gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

project-wide: Cleanup and services + private overhaul

Browse source
This commit is contained in:
kat witch 2021-04-28 04:01:11 +01:00
parent 5f2309c773
commit f4b4ab2b28
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
36 changed files with 70 additions and 408 deletions
Download patch file Download diff file Expand all files Collapse all files

224
services/asterisk.nix
View file

@ -1,224 +0,0 @@
{ config, pkgs, witch, ... }:
{
katnet.public.tcp.ports = [ 5160 5060 ];
katnet.public.udp.ports = [ 5160 5060 ];
katnet.public.tcp.ranges = [{
from = 10000;
to = 20000;
}];
katnet.public.udp.ranges = [{
from = 10000;
to = 20000;
}];
services.fail2ban.jails = {
asterisk = ''
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/messages
maxretry = 4
'';
};
services.asterisk = {
enable = true;
confFiles = {
"rtp.conf" = ''
[general]
rtpstart=10000
rtpend=20000
'';
"extensions.conf" = ''
[from-twilio]
exten => _.,1,Dial(SIP/1337,20)
[from-signalwire]
exten => s,1,Set(numb=''${CUT(CUT(PJSIP_HEADER(read,To),@,1),:,2)})
same => n,Dial(SIP/1337,20)
[from-internal]
exten => _1X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.us}>)
same => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
same => n(end),Hangup()
exten => _2X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.canada}>)
same => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
same => n(end),Hangup()
exten => _3X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.uk}>)
same => n,Dial(PJSIP/+''${EXTEN:1}@twilio-ie)
same => n(end),Hangup()
'';
"pjproject.conf" = ''
; Common pjproject options
;
;========================LOG_MAPPINGS SECTION OPTIONS===============================
;[log_mappings]
; SYNOPSIS: Provides pjproject to Asterisk log level mappings.
; NOTES: The name of this section in the pjproject.conf configuration file must
; remain log_mappings or the configuration will not be applied.
; The defaults mentioned below only apply if this file or the 'log_mappings'
; object can'tbe found. If the object is found, there are no defaults. If
; you don't specify an entry, nothing will be logged for that level.
;
;asterisk_error = ; A comma separated list of pjproject log levels to map to
; Asterisk errors.
; (default: "0,1")
;asterisk_warning = ; A comma separated list of pjproject log levels to map to
; Asterisk warnings.
; (default: "2")
;asterisk_notice = ; A comma separated list of pjproject log levels to map to
; Asterisk notices.
; (default: "")
;asterisk_verbose = ; A comma separated list of pjproject log levels to map to
; Asterisk verbose.
; (default: "")
;asterisk_debug = ; A comma separated list of pjproject log levels to map to
; Asterisk debug
; (default: "3,4,5")
;type= ; Must be of type log_mappings (default: "")
'';
"sip.conf" = ''
[general]
;; Only uncomment this if you want to connect to a different SIP server and receive calls from it
context=public
allowguest=no
udpbindaddr=0.0.0.0:5160
tcpbindaddr=0.0.0.0:5160
tcpenable=yes
transport=udp,tcp
disallow=all
allow=speex32
allow=g722
allow=ulaw
allow=alaw
allow=gsm
allow=g726
[1337]
type=friend
context=from-internal
host=dynamic
secret=${witch.secrets.hosts.athame.phone.password}
nat=force_rport,comedia
'';
"pjsip_wizard.conf" = ''
[user_defaults](!)
type = wizard
accepts_registrations = yes
sends_registrations = no
accepts_auth = yes
sends_auth = no
endpoint/context = from-internal
endpoint/tos_audio=ef
endpoint/tos_video=af41
endpoint/cos_audio=5
endpoint/cos_video=4
endpoint/allow = !all,ulaw
endpoint/dtmf_mode= rfc4733
endpoint/aggregate_mwi = yes
endpoint/use_avpf = no
endpoint/rtcp_mux = no
endpoint/bundle = no
endpoint/ice_support = no
endpoint/media_use_received_transport = no
endpoint/trust_id_inbound = yes
endpoint/media_encryption = no
endpoint/timers = yes
endpoint/media_encryption_optimistic = no
endpoint/send_pai = yes
endpoint/rtp_symmetric = yes
endpoint/rewrite_contact = yes
endpoint/force_rport = yes
endpoint/language = en
[trunk_defaults](!)
type = wizard
endpoint/transport=0.0.0.0-udp
endpoint/allow = !all,ulaw
endpoint/t38_udptl=no
endpoint/t38_udptl_ec=none
endpoint/fax_detect=no
endpoint/trust_id_inbound=no
endpoint/t38_udptl_nat=no
endpoint/direct_media=no
endpoint/rewrite_contact=yes
endpoint/rtp_symmetric=yes
endpoint/dtmf_mode=rfc4733
endpoint/allow_subscribe = no
aor/qualify_frequency = 60
[twilio-ie](trunk_defaults)
sends_auth = yes
sends_registrations = no
remote_hosts = kat-asterisk.pstn.dublin.twilio.com
outbound_auth/username = asterisk
outbound_auth/password = ${witch.secrets.hosts.athame.phone.endpoint.password.twilio}
endpoint/context = from-twilio
aor/qualify_frequency = 60
'';
"pjsip.conf" = ''
[global]
type=global
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
allow_reload=no
tos=cs3
cos=3
[signalwire]
type=auth
auth_type=userpass
username=asterisk ; Your username
password=${witch.secrets.hosts.athame.phone.endpoint.password.signalwire}
[signalwire]
type=aor
contact=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
[signalwire]
type=endpoint
transport=transport-udp
outbound_auth=signalwire ; Note that there is only an outbound_auth, as we do not challenge when a call arrives inbound
aors=signalwire
disallow=all
allow=speex32
allow=g722
allow=ulaw
allow=alaw
allow=gsm
allow=g726
from_user=asterisk
from_domain=${witch.secrets.hosts.athame.phone.endpoint.url}
media_encryption=sdes ; Note that we are using encryption
context=from-signalwire
[signalwire]
type=registration
server_uri=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
client_uri=sip:asterisk@${witch.secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
outbound_auth=signalwire
[signalwire]
type=identify
endpoint=signalwire
match=${witch.secrets.hosts.athame.phone.endpoint.url}
'';
"logger.conf" = ''
[general]
dateformat=%F %T
[logfiles]
; Add debug output to log
messages => security, notice,warning,error
syslog.local0 => notice,warning,error,debug
'';
};
};
}

