Migrate from freeswitch to flexisip

10 files changed, 2578 insertions, 704 deletions

diff --git a/personal_infra/README.md b/personal_infra/README.md
index f2c50239..0ec015ec 100644
--- a/personal_infra/README.md
+++ b/personal_infra/README.md
@@ -13,7 +13,7 @@ See [HACKING](HACKING.md) for more "usage" instructions.
   * LXC container running a FreeIPA replica
   * LXC container running Miniflux
   * LXC container running Nextcloud
-  * LXC container running FreeSWITCH
+  * LXC container running Flexisip
   * LXC container running Vaultwarden
   * LXC container running ClickHouse
   * LXC container running SeaweedFS (for Takahe)
@@ -160,35 +160,24 @@ However, I need to provide calls between my home and another home using physical
 The key to this is the SIP protocol.
 You can get classical phones that work using the SIP protocol, or ATA devices that turn a regular phone into a SIP phone.
 
-I installed FreeSWITCH from the [OKay repo](https://okay.network/blog-news/rpm-repositories-for-centos-6-and-7.html).
-FreeSWITCH comes with a fairly complete default configuration.
-By default it will set up extensions in the 1000...1020 range, with a configurable single password for all extensions, plus some extensions for test calls, etc.
+I installed Flexisip.
 
 The major difficulty in setting a SIP server is networking.
-I run FreeSWITCH in an LXC container on Proxmox.
+I run Flexisip in an LXC container on Proxmox.
 I expose the SIP server's SSL TCP port to the Internet, plus a range of UDP ports, using iptables.
 (I consulted some SIP forums, and apparently there are no major hardening requirements in exposing a SIP server to the Internet, although I think maybe it's better to use a SIP proxy.)
 You can also use STUN/TURN servers, but I had lots of trouble getting that set up.
-Also by default, FreeSWITCH figures out a public IP- if you want to get FreeSWITCH working behind a VPN, you need to disable that.
 
 For the phones, I bought and set up two Grandstream HT801 ATA devices.
 Those are quite cheap (around 40€), but they are quite fancy professional network devices, with a rough but featureful UI (they can do OpenVPN, SNMP, etc.).
 They connect directly to FreeSWITCH over the Internet, autoconfiguring via DHCP, so in theory they could work anywhere in the world with a network connection.
 After configuration and assigning an extension, you only need to connect cheap wireless phones to them, and start making calls with the 1000...1020 extensions.
 
-For testing and occasional calls I use [Baresip](https://github.com/baresip/baresip) from F-Droid in my smartphone, and from Debian in my laptop.
+For testing and occasional calls I use [Baresip](https://github.com/baresip/baresip) and [Linphone](https://www.linphone.org/) from F-Droid in my smartphone, and from Debian in my laptop.
 For smartphones, SIP has the drawback that it requires a persistent connection to the SIP server to receive calls- thus draining the battery a bit.
-Some SIP setups use push notifications to get around that, but that seemed to be complex.
+Linphone/Flexisip are supposed to use mobile push, but I have not set this up.
 So the only devices that are connected 24/7 are the ATAs, I use my smartphone and my laptop occasionally.
 
-SIP allows many other interesting stuff such as:
-
-* Instant messaging
-* Videoconferencing
-* Advanced phone features (conferences, barging in, voicemail, automation)
-
-So you can do real fancy stuff with it, but I haven't looked at it, because really I just need calls over two households on physical classical wireless handsets.
-
 ## Possible improvements
 
 * Add a lab so I can experiment with things in isolated environments.
diff --git a/personal_infra/puppet/modules/freeswitch/README.md b/personal_infra/puppet/modules/flexisip/README.md
index f44a17bb..f44a17bb 100644
--- a/personal_infra/puppet/modules/freeswitch/README.md
+++ b/personal_infra/puppet/modules/flexisip/README.md
diff --git a/personal_infra/puppet/modules/flexisip/manifests/init.pp b/personal_infra/puppet/modules/flexisip/manifests/init.pp
new file mode 100644
index 00000000..9ed962de
--- /dev/null
+++ b/personal_infra/puppet/modules/flexisip/manifests/init.pp
@@ -0,0 +1,51 @@
+class flexisip($flexisip_sdp_port_range_min, $flexisip_sdp_port_range_max, $flexisip_user_database, $flexisip_domain) {
+    file {'/etc/yum.repos.d/BelledonneCom.repo':
+      content => @(EOT)
+      # keep this repository enabled even if you enable beta/alpha repositories
+      [Belledonne-stable]
+      name=Belledonne-stable
+      baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/stable
+      enabled=1
+      gpgcheck=0
+
+      # enable this if you want post-release patches
+      [Belledonne-hotfix]
+      name=Belledonne-hotfix
+      baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/hotfix
+      enabled=1
+      gpgcheck=0
+
+      # enable this if you want next release beta packages
+      [Belledonne-beta]
+      name=Belledonne-beta
+      baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/beta
+      enabled=0
+      gpgcheck=0
+
+      # enable this to have development (unstable) packages
+      [Belledonne-alpha]
+      name=Belledonne-alpha
+      baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/alpha
+      enabled=0
+      gpgcheck=0
+      | EOT
+      ,
+    }
+    ->
+    package {'bc-flexisip':}
+    ->
+    file {'/etc/flexisip/flexisip.conf':
+      content => template('flexisip/flexisip.conf'),
+    }
+    ~>
+    service {'flexisip-proxy':
+        ensure => running,
+        enable => true,
+    }
+
+    file {'/etc/flexisip/users.db.txt':
+      content => $flexisip_user_database,
+      require => Package['bc-flexisip'],
+      notify => Service['flexisip-proxy'],
+    }
+}
diff --git a/personal_infra/puppet/modules/flexisip/templates/flexisip.conf b/personal_infra/puppet/modules/flexisip/templates/flexisip.conf
new file mode 100644
index 00000000..3fde5125
--- /dev/null
+++ b/personal_infra/puppet/modules/flexisip/templates/flexisip.conf
@@ -0,0 +1,2477 @@
+##
+## This is the default Flexisip (v2.4.2-30-g42e30f2d) configuration
+## file
+##
+
+
+
+
+
+##
+## Some global settings of the flexisip proxy.
+##
+[global]
+
+# Servers started by default when '--server' is not specified in
+# the command line. Possible values are: 'proxy', 'presence', 'conference',
+# 'regevent' and 'b2bua'. Each value must be separated by a whitespace.
+# Default: proxy
+#default-servers=proxy
+
+# Automatically respawn Flexisip in case of abnormal termination
+# (crashes). This only has an effect if Flexisip is launched with
+# '--daemon' option
+# Default: true
+#auto-respawn=true
+
+# Path to the directory that contains plugins.
+# Default: /opt/belledonne-communications/lib64/flexisip/plugins
+#plugins-dir=/opt/belledonne-communications/lib64/flexisip/plugins
+
+# Plugins to load.
+# The list of installed plugins can be found at <prefix>/lib/flexisip/plugins.
+# The name of a plugin can be built from the corresponding library
+# name by removing the extension and the 'lib' prefix.
+# Example: 'jweauth' will load libjweauth.so at runtime.
+# Default: 
+#plugins=
+
+# Generate a core dump on crash.
+# On GNU/Linux, the action to do on core dump is defined by the
+# kernel file '/proc/sys/kernel/core_pattern'.
