No commits in common. "4741d1b67c5ce145bd5900306c866dd186b2c249" and "4e4edaa87bcb1f4b31152d742e34ca4dd5465944" have entirely different histories.
4741d1b67c
...
4e4edaa87b
16
.sops.yaml
16
.sops.yaml
@ -2,8 +2,6 @@ keys:
|
||||
- &admin_clerie DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
|
||||
- &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
|
||||
- &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
|
||||
- &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9\
|
||||
- &host_yate_dialup age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
|
||||
- &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
|
||||
creation_rules:
|
||||
- path_regex: hosts/nerd/.*
|
||||
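Review bot: The `&host_yate` recipient in this hunk ends in a stray backslash (`...q3asmu6ah9\`), which is either a line-wrap artifact of the rendering or a real character in the file; this rendering has no +/- markers, so it also does not show whether that line is one of the two removed here or survives on the new side. If the backslash is really in the file and the line survives, the anchor is not a valid age recipient and sops will fail for any creation rule that references `*host_yate`, so the line should read `- &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9` with nothing after the key. The counts of the second hunk (-13,20 +11,6) suggest the yate and yate-dialup creation rules are removed while the pre-yate-n0emis rule stays, so any key anchor that is no longer referenced by a rule should be dropped from `keys:` as well rather than left as a dangling recipient.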
@ -13,20 +11,6 @@ creation_rules:
|
||||
- *admin_n0emis
|
||||
age:
|
||||
- *host_nerd
|
||||
- path_regex: hosts/yate/.*
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_clerie
|
||||
- *admin_n0emis
|
||||
age:
|
||||
- *host_yate
|
||||
- path_regex: hosts/yate-dialup/.*
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_clerie
|
||||
- *admin_n0emis
|
||||
age:
|
||||
- *host_yate_dialup
|
||||
- path_regex: hosts/pre-yate-n0emis/.*
|
||||
key_groups:
|
||||
- pgp:
|
||||
|
@ -90,6 +90,4 @@
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
sops.defaultSopsFile = (../. + "/hosts/${config.networking.hostName}/secrets.yaml");
|
||||
}
|
||||
|
@ -2,6 +2,7 @@
|
||||
|
||||
{
|
||||
sops.secrets.nerd_secret = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
owner = "nerd";
|
||||
restartUnits = [ "nerd.service" ];
|
||||
};
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
@ -35,34 +35,6 @@
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables = {
|
||||
enable = true;
|
||||
ruleset = let
|
||||
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
|
||||
in ''
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
iifname lo accept
|
||||
ct state {established, related} accept
|
||||
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
|
||||
ip protocol icmp icmp type echo-request accept
|
||||
|
||||
tcp dport 22 accept
|
||||
tcp dport { ${tcpPorts} } accept
|
||||
|
||||
udp dport 5060 ip saddr { 10.42.10.6, 217.10.68.150 } accept
|
||||
udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::6, 2001:ab7::0/64 } accept
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
|
@ -1,53 +0,0 @@
|
||||
sipgate_user: ENC[AES256_GCM,data:LN+orRI7,iv:kiqcyMVTNQQI7kREr4DXT1P8lMq6Cq+E5zDSnTkCMM0=,tag:uKmxgnfaiFyeQw9d7i+AeA==,type:str]
|
||||
sipgate_password: ENC[AES256_GCM,data:vbWL/aqu,iv:h7N93PsQs/N3RSvgiSNZZ88cJFWLyNJmA+6v7rxO3gk=,tag:QU2YoiGWRBKc73mLZq4Png==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdzhabG9PclViWTFBbzFk
|
||||
WU1LTDZJaXVxNVVpeGdtOGZhcHlKS3B6SWhNClJrdEJ2NVA5c2VIUCtoajJMSitB
|
||||
NFYwNlNmWTJPZWVnZWxiL1NFUTNzZXcKLS0tIHBETFg0UkNEcW13bEtGOFhBeXM4
|
||||
WWZiOTdRS3pUdi9sb1hraHZ5aFFHUkUKCo+qUjs8zXH4PSIv8ONpkOFM+T4I94E8
|
||||
Cf30aeB7OeViVTfV6+tg76zrbdJ0uyQVJcIfbQPlDflvbrS2/D28xQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-07-18T06:44:56Z"
|
||||
mac: ENC[AES256_GCM,data:uAh1zM3J5w7ZAFgKk3sRQqs3AmjnRLUCD+aGo9XlsG0xGbwKM6uJ3DHXY2MUSJJNy09nDLXBg4Q20no9BBAhyY5/VY4cYLSlZt5RineplKnotAeAbaf/LmqoPcixwOuWWeHFtpZ0ny4DoBGOjI9zbKIrrg5Psqq/tKsL6uji6vA=,iv:hgRYwAn6mfhg4wtXzXdxpyYdRun7ytSkhV3aAPFhQvU=,tag:oNr/F0EOd9wccc5/FObhAg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-18T06:44:35Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6BIUohpxMXcAQ/8Cocn4DGibz+JByFXxnlGFtyM3jf81CbSK9F883Wfl+pR
|
||||
xFagZjA5oN3lOeGyKQjP2E9ALzfAorwbZWRKiWv9xqapgXlYAmhMgN4oMlY3VJto
|
||||
xkGP8gpEDkO/H5WBoP/MN9CAqmmFWko1BR/yYHCHNg+os+nBQ9SK3Pk/ZEwmTSDy
|
||||
Rk/2+edbBrRbk9Ucc7yTIQlJVcI7c4+uaEuhHOOOQGB/SxO0cz6ods8OYCiSLWQg
|
||||
YJ9THGakZW9ki/Dl22dWZS3qUsyVFyjSULfjUXovPCn0a+EWernsoRlpLNJ5kFTf
|
||||
3FqWPN8w2RpUasukwajuAiCEI0xgP3mNS3ZHovGhnEcSEVdVBh5jZulQEEY2rGfF
|
||||
BOSdjko4uFcGB09EVTKYJWmMjHDWj2z5Fo9syvhKTIV5Rv3aFU9LcQ6lxY8Q3aIg
|
||||
OiTWTJR6zFXJuHua2Aarz5nkL33Nsw6D3nbud72fKfSJnaidWXnYbvy1BLR/e5gt
|
||||
07kjbghV5x1f2oSe0/AtY/vkn8tl0jAbuK0CT9guzdUZbPIve4omGSbjEbwBNSuj
|
||||
mQkKdmYDPwTEUhzvYR/wUfU4ZnbUI5jIUeLek+5adwMIiq53mKuHVA3v1t++00fP
|
||||
ZAeDeuTJ+RajB45xDkXaJP70RLi1KPUPT5e2QIIdOEw1ZYjaMa5zWeQuHPXhalLS
|
||||
XgFvoqAgqVmolft0Au2z2sGCUOHSlcXyB1x4fChiNVMk9muoJtlGq8dKqjnVA7fF
|
||||
10pxfb7rn9zhGxDdPqwqqole+ST13L3ZZ7Uh4PS5uHp9/pq/izAcp7Mm8gDk3ks=
|
||||
=PHaL
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
|
||||
- created_at: "2022-07-18T06:44:35Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hE4D6iFd6webPCUSAQdAP67Vt9XQLyeHB5dxhTQPke7eKYKb6NPZ3c532BDsgSAg
|
||||
D/6K9eDqbK6cnFnvtZ+Qa0zYS4wIexCgIRgLGA8omBXSXgHCPtGl/gBbdexcXXcL
|
||||
cajDmIIOc7w8tPOg81CDVLT2hRPIWIOkbpFCqyKWqgCvPGHsHaMHdaEQh+E76HsS
|
||||
qbURE+neOiNzKWzJrShPre7wtJyBQuGhXwyx4xmF6bc=
|
||||
=1aA/
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 6E10217E3187069E057DF5ABE0262A773B824745
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
@ -3,39 +3,5 @@
|
||||
{
|
||||
services.yate = {
|
||||
enable = true;
|
||||
config = {
|
||||
regfile.yate.password = "yate";
|
||||
regexroute = "[default]
|
||||
^4933921999799\\(.*\\)$=lateroute/yate;osip_x-called=\\1
|
||||
\${sip_x-dialout-allowed}^1$=goto dialout
|
||||
|
||||
[dialout]
|
||||
\${username}^$=-;error=noauth
|
||||
^.*$=sip/sip:\\0;line=sipgate;osip_P-Preferred-Identity=<sip:4933921999799\${caller}@sipconnect.sipgate.de>;caller=3400888t0;domain=sipconnect.sipgate.de;";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.sipgate_password = {
|
||||
owner = "yate";
|
||||
restartUnits = [ "yate.service" ];
|
||||
};
|
||||
|
||||
systemd.services.yate = {
|
||||
preStart = let
|
||||
accfile = pkgs.writeText "accfile.conf" (lib.generators.toINI { } {
|
||||
sipgate = {
|
||||
enabled = "yes";
|
||||
protocol = "sip";
|
||||
username = "3400888t0";
|
||||
authname = "3400888t0";
|
||||
password = "!!sipgate_password!!";
|
||||
registrar = "sipconnect.sipgate.de";
|
||||
localaddress = "yes";
|
||||
};
|
||||
});
|
||||
in ''
|
||||
${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat ${config.sops.secrets.sipgate_password.path})/g" ${accfile} > /etc/yate/accfile.conf
|
||||
'';
|
||||
serviceConfig.PermissionsStartOnly = true;
|
||||
};
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
@ -91,52 +91,6 @@
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables = {
|
||||
enable = true;
|
||||
ruleset = let
|
||||
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
|
||||
in ''
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
iifname lo accept
|
||||
ct state {established, related} accept
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
|
||||
ip protocol icmp icmp type echo-request accept
|
||||
|
||||
tcp dport 22 accept
|
||||
tcp dport { ${tcpPorts} } accept
|
||||
|
||||
iif {vlan132, vlan133} accept
|
||||
|
||||
udp dport 5060 ip saddr { 10.42.10.9 } accept
|
||||
udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
|
||||
}
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority 0; policy drop;
|
||||
|
||||
ct state {established, related} accept
|
||||
iif {vlan132, vlan133} accept
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
|
||||
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
|
||||
ip protocol icmp icmp type echo-request accept
|
||||
|
||||
ip saddr 10.42.201.0/24 accept
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
|
@ -10,13 +10,8 @@
|
||||
pool = "10.42.132.200 - 10.42.132.250";
|
||||
router = "10.42.132.1";
|
||||
dnsServers = "10.42.10.8";
|
||||
omm = "10.42.132.2";
|
||||
omm = "10.42.132.11";
|
||||
reservations = [
|
||||
{
|
||||
name = "omm";
|
||||
macAddress = "AA:C3:A9:26:1F:77";
|
||||
ipAddress = "10.42.132.2";
|
||||
}
|
||||
{
|
||||
name = "rfp-01";
|
||||
macAddress = "00:30:42:1B:8C:7A";
|
||||
@ -25,21 +20,4 @@
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.yate.config = {
|
||||
accfile.dialout = {
|
||||
enabled = "yes";
|
||||
protocol = "sip";
|
||||
username = "yate";
|
||||
password = "yate";
|
||||
registrar = "yate-dialup.bula22.de";
|
||||
};
|
||||
regexroute = "[default]
|
||||
\${username}^$=-;error=noauth
|
||||
^yate$=goto dialin
|
||||
^.*$=line/\\0;line=dialout
|
||||
|
||||
[dialin]
|
||||
\${sip_x-called}^.*$=lateroute/\\1";
|
||||
};
|
||||
}
|
||||
|
@ -41,7 +41,6 @@ in {
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
RuntimeDirectory = "yate";
|
||||
RuntimeDirectoryMode = "0755";
|
||||
ConfigurationDirectory = "yate";
|
||||
StateDirectory = "yate";
|
||||
StateDirectoryMode = "0700";
|
||||
PIDFile = "/run/yate/yate.pid";
|
||||
|