1
0

Compare commits

..

No commits in common. "4741d1b67c5ce145bd5900306c866dd186b2c249" and "4e4edaa87bcb1f4b31152d742e34ca4dd5465944" have entirely different histories.

9 changed files with 4 additions and 205 deletions

View File

@ -2,8 +2,6 @@ keys:
- &admin_clerie DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
- &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
- &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9\
- &host_yate_dialup age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
- &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
creation_rules:
- path_regex: hosts/nerd/.*
@ -13,20 +11,6 @@ creation_rules:
- *admin_n0emis
age:
- *host_nerd
- path_regex: hosts/yate/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_yate
- path_regex: hosts/yate-dialup/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_yate_dialup
- path_regex: hosts/pre-yate-n0emis/.*
key_groups:
- pgp:

View File

@ -90,6 +90,4 @@
};
security.sudo.wheelNeedsPassword = false;
sops.defaultSopsFile = (../. + "/hosts/${config.networking.hostName}/secrets.yaml");
}

View File

@ -2,6 +2,7 @@
{
sops.secrets.nerd_secret = {
sopsFile = ./secrets.yaml;
owner = "nerd";
restartUnits = [ "nerd.service" ];
};

View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, ... }:
{
imports =
@ -35,34 +35,6 @@
};
};
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = let
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
in ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state {established, related} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
tcp dport 22 accept
tcp dport { ${tcpPorts} } accept
udp dport 5060 ip saddr { 10.42.10.6, 217.10.68.150 } accept
udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::6, 2001:ab7::0/64 } accept
}
}
'';
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

View File

@ -1,53 +0,0 @@
sipgate_user: ENC[AES256_GCM,data:LN+orRI7,iv:kiqcyMVTNQQI7kREr4DXT1P8lMq6Cq+E5zDSnTkCMM0=,tag:uKmxgnfaiFyeQw9d7i+AeA==,type:str]
sipgate_password: ENC[AES256_GCM,data:vbWL/aqu,iv:h7N93PsQs/N3RSvgiSNZZ88cJFWLyNJmA+6v7rxO3gk=,tag:QU2YoiGWRBKc73mLZq4Png==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdzhabG9PclViWTFBbzFk
WU1LTDZJaXVxNVVpeGdtOGZhcHlKS3B6SWhNClJrdEJ2NVA5c2VIUCtoajJMSitB
NFYwNlNmWTJPZWVnZWxiL1NFUTNzZXcKLS0tIHBETFg0UkNEcW13bEtGOFhBeXM4
WWZiOTdRS3pUdi9sb1hraHZ5aFFHUkUKCo+qUjs8zXH4PSIv8ONpkOFM+T4I94E8
Cf30aeB7OeViVTfV6+tg76zrbdJ0uyQVJcIfbQPlDflvbrS2/D28xQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-18T06:44:56Z"
mac: ENC[AES256_GCM,data:uAh1zM3J5w7ZAFgKk3sRQqs3AmjnRLUCD+aGo9XlsG0xGbwKM6uJ3DHXY2MUSJJNy09nDLXBg4Q20no9BBAhyY5/VY4cYLSlZt5RineplKnotAeAbaf/LmqoPcixwOuWWeHFtpZ0ny4DoBGOjI9zbKIrrg5Psqq/tKsL6uji6vA=,iv:hgRYwAn6mfhg4wtXzXdxpyYdRun7ytSkhV3aAPFhQvU=,tag:oNr/F0EOd9wccc5/FObhAg==,type:str]
pgp:
- created_at: "2022-07-18T06:44:35Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA6BIUohpxMXcAQ/8Cocn4DGibz+JByFXxnlGFtyM3jf81CbSK9F883Wfl+pR
xFagZjA5oN3lOeGyKQjP2E9ALzfAorwbZWRKiWv9xqapgXlYAmhMgN4oMlY3VJto
xkGP8gpEDkO/H5WBoP/MN9CAqmmFWko1BR/yYHCHNg+os+nBQ9SK3Pk/ZEwmTSDy
Rk/2+edbBrRbk9Ucc7yTIQlJVcI7c4+uaEuhHOOOQGB/SxO0cz6ods8OYCiSLWQg
YJ9THGakZW9ki/Dl22dWZS3qUsyVFyjSULfjUXovPCn0a+EWernsoRlpLNJ5kFTf
3FqWPN8w2RpUasukwajuAiCEI0xgP3mNS3ZHovGhnEcSEVdVBh5jZulQEEY2rGfF
BOSdjko4uFcGB09EVTKYJWmMjHDWj2z5Fo9syvhKTIV5Rv3aFU9LcQ6lxY8Q3aIg
OiTWTJR6zFXJuHua2Aarz5nkL33Nsw6D3nbud72fKfSJnaidWXnYbvy1BLR/e5gt
07kjbghV5x1f2oSe0/AtY/vkn8tl0jAbuK0CT9guzdUZbPIve4omGSbjEbwBNSuj
mQkKdmYDPwTEUhzvYR/wUfU4ZnbUI5jIUeLek+5adwMIiq53mKuHVA3v1t++00fP
ZAeDeuTJ+RajB45xDkXaJP70RLi1KPUPT5e2QIIdOEw1ZYjaMa5zWeQuHPXhalLS
XgFvoqAgqVmolft0Au2z2sGCUOHSlcXyB1x4fChiNVMk9muoJtlGq8dKqjnVA7fF
10pxfb7rn9zhGxDdPqwqqole+ST13L3ZZ7Uh4PS5uHp9/pq/izAcp7Mm8gDk3ks=
=PHaL
-----END PGP MESSAGE-----
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- created_at: "2022-07-18T06:44:35Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdAP67Vt9XQLyeHB5dxhTQPke7eKYKb6NPZ3c532BDsgSAg
D/6K9eDqbK6cnFnvtZ+Qa0zYS4wIexCgIRgLGA8omBXSXgHCPtGl/gBbdexcXXcL
cajDmIIOc7w8tPOg81CDVLT2hRPIWIOkbpFCqyKWqgCvPGHsHaMHdaEQh+E76HsS
qbURE+neOiNzKWzJrShPre7wtJyBQuGhXwyx4xmF6bc=
=1aA/
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1