+# On recent distributions like RHEL 8, the generated core dumps
+# are given by default to the core manager of SystemD. Core dumps
+# can easily be listed by using the coredumpctl(1) command.
+# On older distributions, core dumps are often written in the root
+# ('/') directory. If your root directory has little available space,
+# it is recommended to relocate your core dumps in another place
+# by modifying the 'core_pattern' file on system boot. This can
+# be done by adding the following line in '/etc/rc.local':
+#     echo '/home/cores/core.%e.%t.%p' > /proc/sys/kernel/core_pattern
+# 
+# See core(5) manual for more information about core handling on
+# GNU/Linux.
+# Default: false
+#dump-corefiles=false
+
+# Enable SNMP.
+# Default: false
+#enable-snmp=false
+
+# Path to the directory where log files will be created.
+# WARNING: Flexisip has no embedded log rotation system but provides
+# a configuration file for logrotate.
+# Please make sure that logrotate is installed and running on your
+# system in order to have Flexisip's logs rotated. Log rotation
+# can be customized by editing /etc/logrotate.d/flexisip-logrotate.
+# Default: /var/opt/belledonne-communications/log/flexisip
+#log-directory=/var/opt/belledonne-communications/log/flexisip
+
+# Name of the log file
+# .The string '{server}' is a placeholder that is replaced with
+# the corresponding server type. If several server types are specified,
+# then '{server}' will be replaced by the concatenation of all server
+# types separated by a '+' character.
+# Example: 'proxy+presence'.
+# Default: flexisip-{server}.log
+#log-filename=flexisip-{server}.log
+
+# Logging verbosity.
+# Possible values are: 'debug', 'message', 'warning' and 'error'
+# Default: error
+#log-level=error
+
+# Syslog logging verbosity.
+# Possible values are: 'debug', 'message', 'warning' and 'error'
+# Default: error
+#syslog-level=error
+
+# Sofia-SIP logging verbosity.
+# These logs are only displayed if 'log-level' is set to 'debug'
+# or if the program is started with the '-d' (--debug) option. The
+# verbosity levels range from 1 to 9:
+#     1 -> Critical errors
+#     2 -> Non-critical errors
+#     3 -> Warnings and progress messages
+#     5 -> Signaling protocol actions
+#     7 -> Media protocol actions
+#     9 -> Entering/exiting functions
+# Default: 5
+#sofia-level=5
+
+# Log user errors (on a different logging domain).
+# Examples: authentication operations, registration events, requests
+# routing, etc...
+# Default: false
+#user-errors-logs=false
+
+# A boolean expression applied to the processing of all SIP requests.
+# When the expression evaluates to 'true', use the 'contextual-log-level'
+# logging level for all the logs generated during the processing
+# of the current request. This is useful to debug a certain scenario
+# on a production environment.
+# The definition of SIP boolean expressions is the same as for entry
+# filters of modules, which is documented here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#contextual-log-filter=
+
+# Logging verbosity of contextual logs.
+# Default: debug
+#contextual-log-level=debug
+
+# A boolean expression applied to the processing of all SIP requests.
+# When the expression evaluates to 'true', log the request body.
+# Cannot be empty, use 'true' or 'false' instead.
+# The definition of SIP boolean expressions is documented here:
+# https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Example: content-type == 'application/sdp' && request.method ==
+# 'MESSAGE'
+# Default: content-type == 'application/sdp'
+#show-body-for=content-type == 'application/sdp'
+
+# List of whitespace separated SIP URIs where the proxy must listen.
+# Wildcard (*) means 'all local ip addresses'. If the 'transport'
+# parameter is not specified, the server will listen on both UDP
+# and TCP transports. A local address to bind onto can be specified
+# using the 'maddr' SIP URI parameter. The domain part of SIP URIs
+# are used as public domain or ip address.
+# The 'sips' transport definition accepts some optional parameters:
+#  - 'tls-certificates-dir': path, has the same meaning as the 'tls-certificates-dir'
+#    parameter of this section (overriding only applies for the current
+#    SIP URI).
+#  - 'tls-certificates-file': file path, has the same meaning as
+#    the 'tls-certificates-file' parameter of this section (overriding
+#    only applies for the current SIP URI).
+#  - 'tls-certificates-private-key': file path, has the same meaning
+#    as the 'tls-certificates-private-key' parameter of this section
+#    (overriding only applies for the current SIP URI).
+#  - 'tls-certificates-ca-file': file path, has the same meaning
+#    as the 'tls-certificates-ca-file' parameter of this section (overriding
+#    only applies for the current SIP URI).
+#  - 'tls-verify-incoming': value in {'0', '1'}, indicates whether
+#    clients are required to present a valid client certificate or
+#    not (defaults to '0').
+#  - 'tls-allow-missing-client-certificate': value in {'0', '1'},
+#    allow connections from clients that have no certificate even if
+#    `tls-verify-incoming` is enabled (useful if you want Flexisip
+#    to ask for a client certificate but do not fail if the client
+#    cannot provide one).
+#  - 'tls-verify-outgoing': value in {'0', '1'}, whether Flexisip
+#    should verify the peer certificate when it creates an outgoing
+#    TLS connection to another server (defaults to '1').
+#  - 'require-peer-certificate': (deprecated) same as 'tls-verify-incoming'
+# 
+# It is HIGHLY RECOMMENDED to specify a canonical name for 'sips'
+# transports, so that the proxy can advertise this information in
+# 'Record-Route' headers, which allows TLS cname verifications to
+# be performed by clients.
+# Specifying a SIP URI with 'transport=tls' is not allowed: the
+# 'sips' scheme must be used instead. As requested by SIP RFC, IPv6
+# addresses must be enclosed within brackets.
+# 
+# Here are some examples to understand:
+#  - listen on all local interfaces for UDP and TCP, on standard
+#    port:
+# 	transports=sip:*
+#  - listen on all local interfaces for UDP, TCP and TLS, on standard
+#    ports:
+# 	transports=sip:* sips:*
+#  - listen only a specific IPv6 interface, on standard ports, with
+#    UDP, TCP and TLS
+# 	transports=sip:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083] sips:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083]
+#  - listen on TLS localhost with 2 different ports and SSL certificates:
+# 	transports=sips:localhost:5061;tls-certificates-dir=path_a sips:localhost:5062;tls-certificates-dir=path_b
+#  - listen on TLS localhost with 2 peer certificate requirements:
+# 	transports=sips:localhost:5061;tls-verify-incoming=0 sips:localhost:5062;tls-verify-incoming=1
+#  - listen on 192.168.0.29:6060 with TLS, but public hostname is
+#    'sip.linphone.org' used in SIP requests. Bind address won't appear
+#    in requests:
+# 	transports=sips:sip.linphone.org:6060;maddr=192.168.0.29
+# Default: sip:*
+transports=sips:<%= @flexisip_domain %>;maddr=*
+
+# List of whitespace separated host names pointing to this machine.
+# This is to prevent loops while routing SIP requests.
+# Default: localhost
+aliases=<%= @flexisip_domain %>
+
+# Time interval after which inactive connections are closed.
+# Default: 3600
+# Default unit: second
+#idle-timeout=3600
+
+# Time interval for sending "\r\n\r\n" keepalive packets on inbound
+# and outbound connections.
