add config gor yate-dialup

.sops.yaml

@@ -2,6 +2,8 @@ keys:
   - &admin_clerie DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
   - &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
   - &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+  - &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9\
+  - &host_yate_dialup age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
   - &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
 creation_rules:
   - path_regex: hosts/nerd/.*
@@ -11,6 +13,20 @@ creation_rules:
       - *admin_n0emis
       age:
       - *host_nerd
+  - path_regex: hosts/yate/.*
+    key_groups:
+    - pgp:
+      - *admin_clerie
+      - *admin_n0emis
+      age:
+      - *host_yate
+  - path_regex: hosts/yate-dialup/.*
+    key_groups:
+    - pgp:
+      - *admin_clerie
+      - *admin_n0emis
+      age:
+      - *host_yate_dialup
   - path_regex: hosts/pre-yate-n0emis/.*
     key_groups:
     - pgp:

common/default.nix

@@ -90,4 +90,6 @@
   };
 
   security.sudo.wheelNeedsPassword = false;
+
+  sops.defaultSopsFile = (../. + "/hosts/${config.networking.hostName}/secrets.yaml");
 }

hosts/nerd/nerd.nix

@@ -2,7 +2,6 @@
 
 {
   sops.secrets.nerd_secret = {
-    sopsFile = ./secrets.yaml;
     owner = "nerd";
     restartUnits = [ "nerd.service" ];
   };

hosts/yate-dialup/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =
@@ -35,6 +35,34 @@
     };
   };
 
+  networking.firewall.enable = false;
+  networking.nftables = {
+    enable = true;
+    ruleset = let
+        tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
+    in ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0; policy drop;
+
+          iifname lo accept
+          ct state {established, related} accept
+          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+          ip protocol icmp icmp type echo-request accept
+
+          tcp dport 22 accept
+          tcp dport { ${tcpPorts} } accept
+
+          udp dport 5060 ip saddr { 10.42.10.6, 217.10.68.150 } accept
+          udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::6, 2001:ab7::0/64 } accept
+        }
+      }
+    '';
+  };
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/yate-dialup/secrets.yaml

@@ -0,0 +1,53 @@
+sipgate_user: ENC[AES256_GCM,data:LN+orRI7,iv:kiqcyMVTNQQI7kREr4DXT1P8lMq6Cq+E5zDSnTkCMM0=,tag:uKmxgnfaiFyeQw9d7i+AeA==,type:str]
+sipgate_password: ENC[AES256_GCM,data:vbWL/aqu,iv:h7N93PsQs/N3RSvgiSNZZ88cJFWLyNJmA+6v7rxO3gk=,tag:QU2YoiGWRBKc73mLZq4Png==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdzhabG9PclViWTFBbzFk
+            WU1LTDZJaXVxNVVpeGdtOGZhcHlKS3B6SWhNClJrdEJ2NVA5c2VIUCtoajJMSitB
+            NFYwNlNmWTJPZWVnZWxiL1NFUTNzZXcKLS0tIHBETFg0UkNEcW13bEtGOFhBeXM4
+            WWZiOTdRS3pUdi9sb1hraHZ5aFFHUkUKCo+qUjs8zXH4PSIv8ONpkOFM+T4I94E8
+            Cf30aeB7OeViVTfV6+tg76zrbdJ0uyQVJcIfbQPlDflvbrS2/D28xQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-18T06:44:56Z"
+    mac: ENC[AES256_GCM,data:uAh1zM3J5w7ZAFgKk3sRQqs3AmjnRLUCD+aGo9XlsG0xGbwKM6uJ3DHXY2MUSJJNy09nDLXBg4Q20no9BBAhyY5/VY4cYLSlZt5RineplKnotAeAbaf/LmqoPcixwOuWWeHFtpZ0ny4DoBGOjI9zbKIrrg5Psqq/tKsL6uji6vA=,iv:hgRYwAn6mfhg4wtXzXdxpyYdRun7ytSkhV3aAPFhQvU=,tag:oNr/F0EOd9wccc5/FObhAg==,type:str]
+    pgp:
+        - created_at: "2022-07-18T06:44:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6BIUohpxMXcAQ/8Cocn4DGibz+JByFXxnlGFtyM3jf81CbSK9F883Wfl+pR
+            xFagZjA5oN3lOeGyKQjP2E9ALzfAorwbZWRKiWv9xqapgXlYAmhMgN4oMlY3VJto
+            xkGP8gpEDkO/H5WBoP/MN9CAqmmFWko1BR/yYHCHNg+os+nBQ9SK3Pk/ZEwmTSDy
+            Rk/2+edbBrRbk9Ucc7yTIQlJVcI7c4+uaEuhHOOOQGB/SxO0cz6ods8OYCiSLWQg
+            YJ9THGakZW9ki/Dl22dWZS3qUsyVFyjSULfjUXovPCn0a+EWernsoRlpLNJ5kFTf
+            3FqWPN8w2RpUasukwajuAiCEI0xgP3mNS3ZHovGhnEcSEVdVBh5jZulQEEY2rGfF
+            BOSdjko4uFcGB09EVTKYJWmMjHDWj2z5Fo9syvhKTIV5Rv3aFU9LcQ6lxY8Q3aIg
+            OiTWTJR6zFXJuHua2Aarz5nkL33Nsw6D3nbud72fKfSJnaidWXnYbvy1BLR/e5gt
+            07kjbghV5x1f2oSe0/AtY/vkn8tl0jAbuK0CT9guzdUZbPIve4omGSbjEbwBNSuj
+            mQkKdmYDPwTEUhzvYR/wUfU4ZnbUI5jIUeLek+5adwMIiq53mKuHVA3v1t++00fP
+            ZAeDeuTJ+RajB45xDkXaJP70RLi1KPUPT5e2QIIdOEw1ZYjaMa5zWeQuHPXhalLS
+            XgFvoqAgqVmolft0Au2z2sGCUOHSlcXyB1x4fChiNVMk9muoJtlGq8dKqjnVA7fF
+            10pxfb7rn9zhGxDdPqwqqole+ST13L3ZZ7Uh4PS5uHp9/pq/izAcp7Mm8gDk3ks=
+            =PHaL
+            -----END PGP MESSAGE-----
+          fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
+        - created_at: "2022-07-18T06:44:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hE4D6iFd6webPCUSAQdAP67Vt9XQLyeHB5dxhTQPke7eKYKb6NPZ3c532BDsgSAg
+            D/6K9eDqbK6cnFnvtZ+Qa0zYS4wIexCgIRgLGA8omBXSXgHCPtGl/gBbdexcXXcL
+            cajDmIIOc7w8tPOg81CDVLT2hRPIWIOkbpFCqyKWqgCvPGHsHaMHdaEQh+E76HsS
+            qbURE+neOiNzKWzJrShPre7wtJyBQuGhXwyx4xmF6bc=
+            =1aA/
+            -----END PGP MESSAGE-----
+          fp: 6E10217E3187069E057DF5ABE0262A773B824745
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1