View File

@ -3,39 +3,5 @@
{
services.yate = {
enable = true;
config = {
regfile.yate.password = "yate";
regexroute = "[default]
^4933921999799\\(.*\\)$=lateroute/yate;osip_x-called=\\1
\${sip_x-dialout-allowed}^1$=goto dialout
[dialout]
\${username}^$=-;error=noauth
^.*$=sip/sip:\\0;line=sipgate;osip_P-Preferred-Identity=<sip:4933921999799\${caller}@sipconnect.sipgate.de>;caller=3400888t0;domain=sipconnect.sipgate.de;";
};
};
sops.secrets.sipgate_password = {
owner = "yate";
restartUnits = [ "yate.service" ];
};
systemd.services.yate = {
preStart = let
accfile = pkgs.writeText "accfile.conf" (lib.generators.toINI { } {
sipgate = {
enabled = "yes";
protocol = "sip";
username = "3400888t0";
authname = "3400888t0";
password = "!!sipgate_password!!";
registrar = "sipconnect.sipgate.de";
localaddress = "yes";
};
});
in ''
${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat ${config.sops.secrets.sipgate_password.path})/g" ${accfile} > /etc/yate/accfile.conf
'';
serviceConfig.PermissionsStartOnly = true;
};
}

View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, ... }:
{
imports =
@ -91,52 +91,6 @@
};
};
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = let
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
in ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state {established, related} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
tcp dport 22 accept
tcp dport { ${tcpPorts} } accept
iif {vlan132, vlan133} accept
udp dport 5060 ip saddr { 10.42.10.9 } accept
udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
iif {vlan132, vlan133} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
ip saddr 10.42.201.0/24 accept
}
}
'';
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave

View File

@ -10,13 +10,8 @@
pool = "10.42.132.200 - 10.42.132.250";
router = "10.42.132.1";
dnsServers = "10.42.10.8";
omm = "10.42.132.2";
omm = "10.42.132.11";
reservations = [
{
name = "omm";
macAddress = "AA:C3:A9:26:1F:77";
ipAddress = "10.42.132.2";
}
{
name = "rfp-01";
macAddress = "00:30:42:1B:8C:7A";
@ -25,21 +20,4 @@
];
};
};
services.yate.config = {
accfile.dialout = {
enabled = "yes";
protocol = "sip";
username = "yate";
password = "yate";
registrar = "yate-dialup.bula22.de";
};
regexroute = "[default]
\${username}^$=-;error=noauth
^yate$=goto dialin
^.*$=line/\\0;line=dialout
[dialin]
\${sip_x-called}^.*$=lateroute/\\1";
};
}

View File

@ -41,7 +41,6 @@ in {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
RuntimeDirectory = "yate";
RuntimeDirectoryMode = "0755";
ConfigurationDirectory = "yate";
StateDirectory = "yate";
StateDirectoryMode = "0700";
PIDFile = "/run/yate/yate.pid";