+# The main purpose of sending keepalive packets is to keep connections
+# alive across NATs. It also helps to detect silently broken connections
+# which can reduce the number of socket descriptors used by Flexisip.
+# A value of zero deactivates this feature
+# Default: 1800
+# Default unit: second
+#keepalive-interval=1800
+
+# Time interval for sending "\r\n\r\n" keepalive packets for proxy-to-proxy
+# connections.
+# Indeed, while it is undesirable to send frequent keepalive packets
+# to mobile clients (it drains their battery), sending frequent
+# keepalive packets has proven to be helpful to keep connections
+# up between proxy nodes in a very popular US virtualized datacenter.
+# A value of zero deactivates this feature.
+# Default: 0
+# Default unit: second
+#proxy-to-proxy-keepalive-interval=0
+
+# SIP transaction timeout.
+# Set to T1*64 by default.
+# Default: 32000
+# Default unit: millisecond
+#transaction-timeout=32000
+
+# The UDP MTU.
+# Flexisip will fallback to TCP when sending a request whose size
+# exceeds the UDP MTU. Please read https://sofia-sip.sourceforge.net/refdocs/nta/nta__tag_8h.html#a6f51c1ff713ed4b285e95235c4cc999a
+# for more details. If sending large packets over UDP is not a problem,
+# then set a big value such as 65535. Unlike the recommendation
+# of the RFC, the default value of UDP MTU is 1460 in Flexisip (instead
+# of 1300).
+# Default: 1460
+#udp-mtu=1460
+
+# Maximum number of bytes read at once when extracting data from
+# a TCP socket. WARNING: a SIP request (headers + body) cannot exceed
+# this amount of bytes otherwise the parsing will fail
+# Default: 524288
+#tcp-max-read-size=524288
+
+# Bind address for all RTP streams (MediaRelay and Transcoder).
+# This parameter is only useful for some specific networks, keeping
+# the default value is recommended.
+# Default: 0.0.0.0 ::0
+#rtp-bind-address=0.0.0.0 ::0
+
+# Path to the file containing the server certificate chain.
+# The file must be in PEM format, see OpenSSL SSL_CTX_use_certificate_chain_file
+# documentation. If used, 'tls-certificates-private-key' MUST be
+# set.
+# Default: 
+tls-certificates-file=/etc/pki/tls/certs/localhost.crt
+
+# Path to the file containing the private key.
+# See OpenSSL SSL_CTX_use_PrivateKey_file documentation. If used,
+# 'tls-certificates-file' MUST be set.
+# Default: 
+tls-certificates-private-key=/etc/pki/tls/private/localhost.key
+
+# Path to the file containing CA certificates.
+# See OpenSSL SSL_CTX_load_verify_locations and SSL_CTX_set_client_CA_list
+# documentation. Can be empty.
+# Default: 
+#tls-certificates-ca-file=
+
+# Cipher strings to pass to OpenSSL in order to limit the cipher
+# suites to use while establishing TLS sessions.
+# Please take a look at ciphers(1) UNIX manual to get the list of
+# supported keywords by your current version of OpenSSL. You might
+# visit https://www.openssl.org/docs/manmaster/man1/ciphers.html
+# too. The default value set by Flexisip should provide a high level
+# of security while keeping an acceptable level of interoperability
+# with currently deployed clients on the market.
+# Default: HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL
+#tls-ciphers=HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL
+
+# Ask for client certificate on TLS session establishing.
+# Default: false
+#require-peer-certificate=false
+
+# Unique ID used to identify this Flexisip instance.
+# It must be a randomly generated 16-sized hexadecimal number. If
+# empty, it will be generated each time Flexisip starts.
+# Default: 
+#unique-id=
+
+# Number of SIP requests that Sofia-SIP can queue in a transport
+# (a connection). It is 64 by default, hardcoded in Sofia-SIP (Sofia-SIP
+# also used to hardcode a maximum value of 1000). This is not sufficient
+# for instant messaging applications.
+# Default: 1000
+#tport-message-queue-size=1000
+
+# Interval between logs about server memory usage.
+# This feature periodically logs the value occupied in RAM by the
+# process (VmRSS). These logs use debug level.
+# Only works on Linux.
+# Set to 0 in order to disable the feature.
+# Default: 0
+# Default unit: second
+#memory-usage-log-interval=0
+
+
+
+
+
+
+##
+## This section contains some parameters useful when the current
+## proxy is part of a network of proxies (cluster) which serve the
+## same domain.
+##
+[cluster]
+
+# Enable cluster mode.
+# If 'false', the parameters of the [cluster] section will not have
+# any effect.
+# Default: false
+#enabled=false
+
+# Domain name that enables external SIP agents to access to the
+# cluster.
+# Such domain is often associated to DNS SRV records for each proxy
+# of the cluster, so that DNS resolution returns the address of
+# a specific proxy randomly.
+# Flexisip uses that domain when it needs to insert a 'Path' or
+# 'Record-route' header addressing the cluster instead of itself.
+# Default: 
+#cluster-domain=
+
+# List of IP addresses of all the proxies present in the cluster.
+# SIP requests coming from these addresses won't be challenged by
+# the authentication module and will not be limited by the DosProtection
+# module.
+# Default: 
+#nodes=
+
+# Transport to use for communication with the other proxies of the
+# cluster.
+# This is only useful when no transport declared in 'global/transport'
+# parameter can be used to reach the other proxies (e.g. when inter-proxy
+# communications are to be made through a private network).
+# Example: sip:10.0.0.8:5059;transport=tcp
+# Default: 
+#internal-transport=
+
+
+
+
+
+
+##
+## Should the server be registered on a local domain, to be accessible
+## via multicast DNS.
+##
+[mdns-register]
+
+# Enable multicast DNS register
+# Default: false
+#enabled=false
+
+# Priority of this instance, lower value means more 'preferred'.
+# 'n': priority of n (example: 10)
+# 'n-m': random priority between n and m (example: 10-50)
+# Default: 0
+#mdns-priority=0
+
+# A relative weight for Flexisip instances with the same priority.
+# Higher values means more 'preferred'.
+# For example, if two Flexisip instances are registered on the same
+# local domain with one at '20' and the other at '80', then 20%
+# of the traffic will be redirected to the first instance and 80%
+# to the other one.
+# The sum of all the weights of Flexisip instances on the same local
+# domain must be 100.
+# Default: 100
+#mdns-weight=100
+
+# Time To Live of any mDNS query that will ask for this Flexisip
+# instance
+# Default: 3600
+# Default unit: millisecond
+#mdns-ttl=3600
+
+
+
+
+
+
+##
+## Event logs contain per domain and user information about processed
+## registrations, calls and messages.
+## See: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Event%20logs%20and%20queries/
+## for architecture and queries.
+##
+[event-logs]
+
+# Enable event logs.
+# Default: false
+#enabled=false
+
+# Define logger for storing logs. It supports "filesystem", "database"
+# and "flexiapi".
+# Default: filesystem
+#logger=filesystem
+
+# Directory where event logs are written as a filesystem (case when
+# filesystem output is chosen).
+# Default: /var/log/flexisip
+#filesystem-directory=/var/log/flexisip
+
+# Type of backend that Soci will use for the connection.
+# Depending on your Soci package and the modules you installed,
+# the supported databases are:`mysql`, `sqlite3` and `postgresql`
+# Default: mysql
+#database-backend=mysql
+
+# Configuration parameters of the backend.
