From f15e212875a986b7c62713652c25aa8ee2d4d638 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 14 Dec 2023 11:30:26 +0000
Subject: [PATCH] totoro: enable freeswitch
---
 .hgignore | 3 +++
 ops/nixos/lib/common.nix | 1 +
 ops/nixos/lib/freeswitch.nix | 41 ++++++++++++++++++++++++++++++++
 ops/nixos/lib/freeswitch/.hgkeep | 0
 ops/nixos/totoro/default.nix | 4 ++++
 third_party/default.nix | 16 +++++++++++++
 6 files changed, 65 insertions(+)
 create mode 100644 ops/nixos/lib/freeswitch.nix
 create mode 100644 ops/nixos/lib/freeswitch/.hgkeep
diff --git a/.hgignore b/.hgignore
index dbac9f8bad..921543f5a7 100644
--- a/.hgignore
+++ b/.hgignore
@@ -4,6 +4,9 @@ ops/secrets/
+# For now, ignore the freeswitch config until I have it in a good state.
+ops/nixos/lib/freeswitch/
+
 ops/vault/cfg/tf/
 ops/vault/cfg/secrets.nix
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 6ba2c3fe36..905fe2409f 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -167,6 +167,7 @@ in
 lukegb = {
 isNormalUser = true;
 uid = 1000;
+ homeMode = "711";
 extraGroups = [ "wheel" "audio" ];
 hashedPassword = secrets.passwordHashes.lukegb;
 openssh.authorizedKeys.keyFiles = [
diff --git a/ops/nixos/lib/freeswitch.nix b/ops/nixos/lib/freeswitch.nix
new file mode 100644
index 0000000000..4724f692e7
--- /dev/null
+++ b/ops/nixos/lib/freeswitch.nix
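Review bot: The directory ignored here is the one the new `ops/nixos/lib/freeswitch.nix` points `configTemplate` at and that it forces `environment.etc.freeswitch.source` to read from `/home/lukegb/depot/ops/nixos/lib/freeswitch`, so the configuration a system service loads lives in an untracked, user-writable home directory rather than in the reviewed tree, and the `homeMode = "711"` change in the `common.nix` hunk exists, presumably, only so the service user can traverse that home, which also makes every world-readable file beneath it reachable by every other account on the host. The commit message calls this temporary, but a fresh checkout evaluates the module with nothing but `.hgkeep` in the template directory, so the "for now" should be recorded where it bites: above the `configTemplate` line add `# TODO: config is hgignored and served from $HOME; move it into the repo and drop the mkForce/homeMode workarounds`, with a matching one-line comment next to `homeMode`. Until that happens, a dedicated group on the directory (or a copy outside `$HOME` owned by the service user) would avoid loosening the home permissions for all users.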
@@ -0,0 +1,41 @@
+{ lib, ... }:
+
+{
+ config.services.freeswitch = {
+ enable = true;
+ enableReload = true;
+ configTemplate = ./freeswitch;
+ };
+
+ config.environment.etc.freeswitch.source = lib.mkForce "/home/lukegb/depot/ops/nixos/lib/freeswitch";
+ config.systemd.services.freeswitch-config-reload.before = lib.mkForce [];
+ config.networking.firewall.extraCommands = lib.mkAfter ''
+ # STUN
+ iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3478 -j ACCEPT
+ ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3478 -j ACCEPT
+ iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3479 -j ACCEPT
+ ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3479 -j ACCEPT
+
+ # SIP
+ iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5060 -j ACCEPT
+ iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5060 -j ACCEPT
+ ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
+ ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
+
+ # SIP + TLS
+ iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5061 -j ACCEPT
+ iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5061 -j ACCEPT
+ ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
+ ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
+
+ # Trunk SIP
+ #iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5080 -j ACCEPT
+ #iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5080 -j ACCEPT
+ #ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
+ #ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
+
+ # RTP
+ iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 16384:32768 -j ACCEPT
+ ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 16384:32748 -j ACCEPT
+ '';
+}
diff --git a/ops/nixos/lib/freeswitch/.hgkeep b/ops/nixos/lib/freeswitch/.hgkeep
new file mode 100644
index 0000000000..e69de29bb2
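Review bot: The IPv6 RTP rule on the last `ip6tables` line ends at `32748` while the IPv4 rule directly above it ends at `32768` (FreeSWITCH's default rtp-end), so the top twenty ports of the media range are accepted over v4 but dropped over v6; it should read `ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 16384:32768 -j ACCEPT`. The `# SIP + TLS` block also opens UDP 5061 on both address families, but SIP over TLS is carried over TCP only, so unless the (not visible, hgignored) FreeSWITCH profile binds a UDP listener on 5061 the two `-p udp ... --dport 5061` lines expose a port with nothing behind it and can be dropped. With 5060 now reachable from the internet on a fixed public address, this file is the natural place for a comment stating which mitigation is planned (log-driven banning, or a `--src` restriction to the trunk provider once the `# Trunk SIP` block is enabled), since unauthenticated SIP on 5060 is probed continuously. Finally, `lib.mkForce []` on `freeswitch-config-reload.before` overrides whatever ordering the NixOS module sets on that unit, and a one-line comment explaining why it must be empty would spare the next reader a trip to nixpkgs.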
diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index d36b859f6d..d4eafb6e99 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -17,6 +17,7 @@ in {
 ../lib/deluge.nix
 ../lib/plex.nix
 ../lib/tumblrandom.nix
+ ../lib/freeswitch.nix
 ./home-assistant.nix
 ./authentik.nix
 ./adsb.nix
@@ -99,6 +100,9 @@ in {
 ipv4.addresses = [
 { address = "192.168.1.40"; prefixLength = 24; }
 ];
+ ipv6.addresses = [
+ { address = "2a09:a443::1000"; prefixLength = 128; }
+ ];
 };
 interfaces.br-int = {
diff --git a/third_party/default.nix b/third_party/default.nix
index f27985a736..e2fce7cb7f 100644
--- a/third_party/default.nix
+++ b/third_party/default.nix
@@ -32,6 +32,22 @@ let
 platforms = oldAttrs.meta.platforms ++ [ "aarch64-linux" ];
 };
 });
+ sofia_sip = pkgs.sofia_sip.overrideAttrs (oldAttrs: {
+ src = pkgs.fetchFromGitHub {
+ owner = "lukegb";
+ repo = "sofia-sip";
+ rev = "2e1e3117f4ab1b7dff7e2a70b238ba2ff7a90d11"; # tls-sni branch
+ sha256 = "0llayw2a5nir0zx3hx4wf3kvyjfb5gksxv6wagwfbc0cca5qp1nc";
+ };
+ });
+ freeswitch = pkgs.freeswitch.overrideAttrs (oldAttrs: {
+ src = pkgs.fetchFromGitHub {
+ owner = "lukegb";
+ repo = "freeswitch";
+ rev = "4f5a64c7912364ccb1059c64463daf06aaf49745"; # rtp-avpf-moz-variable
+ sha256 = "1jdyk6d80jmsg6qn7hw58088yydn78g3kn3lmgg8argihb69pf2i";
+ };
+ });
 };
 };
 nixpkgs = import ./nixpkgs {
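Review bot: Both overrides in the `third_party/default.nix` hunk replace `src` with a personal fork commit but leave `version` untouched, so the resulting `sofia_sip` and `freeswitch` derivations still advertise the nixpkgs version string while containing different code; anything that matches advisories by pname/version will report against code that is not what was built, and future nixpkgs bumps of either package are silently ignored because `src` is pinned here. Setting `version = "${oldAttrs.version}-lukegb-tls-sni";` in the sofia_sip override (and the equivalent for freeswitch) makes the divergence visible in the store path, and a comment naming the upstream PR or issue each branch tracks gives a clear criterion for removing the override later. The pins themselves are sound: a fixed `rev` plus `sha256` is reproducible, and the branch names in the trailing comments are informational only. One thing to confirm: if this attribute set is not applied as an overlay, `pkgs.freeswitch` is still built against the unpatched `pkgs.sofia_sip`, so the tls-sni change would never reach the binary; the `let` context on the hunk header and the `nixpkgs = import ./nixpkgs {` line after it suggest a plain attribute set rather than an overlay.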