ddd4e0f669fde3e",
+        "rev": "c718918222bdb104397762dea67e6b397a7927fe",
         "type": "github"
       },
       "original": {
@@ -263,11 +263,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1752620740,
+        "lastModified": 1752866191,
-        "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
+        "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
+        "rev": "f01fe91b0108a7aff99c99f2e9abbc45db0adc2a",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+    fieldpoc.url = "git+https://git.jalr.de/jalr/fieldpoc.git";
 
     flake-utils.url = "github:numtide/flake-utils";
 

hosts/default.nix

@@ -1,5 +1,6 @@
 _inputs: {
   pbx = {
     system = "x86_64-linux";
+    targetHost = "192.168.96.1";
   };
 }

hosts/pbx/configuration.nix

@@ -2,6 +2,7 @@
   imports = [
     ./disko.nix
     ../../users/jalr
+    ./services
   ];
 
   weinturm = {

hosts/pbx/secrets.yaml

@@ -0,0 +1,30 @@
+fieldpoc:
+    omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
+    sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
+sops:
+    age:
+        - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYWFhQUIwVXpRYmtPVlpC
+            VGF1VnhqcU9DWFVnbEI3dU44KytGeWV0ZERvCnpxd2c2MWlOYzlhNW85OG1ySy95
+            UXk4Um4vV29IdmNTb0FGNmw5ZGtIQ0EKLS0tIDFXK2RsMjFwSFRVR0V3S0FTcVBk
+            TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
+            JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-20T18:36:56Z"
+    mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str]
+    pgp:
+        - created_at: "2025-07-18T23:14:45Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DY/xpNY5WhB0SAQdA5BD/2H3ei7/9sJa1ANVXMF1hqugGXCVnQl818nkziRww
+            0WVMtGXiGpwlNYmDX6XVX7s232/PhGPWfpgjjlC/FVnj8wfgs5+LEc/qjRPFD0Vg
+            0lwBbdyMeq1B5GeyHwlHLsl1T2PZR5401gyoUH0cvdUGby3NKLNNStJBSVCeUjKP
+            5lyRdroUp3e9qqLrItgZylyXY5I3c8MUjYSRc9/LWi6rXr9gvw2VHQITuRe1GQ==
+            =0PlX
+            -----END PGP MESSAGE-----
+          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

hosts/pbx/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./fieldpoc.nix
+  ];
+}

hosts/pbx/services/fieldpoc.nix

@@ -0,0 +1,106 @@
+{config, ...}: let
+  ommIp = "192.168.98.11";
+  rtpPorts = {
+    from = 11000;
+    to = 11250;
+  };
+in {
+  sops.secrets."fieldpoc/omm" = {
+    sopsFile = ../secrets.yaml;
+    owner = "fieldpoc";
+  };
+  sops.secrets."fieldpoc/sip" = {
+    sopsFile = ../secrets.yaml;
+    owner = "fieldpoc";
+  };
+
+  networking.firewall.interfaces.voice = {
+    allowedUDPPorts = [53 5060];
+    allowedUDPPortRanges = [
+      {
+        inherit (rtpPorts) from;
+        inherit (rtpPorts) to;
+      }
+    ];
+  };
+  networking.firewall.interfaces.jugendtreff = {
+    allowedUDPPortRanges = [
+      {
+        inherit (rtpPorts) from;
+        inherit (rtpPorts) to;
+      }
+    ];
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/fieldpoc";
+      user = "fieldpoc";
+      group = "fieldpoc";
+      mode = "u=rwx,g=,o=";
+    }
+    {
+      directory = "/var/lib/postgresql";
+      user = "postgres";
+      group = "postgres";
+      mode = "u=rwx,g=rx,o=";
+    }
+  ];
+
+  services = {
+    yate.config.yrtpchan.general = {
+      minport = rtpPorts.from;
+      maxport = rtpPorts.to;
+    };
+
+    dnscache = {
+      enable = true;
+      clientIps = ["192.168.98"];
+    };
+
+    fieldpoc = {
+      enable = true;
+      inherit ommIp;
+      ommUser = "omm";
+      ommPasswordPath = config.sops.secrets."fieldpoc/omm".path;
+      sipsecretPath = config.sops.secrets."fieldpoc/sip".path;
+
+      dhcp = {
+        enable = true;
+        interface = "voice";
+        subnet = "192.168.98.0/24";
+        pool = "192.168.98.100 - 192.168.98.250";
+        router = "192.168.98.1";
+        dnsServers = "192.168.98.1";
+        omm = ommIp;
+        reservations = [
+          {
+            name = "rfp-01";
+            macAddress = "00:30:42:1b:23:ed";
+            ipAddress = ommIp;
+          }
+          {
+            name = "rfp-02";
+            macAddress = "00:30:42:1b:21:c1";
+            ipAddress = "192.168.98.12";
+          }
+          {
+            name = "rfp-03";
+            macAddress = "00:30:42:1b:26:f6";
+            ipAddress = "192.168.98.13";
+          }
+          {
+            name = "rfp-04";
+            macAddress = "00:30:42:1b:22:3b";
+            ipAddress = "192.168.98.14";
+          }
+          {
+            name = "rfp-05";
+            macAddress = "00:30:42:1b:22:7c";
+            ipAddress = "192.168.98.15";
+          }
+        ];
+      };
+    };
+  };
+}