+# The basic format is "key=value key2=value2". For a mysql backend,
+# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
+# Please refer to the Soci documentation of your backend, for instance:
+# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features
+# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
+#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'
+
+# Amount of queries that will be allowed to be queued before bailing
+# password requests.
+# This value should be chosen accordingly with 'database-nb-threads-max',
+# so that you have a coherent behavior.
+# This limit is here mainly as a safeguard against out-of-control
+# growth of the queue in the event of a flood or big delays in the
+# database backend.
+# Default: 100
+#database-max-queue-size=100
+
+# Maximum number of threads for writing in database.
+# If you get a `database is locked` error with sqlite3, you must
+# set this variable to 1.
+# Default: 10
+#database-nb-threads-max=10
+
+# Domain name or IP address of the FlexiAPI host. This setting will
+# be used in combination with flexiapi-port and -prefix to contact
+# the API located at <flexiapi-host>:<flexiapi-port><flexiapi-prefix>
+# Default: localhost
+#flexiapi-host=localhost
+
+# Port on the FlexiAPI host. See `flexiapi-host` for details.
+# Default: 443
+#flexiapi-port=443
+
+# Path prefix for FlexiAPI requests. See `flexiapi-host` for details.
+# Default: /api/stats/
+#flexiapi-prefix=/api/stats/
+
+# API authentication key for the FlexiAPI
+# Default: 
+#flexiapi-api-key=
+
+
+
+
+
+
+##
+## STUN server parameters.
+##
+[stun-server]
+
+# Enable or disable stun server.
+# Default: true
+#enabled=true
+
+# Local ip address where to bind the socket.
+# Default: 0.0.0.0
+#bind-address=0.0.0.0
+
+# STUN server port number.
+# Default: 3478
+#port=3478
+
+
+
+
+
+
+##
+## Flexisip presence server parameters.
+##
+[presence-server]
+
+# Enable presence server
+# Default: true
+#enabled=true
+
+# List of white space separated SIP URIs where the presence server
+# must listen. Must not be tls.
+# Default: sip:127.0.0.1:5065;transport=tcp
+#transports=sip:127.0.0.1:5065;transport=tcp
+
+# Default expires of PUBLISH request.
+# Default: 600
+# Default unit: second
+#expires=600
+
+# Max number of presentity sent in a single NOTIFY by default.
+# Default: 200
+#notify-limit=200
+
+# Enable long-term presence notifies
+# Default: false
+#long-term-enabled=false
+
+# Soci connection string for the resource list database.
+# Default: 
+#rls-database-connection=
+
+# SQL request to obtain the list of the users corresponding to an
+# resource list subscription.
+# Named parameters are:
+#  * ':from' : the URI of the sender of the SUBSCRIBE. (mandatory)
+#  * ':to' : the URI of the users list which the sender want to
+#    subscribe to. (mandatory)
+#    
+# Default: 
+#rls-database-request=
+
+# Max number of threads.
+# Default: 50
+#rls-database-max-thread=50
+
+# Max legnth of threads queue.
+# Default: 50
+#rls-database-max-thread-queue-size=50
+
+# Soci SQL request used to obtain the username associated with a
+# phone alias.
+# The string MUST contains the ':phone' keyword which will be replaced
+# by the phone number to look for.
+# The result of the request is a 1x1 table containing the name of
+# the user associated with the phone number.
+# 
+# Example: select login from accounts where phone = :phone 
+# Default: 
+#soci-user-with-phone-request=
+
+# Same as 'soci-user-with-phone-request' but allows to fetch several
+# users by a unique SQL request.
+# The string MUST contains the ':phones' keyword which will be replaced
+# by the list of phone numbers to look for. Each element of the
+# list is seperated by a comma character and is protected by simple
+# quotes (e.g. '0336xxxxxxxx','0337yyyyyyyy','034zzzzzzzzz').
+# If you use phone number linked accounts you'll need to select
+# login, domain, phone in your request for flexisip to work.
+# Example: select login, domain, phone from accounts where phone
+# in (:phones)
+# Default: 
+#soci-users-with-phones-request=
+
+# Maximum number of presence element by identity saved in memory.
+# Default: 10
+#max-presence-elements=10
+
+# Duration in milliseconds during which the last activity is kept
+# in memory. Default is 1 day.
+# Default: 86400000
+#last-activity-retention-time=86400000
+
+
+
+
+
+
+##
+## Flexisip conference server parameters.
+## The Flexisip conference server manages group chat and audio/video
+## conferences.
+## It follows the concepts of RFC4579 for conference establishment
+## and management. Factory and focus URIs must be configured.
+## The server requires a MariaDB/MySQL database in order to store
+## chatroom or conference states (participants and their devices).
+## For chatting capabilities, the server requires a Registrar backend
+## (see section module::Registrar) to discover devices (or client
+## instances) of each participant. This requirement creates an explicit
+## dependency on the Flexisip proxy server. Please note that this
+## dependency is not required for audio/video conferences.
+##
+[conference-server]
+
+# Enable conference server
+# Default: true
+#enabled=true
+
+# Unique SIP URI on which the server is listening.
+# Default: sip:127.0.0.1:6064;transport=tcp
+#transport=sip:127.0.0.1:6064;transport=tcp
+
+# List of SIP URIs used by clients to create conferences. This implicitly
+# defines the list of SIP domains managed by the conference server.
+# Example:
+# sip:conference-factory@sip.linphone.org sip:conference-factory@sip.linhome.org
+# Default: 
+#conference-factory-uris=
+
+# List of template focus URIs to use when conferences are created
+# through the conference factory.
+# Focus URIs are unique SIP URIs targeting a specific conference.
+# A 'conf-id' URI parameter providing uniqueness is automatically
+# appended at runtime. Example, setting:
+# conference-focus-uris=sip:conference-focus@sip.linphone.org
+# instructs the server to generate conference URIs in the form of
+# 'sip:conference-focus@sip.linphone.org;conf-id=<random string>'
+# when a client requests to create a conference.
+# Default: 
+#conference-focus-uris=
+
+# The SIP proxy URI to which the server will send all outgoing requests.
+# Default: sip:127.0.0.1:5060;transport=tcp
+#outbound-proxy=sip:127.0.0.1:5060;transport=tcp
+
+# Domains managed by the local SIP service, i.e. domains for which
+# user registration information can be found directly in the local
+# registrar database (Redis database).
+# For external domains (not in this list), a 'reg' SUBSCRIBE (RFC3680)
+# will be emitted. It is not necessary to list domains that appear
+# in the 'conference-factory-uris' property. They are assumed to
+# be local domains already.
+# Example: sip.linphone.org conf.linphone.org linhome.org
+# Default: 
+#local-domains=
+
+# Audio port to use for RTP and RTCP traffic. You can set a specific
+# port, a range of ports or let the server ask the kernel for an
+# available port (special value: 0).
+# Examples: 'audio-port=0' or 'audio-port=12345' or 'audio-port=1024-65535'
+# Default: 0
+#audio-port=0
+
+# Video port to use for RTP and RTCP traffic. You can set a specific
+# port, a range of ports or let the server ask the kernel for an
+# available port (special value: 0).