hosts/yate-dialup/voip.nix

@@ -3,5 +3,39 @@
 {
   services.yate = {
     enable = true;
+    config = {
+      regfile.yate.password = "yate";
+      regexroute = "[default]
+^4933921999799\\(.*\\)$=lateroute/yate;osip_x-called=\\1
+\${sip_x-dialout-allowed}^1$=goto dialout
+
+[dialout]
+\${username}^$=-;error=noauth
+^.*$=sip/sip:\\0;line=sipgate;osip_P-Preferred-Identity=<sip:4933921999799\${caller}@sipconnect.sipgate.de>;caller=3400888t0;domain=sipconnect.sipgate.de;";
+    };
+  };
+
+  sops.secrets.sipgate_password = {
+    owner = "yate";
+    restartUnits = [ "yate.service" ];
+  };
+
+  systemd.services.yate = {
+    preStart = let
+      accfile = pkgs.writeText "accfile.conf" (lib.generators.toINI { } {
+        sipgate = {
+          enabled = "yes";
+          protocol = "sip";
+          username = "3400888t0";
+          authname = "3400888t0";
+          password = "!!sipgate_password!!";
+          registrar = "sipconnect.sipgate.de";
+          localaddress = "yes";
+        };
+      });
+    in ''
+      ${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat ${config.sops.secrets.sipgate_password.path})/g" ${accfile} > /etc/yate/accfile.conf
+    '';
+    serviceConfig.PermissionsStartOnly = true;
   };
 }

hosts/yate/voip.nix

@@ -10,8 +10,13 @@
       pool = "10.42.132.200 - 10.42.132.250";
       router = "10.42.132.1";
       dnsServers = "10.42.10.8";
-      omm = "10.42.132.11";
+      omm = "10.42.132.2";
       reservations = [
+        {
+          name = "omm";
+          macAddress = "AA:C3:A9:26:1F:77";
+          ipAddress = "10.42.132.2";
+        }
         {
           name = "rfp-01";
           macAddress = "00:30:42:1B:8C:7A";
@@ -20,4 +25,21 @@
       ];
     };
   };
+
+  services.yate.config = {
+    accfile.dialout = {
+      enabled = "yes";
+      protocol = "sip";
+      username = "yate";
+      password = "yate";
+      registrar = "yate-dialup.bula22.de";
+    };
+    regexroute = "[default]
+\${username}^$=-;error=noauth
+^yate$=goto dialin
+^.*$=line/\\0;line=dialout
+
+[dialin]
+\${sip_x-called}^.*$=lateroute/\\1";
+  };
 }

modules/yate/default.nix

@@ -41,6 +41,7 @@ in {
         AmbientCapabilities = "CAP_NET_BIND_SERVICE";
         RuntimeDirectory = "yate";
         RuntimeDirectoryMode = "0755";
+        ConfigurationDirectory = "yate";
         StateDirectory = "yate";
         StateDirectoryMode = "0700";
         PIDFile = "/run/yate/yate.pid";