add config gor yate-dialup

2022-07-20 09:07:32 +02:00
parent 4e4edaa87b
commit a70b6b35f1
8 changed files with 158 additions and 3 deletions
--- a/hosts/yate-dialup/configuration.nix
+++ b/hosts/yate-dialup/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports =
@@ -35,6 +35,34 @@
    };
  };

+  networking.firewall.enable = false;
+  networking.nftables = {
+    enable = true;
+    ruleset = let
+        tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
+    in ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0; policy drop;
+
+          iifname lo accept
+          ct state {established, related} accept
+          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+          ip protocol icmp icmp type echo-request accept
+
+          tcp dport 22 accept
+          tcp dport { ${tcpPorts} } accept
+
+          udp dport 5060 ip saddr { 10.42.10.6, 217.10.68.150 } accept
+          udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::6, 2001:ab7::0/64 } accept
+        }
+      }
+    '';
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/yate-dialup/secrets.yaml
+++ b/hosts/yate-dialup/secrets.yaml
@@ -0,0 +1,53 @@
+sipgate_user: ENC[AES256_GCM,data:LN+orRI7,iv:kiqcyMVTNQQI7kREr4DXT1P8lMq6Cq+E5zDSnTkCMM0=,tag:uKmxgnfaiFyeQw9d7i+AeA==,type:str]
+sipgate_password: ENC[AES256_GCM,data:vbWL/aqu,iv:h7N93PsQs/N3RSvgiSNZZ88cJFWLyNJmA+6v7rxO3gk=,tag:QU2YoiGWRBKc73mLZq4Png==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdzhabG9PclViWTFBbzFk
+            WU1LTDZJaXVxNVVpeGdtOGZhcHlKS3B6SWhNClJrdEJ2NVA5c2VIUCtoajJMSitB
+            NFYwNlNmWTJPZWVnZWxiL1NFUTNzZXcKLS0tIHBETFg0UkNEcW13bEtGOFhBeXM4
+            WWZiOTdRS3pUdi9sb1hraHZ5aFFHUkUKCo+qUjs8zXH4PSIv8ONpkOFM+T4I94E8
+            Cf30aeB7OeViVTfV6+tg76zrbdJ0uyQVJcIfbQPlDflvbrS2/D28xQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-18T06:44:56Z"
+    mac: ENC[AES256_GCM,data:uAh1zM3J5w7ZAFgKk3sRQqs3AmjnRLUCD+aGo9XlsG0xGbwKM6uJ3DHXY2MUSJJNy09nDLXBg4Q20no9BBAhyY5/VY4cYLSlZt5RineplKnotAeAbaf/LmqoPcixwOuWWeHFtpZ0ny4DoBGOjI9zbKIrrg5Psqq/tKsL6uji6vA=,iv:hgRYwAn6mfhg4wtXzXdxpyYdRun7ytSkhV3aAPFhQvU=,tag:oNr/F0EOd9wccc5/FObhAg==,type:str]
+    pgp:
+        - created_at: "2022-07-18T06:44:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6BIUohpxMXcAQ/8Cocn4DGibz+JByFXxnlGFtyM3jf81CbSK9F883Wfl+pR
+            xFagZjA5oN3lOeGyKQjP2E9ALzfAorwbZWRKiWv9xqapgXlYAmhMgN4oMlY3VJto
+            xkGP8gpEDkO/H5WBoP/MN9CAqmmFWko1BR/yYHCHNg+os+nBQ9SK3Pk/ZEwmTSDy
+            Rk/2+edbBrRbk9Ucc7yTIQlJVcI7c4+uaEuhHOOOQGB/SxO0cz6ods8OYCiSLWQg
+            YJ9THGakZW9ki/Dl22dWZS3qUsyVFyjSULfjUXovPCn0a+EWernsoRlpLNJ5kFTf
+            3FqWPN8w2RpUasukwajuAiCEI0xgP3mNS3ZHovGhnEcSEVdVBh5jZulQEEY2rGfF
+            BOSdjko4uFcGB09EVTKYJWmMjHDWj2z5Fo9syvhKTIV5Rv3aFU9LcQ6lxY8Q3aIg
+            OiTWTJR6zFXJuHua2Aarz5nkL33Nsw6D3nbud72fKfSJnaidWXnYbvy1BLR/e5gt
+            07kjbghV5x1f2oSe0/AtY/vkn8tl0jAbuK0CT9guzdUZbPIve4omGSbjEbwBNSuj
+            mQkKdmYDPwTEUhzvYR/wUfU4ZnbUI5jIUeLek+5adwMIiq53mKuHVA3v1t++00fP
+            ZAeDeuTJ+RajB45xDkXaJP70RLi1KPUPT5e2QIIdOEw1ZYjaMa5zWeQuHPXhalLS
+            XgFvoqAgqVmolft0Au2z2sGCUOHSlcXyB1x4fChiNVMk9muoJtlGq8dKqjnVA7fF
+            10pxfb7rn9zhGxDdPqwqqole+ST13L3ZZ7Uh4PS5uHp9/pq/izAcp7Mm8gDk3ks=
+            =PHaL
+            -----END PGP MESSAGE-----
+          fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
+        - created_at: "2022-07-18T06:44:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hE4D6iFd6webPCUSAQdAP67Vt9XQLyeHB5dxhTQPke7eKYKb6NPZ3c532BDsgSAg
+            D/6K9eDqbK6cnFnvtZ+Qa0zYS4wIexCgIRgLGA8omBXSXgHCPtGl/gBbdexcXXcL
+            cajDmIIOc7w8tPOg81CDVLT2hRPIWIOkbpFCqyKWqgCvPGHsHaMHdaEQh+E76HsS
+            qbURE+neOiNzKWzJrShPre7wtJyBQuGhXwyx4xmF6bc=
+            =1aA/
+            -----END PGP MESSAGE-----
+          fp: 6E10217E3187069E057DF5ABE0262A773B824745
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
--- a/hosts/yate-dialup/voip.nix
+++ b/hosts/yate-dialup/voip.nix
@@ -3,5 +3,39 @@
 {
  services.yate = {
    enable = true;
+    config = {
+      regfile.yate.password = "yate";
+      regexroute = "[default]
+^4933921999799\\(.*\\)$=lateroute/yate;osip_x-called=\\1
+\${sip_x-dialout-allowed}^1$=goto dialout
+
+[dialout]
+\${username}^$=-;error=noauth
+^.*$=sip/sip:\\0;line=sipgate;osip_P-Preferred-Identity=<sip:4933921999799\${caller}@sipconnect.sipgate.de>;caller=3400888t0;domain=sipconnect.sipgate.de;";
+    };
+  };
+
+  sops.secrets.sipgate_password = {
+    owner = "yate";
+    restartUnits = [ "yate.service" ];
+  };
+
+  systemd.services.yate = {
+    preStart = let
+      accfile = pkgs.writeText "accfile.conf" (lib.generators.toINI { } {
+        sipgate = {
+          enabled = "yes";
+          protocol = "sip";
+          username = "3400888t0";
+          authname = "3400888t0";
+          password = "!!sipgate_password!!";
+          registrar = "sipconnect.sipgate.de";
+          localaddress = "yes";
+        };
+      });
+    in ''
+      ${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat ${config.sops.secrets.sipgate_password.path})/g" ${accfile} > /etc/yate/accfile.conf
+    '';
+    serviceConfig.PermissionsStartOnly = true;
  };
 }