+# Examples: 'video-port=0' or 'video-port=12345' or 'video-port=1024-65535'
+# Default: 0
+#video-port=0
+
+# Type of database the server will use to store chat room and conference
+# data. Provided that the required Soci modules are installed, the
+# supported databases are: `mysql`, `sqlite3`
+# Default: mysql
+#database-backend=mysql
+
+# Configuration parameters of the database to store chat room and
+# conference data.
+# The basic format is "key=value key2=value2".For MySQL, the following
+# is a valid configuration: db='mydb' user='myuser' password='mypass'
+# host='myhost.com'.
+# Please refer to the Soci documentation of your selected backend:
+# https://soci.sourceforge.net/doc/release/3.2/backends/mysql.html
+# https://soci.sourceforge.net/doc/release/3.2/backends/sqlite3.html
+# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
+#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'
+
+# True to make the server check device capabilities before inviting
+# them to a session.
+# The capability check is currently limited to Linphone clients
+# that put a '+org.linphone.specs' contact parameter. This parameter
+# indicates whether they support group chat and secured group chat
+# or not.
+# Default: true
+#check-capabilities=true
+
+# List of media types supported by the server.
+# This allows to specify if this instance is able to provide chat
+# services or audio/video conference services, or both.
+# Valid values: audio, video, text.
+# Example: audio video text
+# Default: text
+#supported-media-types=text
+
+# Type of media encryption the server will offer when calling participants
+# to an audio or video conference.
+# Valid values: none, sdes, zrtp, dtls.
+# Default: none
+#encryption=none
+
+# Public host name or IP addresses of the server.
+# Setting this parameter is required when the conference server
+# is deployed behind a firewall. This way, public IP address (v4,
+# v6) can be advertised in SDP, as ICE server-reflexive candidates
+# in order for the server to receive RTP media packets from clients.
+# If no hostname is given, the v4 and v6 IP addresses can be listed,
+# in any order. It is not possible to configure several v4 addresses
+# or several v6 addresses.
+# Example:
+# nat-addresses=conference.linphone.org
+# nat-addresses=5.135.31.160   2001:41d0:303:3aee::1
+# Default: 
+#nat-addresses=
+
+# Server shall delete chat rooms that have no registered participants.
+# Default: true
+#empty-chat-room-deletion=true
+
+# Directory where the server state files are stored.
+# 
+# Default: /var/opt/belledonne-communications/lib/flexisip
+#state-directory=/var/opt/belledonne-communications/lib/flexisip
+
+# Server will kill all incoming calls that last longer than the
+# defined value.
+# Special value 0 disables this feature.
+# Default: 0
+# Default unit: second
+#call-timeout=0
+
+
+
+
+
+
+##
+## Flexisip RegEvent server parameters.
+## This server is in charge of responding to SIP SUBSCRIBE requests
+## for the 'reg' event as defined by RFC3680 (https://tools.ietf.org/html/rfc3680).
+## It relies on the registrar database setup in the 'module::Registrar'
+## section to generate outgoing NOTIFY requests
+##
+[regevent-server]
+
+# SIP URI on which the server is listening on.
+# WARNING: only 'TCP' transport is supported.
+# Default: sip:127.0.0.1:6065;transport=tcp
+#transport=sip:127.0.0.1:6065;transport=tcp
+
+
+
+
+
+
+##
+## Flexisip back-to-back user agent (B2BUA) server parameters.
+##
+[b2bua-server]
+
+# The type of application that will handle calls bridged through
+# the server. Possible values:
+# - `trenscrypter` Bridge different encryption types on both ends
+# transparently.
+# - `sip-bridge` Bridge calls through an external SIP provider.
+# (e.g. for PSTN gateways)
+# Default: trenscrypter
+#application=trenscrypter
+
+# Unique SIP URI on which the server is listening.
+# Default: sip:127.0.0.1:6067;transport=tcp
+#transport=sip:127.0.0.1:6067;transport=tcp
+
+# Audio port to use for RTP and RTCP traffic. You can set a specific
+# port, a range of ports or let the server ask the kernel for an
+# available port (special value: 0).
+# Examples: 'audio-port=0' or 'audio-port=12345' or 'audio-port=1024-65535'
+# Default: 0
+#audio-port=0
+
+# Video port to use for RTP and RTCP traffic. You can set a specific
+# port, a range of ports or let the server ask the kernel for an
+# available port (special value: 0).
+# Examples: 'video-port=0' or 'video-port=12345' or 'video-port=1024-65535'
+# Default: 0
+#video-port=0
+
+# Value of User-Agent header. Use the following syntax: <name>[/<version>]
+# where <version> can bet set to '{version}' that is a placeholder
+# for the Flexisip version.
+# It is also used by the module::B2bua to decide if requests should
+# be forwarded to the B2BUA server or not.
+# Default: Flexisip-B2BUA/{version}
+#user-agent=Flexisip-B2BUA/{version}
+
+# Directory where to store server local files
+# 
+# Default: /var/opt/belledonne-communications/flexisip/b2b
+#data-directory=/var/opt/belledonne-communications/flexisip/b2b
+
+# The SIP proxy URI to which the server will send all outgoing requests.
+# Default: sip:127.0.0.1:5060;transport=tcp
+#outbound-proxy=sip:127.0.0.1:5060;transport=tcp
+
+# Duration after which the server will terminate a call if no RTP
+# packets are received from the other call participant. For performance
+# reasons, this parameter cannot be disabled.
+# Default: 30
+# Default unit: second
+#no-rtp-timeout=30
+
+# The server will terminate any bridged call that has been running
+# for longer than this amount of time.
+# Set to 0 to disable and let calls run unbounded.
+# Default: 0
+# Default unit: second
+#max-call-duration=0
+
+# Force outgoing video call to use the specified codec. Leave empty
+# to disable this feature.
+# Warning: all outgoing calls will only list this codec, which means
+# incoming calls must use it too.
+# Default: 
+#video-codec=
+
+# The server shall use a separate connection (port) for each (external)
+# account it manages.
+# This can be used to work around DoS protection and rate-limiting
+# systems on external proxies.
+# Default: false
+#one-connection-per-account=false
+
+
+
+
+
+
+##
+## External SIP Provider Bridge parameters.
+##
+[b2bua-server::sip-bridge]
+
+# Path to a file containing the accounts to use for external SIP
+# bridging, organised by provider, in JSON format.
