totoro: enable freeswitch

.hgignore

@@ -4,6 +4,9 @@
 
 ops/secrets/
 
+# For now, ignore the freeswitch config until I have it in a good state.
+ops/nixos/lib/freeswitch/
+
 ops/vault/cfg/tf/
 ops/vault/cfg/secrets.nix
 

ops/nixos/lib/common.nix

@@ -167,6 +167,7 @@ in
       lukegb = {
         isNormalUser = true;
         uid = 1000;
+        homeMode = "711";
         extraGroups = [ "wheel" "audio" ];
         hashedPassword = secrets.passwordHashes.lukegb;
         openssh.authorizedKeys.keyFiles = [

ops/nixos/lib/freeswitch.nix

@@ -0,0 +1,41 @@
+{ lib, ... }:
+
+{
+  config.services.freeswitch = {
+    enable = true;
+    enableReload = true;
+    configTemplate = ./freeswitch;
+  };
+
+  config.environment.etc.freeswitch.source = lib.mkForce "/home/lukegb/depot/ops/nixos/lib/freeswitch";
+  config.systemd.services.freeswitch-config-reload.before = lib.mkForce [];
+  config.networking.firewall.extraCommands = lib.mkAfter ''
+    # STUN
+    iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3478 -j ACCEPT
+    ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3478 -j ACCEPT
+    iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 3479 -j ACCEPT
+    ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 3479 -j ACCEPT
+
+    # SIP
+    iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5060 -j ACCEPT
+    iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5060 -j ACCEPT
+    ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
+    ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5060 -j ACCEPT
+
+    # SIP + TLS
+    iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5061 -j ACCEPT
+    iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5061 -j ACCEPT
+    ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
+    ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5061 -j ACCEPT
+
+    # Trunk SIP
+    #iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 5080 -j ACCEPT
+    #iptables -A nixos-fw -p tcp --dst 92.118.30.19 --dport 5080 -j ACCEPT
+    #ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
+    #ip6tables -A nixos-fw -p tcp --dst 2a09:a443::1000 --dport 5080 -j ACCEPT
+
+    # RTP
+    iptables -A nixos-fw -p udp --dst 92.118.30.19 --dport 16384:32768 -j ACCEPT
+    ip6tables -A nixos-fw -p udp --dst 2a09:a443::1000 --dport 16384:32748 -j ACCEPT
+  '';
+}

ops/nixos/totoro/default.nix

@@ -17,6 +17,7 @@ in {
     ../lib/deluge.nix
     ../lib/plex.nix
     ../lib/tumblrandom.nix
+    ../lib/freeswitch.nix
     ./home-assistant.nix
     ./authentik.nix
     ./adsb.nix
@@ -99,6 +100,9 @@ in {
       ipv4.addresses = [
         { address = "192.168.1.40"; prefixLength = 24; }
       ];
+      ipv6.addresses = [
+        { address = "2a09:a443::1000"; prefixLength = 128; }
+      ];
     };
 
     interfaces.br-int = {

third_party/default.nix

@@ -32,6 +32,22 @@ let
           platforms = oldAttrs.meta.platforms ++ [ "aarch64-linux" ];
         };
       });
+      sofia_sip = pkgs.sofia_sip.overrideAttrs (oldAttrs: {
+        src = pkgs.fetchFromGitHub {
+          owner = "lukegb";
+          repo = "sofia-sip";
+          rev = "2e1e3117f4ab1b7dff7e2a70b238ba2ff7a90d11";  # tls-sni branch
+          sha256 = "0llayw2a5nir0zx3hx4wf3kvyjfb5gksxv6wagwfbc0cca5qp1nc";
+        };
+      });
+      freeswitch = pkgs.freeswitch.overrideAttrs (oldAttrs: {
+        src = pkgs.fetchFromGitHub {
+          owner = "lukegb";
+          repo = "freeswitch";
+          rev = "4f5a64c7912364ccb1059c64463daf06aaf49745";  # rtp-avpf-moz-variable
+          sha256 = "1jdyk6d80jmsg6qn7hw58088yydn78g3kn3lmgg8argihb69pf2i";
+        };
+      });
     };
   };
   nixpkgs = import ./nixpkgs {