totoro: enable freeswitch

This commit is contained in:
Luke Granger-Brown 2023-12-14 11:30:26 +00:00
parent bfa589889f
commit f15e212875
6 changed files with 65 additions and 0 deletions


@ -4,6 +4,9 @@
ops/secrets/ ops/secrets/
# For now, ignore the freeswitch config until I have it in a good state.
ops/nixos/lib/freeswitch/
ops/vault/cfg/tf/ ops/vault/cfg/tf/
ops/vault/cfg/secrets.nix ops/vault/cfg/secrets.nix


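--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -167,6 +167,7 @@ in
 lukegb = {
 isNormalUser = true;
 uid = 1000;
+homeMode = "711";
 extraGroups = [ "wheel" "audio" ];
 hashedPassword = secrets.passwordHashes.lukegb;
 openssh.authorizedKeys.keyFiles = [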
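Review bot: `homeMode = "711";` on the added line gives every other local account traverse access to /home/lukegb, and the hunk carries no comment saying why. Read together with the new ../lib/freeswitch.nix in this commit, which forces environment.etc.freeswitch.source to /home/lukegb/depot/ops/nixos/lib/freeswitch, the likely reason is to let the freeswitch service reach that checkout; that is an inference, so please confirm. Once the directory chain is traversable, any world-readable file anywhere under the home directory becomes readable by every user and service account, not only the one that needs it. An ACL granting execute only to the service's user on the path components, or a copy of the config outside the home directory, keeps the rest of the home closed; at minimum add `# 711: other accounts may traverse but not list; lets the freeswitch service read ~/depot/ops/nixos/lib/freeswitch`. The `lukegb = {` attribute set continues past the end of the hunk.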


@ -0,0 +1,41 @@
{ lib, ... }:
{
config.services.freeswitch = {
enable = true;
enableReload = true;
configTemplate = ./freeswitch;
};
config.environment.etc.freeswitch.source = lib.mkForce "/home/lukegb/depot/ops/nixos/lib/freeswitch";
config.systemd.services.freeswitch-config-reload.before = lib.mkForce [];
config.networking.firewall.extraCommands = lib.mkAfter ''
# STUN
iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3478 -j ACCEPT
ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3478 -j ACCEPT
iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3479 -j ACCEPT
ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3479 -j ACCEPT
# SIP
iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5060 -j ACCEPT
iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5060 -j ACCEPT
ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
# SIP + TLS
iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5061 -j ACCEPT
iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5061 -j ACCEPT
ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
# Trunk SIP
#iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5080 -j ACCEPT
#iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5080 -j ACCEPT
#ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
#ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
# RTP
iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 16384:32768 -j ACCEPT
ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 16384:32748 -j ACCEPT
'';
}
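Review bot: The last ip6tables rule ends the RTP port range at 32748 while the matching iptables rule directly above it uses 32768, which reads as a typo and leaves the top 20 RTP ports accepted on IPv4 but refused on IPv6; `ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 16384:32768 -j ACCEPT` makes the two consistent. Separately, `environment.etc.freeswitch.source` is forced to a directory under /home/lukegb that the same commit adds to the ignore file, so the dialplan and SIP profiles the running service loads come from a user-writable checkout rather than the Nix store and cannot be reproduced from the repository; the `configTemplate = ./freeswitch;` set a few lines earlier appears to be overridden by that mkForce. Any change to that checkout by whoever holds the account becomes a change to the live telephony configuration with no rebuild, which is worth a comment such as `# TEMPORARY: config is read live from the checkout (mkForce over configTemplate) until it is stable enough to commit` plus a tracking item to drop the override. The `freeswitch-config-reload.before = lib.mkForce [];` line also deserves a one-line comment on which ordering it removes and why.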


@ -17,6 +17,7 @@ in {
../lib/deluge.nix ../lib/deluge.nix
../lib/plex.nix ../lib/plex.nix
../lib/tumblrandom.nix ../lib/tumblrandom.nix
../lib/freeswitch.nix
./home-assistant.nix ./home-assistant.nix
./authentik.nix ./authentik.nix
./adsb.nix ./adsb.nix
@ -99,6 +100,9 @@ in {
ipv4.addresses = [ ipv4.addresses = [
{ address = "192.168.1.40"; prefixLength = 24; } { address = "192.168.1.40"; prefixLength = 24; }
]; ];
ipv6.addresses = [
{ address = "2a09:a443::1000"; prefixLength = 128; }
];
}; };
interfaces.br-int = { interfaces.br-int = {
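Review bot: The new ipv6.addresses entry hard-codes 2a09:a443::1000, the same address that the firewall rules in ../lib/freeswitch.nix (imported in the first hunk of this file) use as `--dst`; nothing ties the two together, so renumbering here would silently leave the SIP/RTP accept rules matching nothing. A comment on the new entry, `# also hard-coded as --dst in ../lib/freeswitch.nix firewall rules; keep in sync`, or lifting the address into a shared `let` binding, would make the coupling visible. The enclosing interface block starts before the hunk.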


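--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -32,6 +32,22 @@ let
 platforms = oldAttrs.meta.platforms ++ [ "aarch64-linux" ];
 };
 });
+sofia_sip = pkgs.sofia_sip.overrideAttrs (oldAttrs: {
+src = pkgs.fetchFromGitHub {
+owner = "lukegb";
+repo = "sofia-sip";
+rev = "2e1e3117f4ab1b7dff7e2a70b238ba2ff7a90d11"; # tls-sni branch
+sha256 = "0llayw2a5nir0zx3hx4wf3kvyjfb5gksxv6wagwfbc0cca5qp1nc";
+};
+});
+freeswitch = pkgs.freeswitch.overrideAttrs (oldAttrs: {
+src = pkgs.fetchFromGitHub {
+owner = "lukegb";
+repo = "freeswitch";
+rev = "4f5a64c7912364ccb1059c64463daf06aaf49745"; # rtp-avpf-moz-variable
+sha256 = "1jdyk6d80jmsg6qn7hw58088yydn78g3kn3lmgg8argihb69pf2i";
+};
+});
 };
 };
 nixpkgs = import ./nixpkgs {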
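Review bot: Both new overrideAttrs blocks replace the source of sofia_sip and freeswitch with personal GitHub forks pinned by rev and sha256, which is the right way to pin, but they keep the base derivation's `version` and any `patches` it carries, so the package metadata (and anything that matches nixpkgs versions against advisories) now describes source the package is no longer built from. sofia-sip is the SIP/TLS stack behind the 5060/5061 listeners this commit opens to the public addresses, so it is the one to watch for upstream fixes that the fork will not pick up automatically. Extending the existing `# tls-sni branch` and `# rtp-avpf-moz-variable` comments with the upstream commit each branch sits on (placeholder: `# tls-sni branch, on top of upstream <BASE-COMMIT>`), and adding `version = "${oldAttrs.version}-lukegb";` or similar to each override, would keep the provenance visible in the closure. Whether the nixpkgs patches still apply cleanly to the forks is not visible here and worth confirming. The enclosing `let` block starts before the hunk.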