+# Here is a template of what should be in this file:
+# {
+# 	"schemaVersion": 2,
+# 	"providers": [
+# 		{
+# 			"name": "<user-friendly provider name for CLI output>",
+# 			"accountPool": "<name of an account pool described below>",
+# 			"triggerCondition": {
+# 				"strategy": "<MatchRegex|Always>"
+# 				"pattern": "<MatchRegexParam: regex>"
+# 			},
+# 			"accountToUse": {
+# 				"strategy": "FindInPool|Random",
+# 				"by": "<FindInPoolParam: alias|uri>",
+# 				"source": "<FindInPoolParam: {from}|{to}|{sip:{incoming.to.user}@{account.sipIdentity.hostport}{incoming.to.uriParameters}}>"
+# 			},
+# 			"onAccountNotFound": "nextProvider|decline",
+# 			"outgoingInvite": {
+# 				"to": "<{account.alias}|sip:{incoming.to.user}@{account.sipIdentity.hostport}{incoming.to.uriParameters}>",
+# 				"from": "<optional: {account.sipIdentity}|{sip:{incoming.from.user}@{account.sipIdentity.hostport}{incoming.from.uriParameters}>",
+# 				"outboundProxy": "<optional: sip:flexisip.example.org;transport=tcp>",
+# 				"enableAvpf": <optional: true|false>,
+# 				"mediaEncryption": "<optional: zrtp|sdes|dtls-srtp|none>"
+# 			}
+# 		}
+# 	],
+# 	"accountPools": {
+# 		"<name of account pool>": {
+# 			"outboundProxy": "<sip:some.provider.example.com;transport=tls>",
+# 			"registrationRequired": <true,false>,
+# 			"registrationThrottlingRateMs": <optional: number>,
+# 			"unregisterOnServerShutdown": <optional: true|false>,
+# 			"maxCallsPerLine": <number>,
+# 			"loader": {
+# 				"dbBackend": "<mysql|sqlite3>",
+# 				"initQuery": "<SQL query>"
+# 				"updateQuery": "<SQL query>",
+# 				"connection": "<db=sip_accounts user='flexisip-b2bua' password='secret'
+# host=db.example.org>"
+# 			}
+# 		},
+# 		"<name of another account pool>": {
+# 			"outboundProxy": "<sip:some.provider.example.com;transport=tls>",
+# 			"registrationRequired": <true,false>,
+# 			"registrationThrottlingRateMs": <optional: number>,
+# 			"unregisterOnServerShutdown": <optional: true|false>,
+# 			"maxCallsPerLine": <number>,
+# 			"loader": [
+# 				{
+# 					"uri": "<sip:account1@some.provider.example.com>",
+# 					"userid": "<optional: (e.g. an API key)>"
+# 					"secretType": "<registrationRequiredParam: ha1|clrtxt>",
+# 					"secret": "<registrationRequiredParam: password or API token>"
+# 					"realm": "<optional: realm.some.provider.example.com>"
+# 					"alias": "<optional: sip:anotherAccount1@some.provider.example.com>
+# 					"outboundProxy": "<optional: sip:another.providerOverridingPreviousOne.example.com;transport=tls>",
+# 				}
+# 			]
+# 		}
+# 	}
+# }
+# Full documentation is available here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Back-to-back%20User%20Agent%20%28b2bua%29/SIP%20Bridge/#sip-bridge
+# 
+# Default: example-path.json
+#providers=example-path.json
+
+
+
+
+
+
+##
+## Encryption transcoder bridge parameters.
+##
+[b2bua-server::trenscrypter]
+
+# Select the call outgoing encryption mode, this is a list of regular
+# expressions and encryption mode.
+# Valid encryption modes are: zrtp, dtls-srtp, sdes, none.
+# 
+# The list is formatted in the following mode:
+# mode1 regex1 mode2 regex2 ... moden regexn
+# regex use posix syntax, any invalid one is skipped
+# Each regex is applied, in the given order, on the callee sip uri(including
+# parameters if any). First match found determines the encryption
+# mode. if no regex matches, the incoming call encryption mode is
+# used.
+# 
+# Example: zrtp .*@sip\.secure-example\.org dtsl-srtp .*dtls@sip\.example\.org
+# zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org
+# In this example: the address is matched in order with
+# .*@sip\.secure-example\.org so any call directed to an address
+# on domain sip.secure-example-org uses zrtp encryption mode
+# .*dtls@sip\.example\.org any call on sip.example.org to a username
+# ending with dtls uses dtls-srtp encryption mode
+# .*zrtp@sip\.example\.org any call on sip.example.org to a username
+# ending with zrtp uses zrtp encryption mode
+# The previous example will fail to match if the call is directed
+# to a specific device(having a GRUU as callee address)
+# To ignore sip URI parameters, use (;.*)? at the end of the regex.
+# Example: .*@sip\.secure-example\.org(;.*)?
+# Default:Selected encryption mode(if any) is enforced and the call
+# will fail if the callee does not support this mode
+# Default: 
+#outgoing-enc-regex=
+
+# Outgoing SRTP crypto suite in SDES encryption mode:
+# Select the call outgoing SRTP crypto suite when outgoing encryption
+# mode is SDES, this is a list of regular expressions and crypto
+# suites list.
+# Valid srtp crypto suites are :
+# AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
+# AES_192_CM_HMAC_SHA1_80, AES_192_CM_HMAC_SHA1_32 // currently
+# not supported
+# AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_80
+# AEAD_AES_128_GCM, AEAD_AES_256_GCM
+# 
+# The list is formatted in the following mode:
+# cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... crytoSuiteListn
+# regexn
+# with cryptoSuiteList being a ; separated list of crypto suites.
+# 
+# Regex use posix syntax, any invalid one is skipped
+# Each regex is applied, in the given order, on the callee sip uri(including
+# parameters if any). First match found determines the crypto suite
+# list used.
+# 
+# if no regex matches, core setting is applied
+# or default to AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
+# when no core setting is available
+# 
+# Example:
+# AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org
+# AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org
+# 
+# In this example: the address is matched in order with
+# .*@sip\.secure-example\.org so any call directed to an address
+# on domain sip.secure-example-org uses AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
+# suites (in that order)
+# .*@sip\.example\.org any call directed to an address on domain
+# sip.example.org use AES_CM_128_HMAC_SHA1_80 suite
+# The previous example will fail to match if the call is directed
+# to a specific device(having a GRUU as callee address)
+# To ignore sip URI parameters, use (;.*)? at the end of the regex.
+# Example: .*@sip\.secure-example\.org(;.*)?
+# Default:
+# Default: 
+#outgoing-srtp-regex=
+
+
+
+
+
+
+##
+## Ban users when they send too much packets within a given timeframe.
+## Execute "iptables -L" to see the list of currently banned IPs/ports.
+##
+[module::DoSProtection]
+
+# Indicate whether the module is activated.
+# Default: true
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# Time to consider to compute the packet rate
+# Default: 3000
+# Default unit: millisecond
+#time-period=3000
+
+# Maximum packet rate in packets/seconds, averaged over [time-period]
+# millisecond(s) to consider it as a DoS attack.
+# Default: 20
+#packet-rate-limit=20
+
+# Time duration for which an ip/port is banned.
+# Default: 2
+# Default unit: minute
+#ban-time=2
+
+# Name of the chain the server will create to store banned IPs
+# Default: FLEXISIP
+#iptables-chain=FLEXISIP
+
+# List of IP addresses or hostnames for which no DoS protection
+# is applied. This is typically for trusted servers from which it
+# is planned to receive high traffic. Please note that nodes from
+# the local Flexisip cluster (see [cluster] section) are automatically
+# added to the white list, as well as 127.0.0.1 and ::1.
+# Example:
+# white-list=sip.example.org sip.linphone.org 15.128.128.93
+# Default: 
+#white-list=
+
+
+
+
+
+
+##
+## The SanitChecker module checks that required fields of a SIP message
+## are present to avoid unecessary checking while processing message
+## further.
+## If the message doesn't meet these sanity check criterias, then
+## it is stopped and bad request response is sent.
+##
+[module::SanityChecker]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+
+
+
+
+
+##
+## The GarbageIn module collects incoming garbage and prevent any
+## further processing.
+##
+[module::GarbageIn]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: false
+#filter=false
+
+
+
+
+
+
+##
+## Enable this module in order the proxy replies to OPTION requests
+## by “200 Ok”. Today, no supported header is added in the response,
+## so this mechanism cannot be used for capabilities introspection.