3
services/bitwarden.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, witch, ... }:
{ config, pkgs, ... }:
{
services.postgresql = {
@ -16,7 +16,6 @@
rocketPort = 4000;
websocketEnabled = true;
signupsAllowed = false;
adminToken = witch.secrets.hosts.athame.bitwarden_secret;
domain = "https://vault.kittywit.ch";
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
};

10
services/mail.nix
View file

@ -1,4 +1,4 @@
{ config, lib, tf, pkgs, witch, sources, ... }:
{ config, lib, tf, pkgs, sources, ... }:
with lib;
@ -82,14 +82,6 @@ with lib;
txt.value = tf.variables.domainkey_kitty.ref;
};
secrets.files = {
kat_mail_hash = {
source = ../private/files/mail/kat-pw-hash;
owner = "kat";
group = "users";
};
};
mailserver = {
enable = true;
fqdn = "athame.kittywit.ch";

8
services/matrix.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, witch, ... }:
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];
@ -13,7 +13,6 @@
services.matrix-synapse = {
enable = true;
registration_shared_secret = witch.secrets.hosts.athame.matrix_secret;
max_upload_size = "512M";
server_name = "kittywit.ch";
app_service_config_files = [
@ -34,10 +33,6 @@
}];
};
secrets.files = {
telegram-env = { source = ../private/files/matrix/mautrix-telegram.env; };
};
services.mautrix-telegram = {
enable = true;
settings = {
@ -62,7 +57,6 @@
};
};
};
environmentFile = config.secrets.files.telegram-env.path;
};
systemd.services.mx-puppet-discord = {

4
services/nginx.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, witch, tf, ... }:
{ config, lib, pkgs, tf, ... }:
with lib;
@ -37,7 +37,7 @@ with lib;
};
security.acme = {
email = witch.secrets.unscoped.acme.email;
email = "acme@kittywit.ch";
acceptTerms = true;
};
}

26
services/syncplay.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, witch, ... }:
{ config, lib, pkgs, tf, ... }:
with lib;
@ -21,16 +21,32 @@ with lib;
cname.target = "athame.kittywit.ch.";
};
deploy.tf.variables.syncplay_pass = {
type = "string";
value.shellCommand = "bitw get infra/syncplay-server -f password";
};
deploy.tf.variables.syncplay_salt = {
type = "string";
value.shellCommand = "bitw get infra/syncplay-salt -f password";
};
secrets.files.syncplay-env = {
text = ''
SYNCPLAY_PASSWORD=${tf.variables.syncplay_pass.ref}
SYNCPLAY_SALT=${tf.variables.syncplay_salt.ref}
'';
owner = "syncplay";
group = "sync-cert";
};
systemd.services.syncplay = {
environment = {
SYNCPLAY_PASSWORD = witch.secrets.hosts.athame.syncplay.password;
SYNCPLAY_SALT = witch.secrets.hosts.athame.syncplay.salt;
};
description = "Syncplay Service";
wantedBy = singleton "multi-user.target";
after = singleton "network-online.target";
serviceConfig = {
EnvironmentFile = config.secrets.files.syncplay-env.path;
ExecStart =
"${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.kittywit.ch/ --disable-ready";
User = "syncplay";

40
services/znc.nix
View file

@ -1,40 +0,0 @@
{ config, lib, pkgs, witch, ... }:
with lib;
{
katnet.public.tcp.ports = singleton 5001;
services.znc = {
enable = true;
mutable = false;
useLegacyConfig = false;
openFirewall = false;
config = {
Listener.l = {
Port = 5000;
SSL = false;
AllowWeb = true;
};
Listener.j = {
Port = 5001;
SSL = true;
AllowWeb = false;
};
modules = [ "webadmin" "adminlog" ];
User = witch.secrets.hosts.athame.znc;
};
};
services.nginx.virtualHosts."znc.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
};
deploy.tf.dns.records.kittywitch_znc = {
tld = "kittywit.ch.";
domain = "znc";
cname.target = "athame.kittywit.ch.";
};
}