+## If the module is disabled, the request will be silently discarded.
+##
+[module::Capabilities]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+
+
+
+
+
+##
+## The NatHelper module executes small tasks to make SIP work smoothly
+## despite firewalls and NATs. There are two strategies available:
+## "contact-correction" and "flow-token".
+## Contact-Correction: corrects Contact headers that contain obviously
+## inconsistent addresses.
+## Flow-Token: add routing information in the Record-Routes as defined
+## in RFC 5626.
+## Both methods ensure that subsequent requests are correctly routed
+## by the proxy through the same UDP or TCP channel used for the
+## initial request.
+##
+[module::NatHelper]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# Strategy to manage client-initiated connections when SIP messages
+# are routed through NATs. You can choose between "contact-correction"
+# and "flow-token".
+# Default: contact-correction
+#nat-traversal-strategy=contact-correction
+
+# Boolean expression in order to force the use of flow-token under
+# specific conditions. This expression is only evaluated if the
+# "flow-token" strategy is used.
+# 
+# Default: user-agent contains 'Linphone'
+#force-flow-token=user-agent contains 'Linphone'
+
+# Path to the file containing the hash key used to hash flow tokens.
+# Default: /var/opt/belledonne-communications/lib/flexisip/flow-token-hash-key
+#flow-token-path=/var/opt/belledonne-communications/lib/flexisip/flow-token-hash-key
+
+# Internal URI parameter added to response contact by first proxy
+# and cleaned by last one. It indicates if the contact was already
+# verified and corrected.
+# Default: verified
+#contact-correction-param=verified
+
+# Fix record-routes, to workaround proxies behind firewalls but
+# not aware of it.
+# Default: false
+#fix-record-routes=false
+
+# Policy to recognize NATed record-route and fix them. There are
+# two modes: 'safe' and 'always'
+# Default: safe
+#fix-record-routes-policy=safe
+
+
+
+
+
+
+##
+## The authentication module challenges and authenticates SIP requests
+## using two possible methods:
+##  * if the request is received via a TLS transport and 'require-peer-certificate'
+##    is set in transport definition in [Global] section for this transport,
+##    then the From header of the request is matched with the CN claimed
+##    by the client certificate. The CN must contain sip:user@domain
+##    or alternate name with URI=sip:user@domain corresponding to the
+##    URI in the from header for the request to be accepted. Optionnaly,
+##    the property tls-client-certificate-required-subject may contain
+##    a regular expression for additional checks to execute on certificate
+##    subjects.
+##  * if no TLS client based authentication can be performed, or
+##    has failed, then a SIP digest authentication is performed. The
+##    password verification is made by querying a database or a password
+##    file on disk.
+##
+[module::Authentication]
+
+# Indicate whether the module is activated.
+# Default: false
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# List of whitespace-separated IP addresses which will be judged
+# as trustful. Messages coming from these addresses won't be challenged.
+# Default: 
+#trusted-hosts=
+
+# List of whitespace separated domains to challenge. Others are
+# automatically denied. The wildcard domain '*' is accepted, which
+# means that requests are challenged whatever the originating domain
+# is. This is convenient for a proxy serving multiple SIP domains.
+# 
+# Default: localhost
+auth-domains=<%= @flexisip_domain %>
+
+# List of digest algorithms to use for password hashing. Think this
+# setting as filter applied after fetching the credentials of a
+# user from the user database. For example, if a user has its password
+# hashed by MD5 and SHA-256 but 'available-algorithms' only has
+# MD5, then only a MD5-based challenged will be submitted to the
+# UAC.
+# Furthermore, should a user have several hashed passwords and these
+# are present in the list, then a challenge header will be put in
+# the 401 response for each fetched password in the order given
+# by the list.
+# Supported algorithms are MD5 and SHA-256.
+# Default: MD5
+#available-algorithms=MD5
+
+# Disable the QOP authentication method. Default is to use it, use
+# this flag to disable it if needed.
+# Default: false
+#disable-qop-auth=false
+
+# Don't reply 403 when authentication fails. Instead, generate a
+# new 401 (or 407) response containing a new challenge.
+# Default: false
+#no-403=false
+
+# Expiration time before generating a new nonce.
+# Default: 3600
+# Default unit: second
+#nonce-expires=3600
+
+# The realm to use for digest authentication. It will used whatever
+# the domain of the From-URI.
+# If the value starts with 'regex:', then this parameter will have
+# the same effect than 'realm-regex', using all the remaining string
+# as regular expression.
+# WARNING: this parameter is exclusive with 'realm-regex'
+# 
+# Examples:
+# 	realm=sip.example.org
+# 	realm=regex:sip:.*@sip\.(.*)\.com
+# 
+# Default: 
+#realm=
+
+# Extraction regex applied on the URI of the 'from' header (or P-Preferred-Identity
+# header if present) in order to extract the realm. The realm is
+# found out by getting the first slice of the URI that matches the
+# regular expression. If it has one or more capturing parentheses,
+# the content of the first one is used as realm.
+# If no regex is specified, then the realm will be the domain part
+# of the URI.
+# 
+# For instance, given auth-domains=sip.example.com, you might use
+# 'sip:.*@sip\.(.*)\.com' in order to use 'example' as realm.
+# 
+# WARNING: this parameter is exclusive with 'realm'
+# Default: 
+#realm-regex=
+
+# If set to true, the module will simply reject with "403 forbidden"
+# any request coming from clients which have presented a bad TLS
+# certificate (regardless of reason: improper signature, unmatched
+# subjects). Otherwise, the module will fallback to a digest authentication.
+# This policy applies only for transports configured which have
+# 'required-peer-certificate=1' parameter; indeed no certificate
+# is requested to the client otherwise. 
+# Default: false
+#reject-wrong-client-certificates=false
+
+# An optional regular expression used to accept or deny a request
+# basing on subject fields of the client certificate. The request
+# is allowed if one of the subjects matches the regular expression.
+# The list of subjects to check is built by extracting the following
+# fields, in order:
+# 	subjectAltNames.DNS, subjectAltNames.URI, subjectAltNames.IP
+# and CN
+# Default: 
+#tls-client-certificate-required-subject=
+
+# Accept requests which the client certificate enables to trust
+# the domaine of its Request-URI.
+# Default: false
+#trust-domain-certificates=false
+
+# When receiving a proxy authenticate challenge, generate a new
+# challenge for this proxy.
+# Default: false
+#new-auth-on-407=false
+
+# Database backend implementation for digest authentication [soci,file].
+# Default: file
+db-implementation=file
+
+# Duration of the validity of the credentials added to the cache.
+# Default: 1800
+# Default unit: second
+#cache-expire=1800
+
+# Path of the file in which user credentials are stored.
+# The file must start with 'version:1' as the first line, and then
+# contains lines in the form of:
+# user@domain clrtxt:clear-text-password md5:md5-password sha256:sha256-password
+# ;
+# For example: 
+# bellesip@sip.linphone.org clrtxt:secret ;
+# bellesip@sip.linphone.org md5:97ffb1c6af18e5687bf26cdf35e45d30
+# ;
+# bellesip@sip.linphone.org clrtxt:secret md5:97ffb1c6af18e5687bf26cdf35e45d30
+# sha256:d7580069de562f5c7fd932cc986472669122da91a0f72f30ef1b20ad6e4f61a3
+# ;
+# Default: 
+file-path=/etc/flexisip/users.db.txt
+
+# Choose the type of backend that Soci will use for the connection.
+# Depending on your Soci package and the modules you installed,
+# this could be 'mysql', 'oracle', 'postgresql' or something else.
+# Default: mysql
+#soci-backend=mysql
+
+# The configuration parameters of the Soci backend.
+# The basic format is "key=value key2=value2". For a mysql backend,
+# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
+# Please refer to the Soci documentation of your backend, for intance:
+# http://soci.sourceforge.net/doc/release/4.0/backends/mysql/
+# Default: db=mydb user=myuser password='mypass' host=myhost.com
+#soci-connection-string=db=mydb user=myuser password='mypass' host=myhost.com
+
+# Soci SQL request used to obtain the password of a given user.
+# Each keywords starting with ':' character will be replaced by
+# strings extracted from the SIP request to authenticate.
+# 
+# Only these keywords are supported: - ':id'     : the user found
+# in the from header (mandatory)
+#  - ':domain' : the authorization realm
+#  - ':authid' : the authorization username
+# 
+# The request MUST returns a two-columns table, which columns are
+# defined as follow:
+#  - 1st column: hashed password of the user or plain password if
+#    the associated algorithm is CLRTXT.
+#  - 2nd column: the algorithm used to hash the associated password.
+#    Supported values: 'CLRTXT', 'MD5', 'SHA-256'
+# 
+# Examples:
+#  - the password and algorithm are both available in the database
+# 	select password, algorithm from accounts where login = :id and
+# domain = :domain
+# 
+#  - all the passwords from the database are MD5
+# 	select password, 'MD5' from accounts where login = :id and domain
+# = :domain
+# Default: select password, 'MD5' from accounts where login = :id and domain = :domain
+#soci-password-request=select password, 'MD5' from accounts where login = :id and domain = :domain
+
+# Amount of queries that will be allowed to be queued before bailing
+# password requests.
+# This value should be chosen accordingly with 'soci-poolsize',
+# so that you have a coherent behavior.
+# This limit is here mainly as a safeguard against out-of-control
+# growth of the queue in the event of a flood or big delays in the
+# database backend.
+# Default: 1000
+#soci-max-queue-size=1000
+
+# Size of the pool of connections that Soci will use. A thread is
+# opened for each DB query, and this pool will allow each thread
+# to get a connection.
+# The threads are blocked until a connection is released back to
+# the pool, so increasing the pool size will allow more connections
+# to occur simultaneously.
+# On the other hand, you should not keep too many open connections
+# to your DB at the same time.
+# Default: 100
+#soci-poolsize=100
+
+
+
+
+
+
+##
+## This module redirect sip requests with a 302 move temporarily.
+##
+[module::Redirect]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# A contact where to redirect requests. ex: <sip:127.0.0.1:5065>;expires=100
+# Default: 
+#contact=
+
+
+
+
+
+
+##
+## This module is in charge of routing 'reg' event SUBSCRIBE requests
+## to the flexisip-regevent server.
+##
+[module::RegEvent]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# A sip uri where to send all the reg-event related requests.
+# Default: sip:127.0.0.1:6065;transport=tcp
+#regevent-server=sip:127.0.0.1:6065;transport=tcp
+
+
+
+
+
+
+##
+## This module is in charge of intercepting requests and routing
+## them to the back-to-back user agent server.
+## Requests filtering is based on the "User-Agent" header value,
+## thus 'b2bua-server/user-agent' values must match both on Proxy
+## and B2BUA servers.
+##
+[module::B2bua]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# A sip uri where to send all the relevant requests.
+# Default: sip:127.0.0.1:6067;transport=tcp
+#b2bua-server=sip:127.0.0.1:6067;transport=tcp
+
+
+
+
+
+
+##
+## This module transfers SIP presence messages, like subscribe/notify/publish
+## to a presence server.
+##
+[module::Presence]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
+#filter=is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
+
+# A SIP URI where to send all presence related requests.
+# Default: sip:127.0.0.1:5065;transport=tcp
+#presence-server=sip:127.0.0.1:5065;transport=tcp
+
+# If true, only manage list subscription.
+# Default: false
+#only-list-subscription=false
+
+# When getting the list of users with phones, if this setting is
+# enabled, it will limit the results to the ones that have the same
+# domain.
+# Default: false
+#check-domain-in-presence-results=false
+
+
+
+
+
+
+##
+## The Registrar module handles REGISTER requests for domains it
+## is in charge of. It stores the address of record (AOR) in order
+## to allow routing requests intended to the client who registered.
+## REGISTER requests for other domains are simply ignored and transferred
+## to the next module.
+##
+[module::Registrar]
+
+# Indicate whether the module is activated.
+# Default: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# List of whitespace separated domain names which the registar is
+# in charge of. It can eventually be the '*' (wildcard) in order
+# to match any domain name.
+# Default: localhost
+reg-domains=<%= @flexisip_domain %>
+
+# Register users based on response obtained from a back-end server.
+# This mode is for using flexisip as a front-end server to hold
+# client connections but registeracceptance is deferred to backend
+# server to which the REGISTER is routed.
+# Default: false
+#reg-on-response=false
+
+# Maximum number of registered contacts per address of record.
+# Default: 12
+#max-contacts-by-aor=12
+
+# Limits the number of authorized "Contact:" headers in a REGISTER
+# request. If the number of "Contact:" headers exceeds this limit,
+# the request is rejected.
+# Default: 12
+#max-contacts-per-registration=12
+
+# List of contact URI parameters that can be used to identify a
+# user's device. The contact parameters are searched in the order
+# of the list, the first matching parameter is used and the others
+# ignored.
+# Default: +sip.instance pn-tok line
+#unique-id-parameters=+sip.instance pn-tok line
+
+# When supported by the client, assign a pub-gruu address to the
+# client, returned in the response. 
+# Default: true
+#enable-gruu=true
+
+# Maximum expiry value for a REGISTER.
+# Default: 86400
+# Default unit: second
+#max-expires=86400
+
+# Minimum expiry value for a REGISTER.
+# Default: 60
+# Default unit: second
+#min-expires=60
+
+# Default expiry value to be used if no value has been found in
+# the request headers or in 'Contact' header parameters.
+# Default: 10min
+# Default unit: millisecond
+#default-expires=10min
+
+# Set a value that will override expiry values indicated in a 'REGISTER'
+# request. A null or negative value disables this feature. If enabled,
+# 'max-expires', 'min-expires' and 'default-expires' will not have
+# any effect.
+# Default: 0
+# Default unit: second
+#force-expires=0
+
+# File containing the static records to add to database on startup.
+# Format: one 'sip_uri contact_header' by line. Example:
+# <sip:contact@domain> <sip:127.0.0.1:5460>,<sip:192.168.0.1:5160>
+# Default: 
+#static-records-file=
+
+# Timeout after which the static records file is re-read and the
+# contacts updated.
+# Default: 600
+# Default unit: second
+#static-records-timeout=600
+
+# Implementation used for storing the contact URIs of each address
+# of record. Two backends are available:
+#  - redis : contacts are stored in a Redis database, which allows
+#    persistent and shared storage accross multiple Flexisip instances.
+#  - internal : contacts are stored in RAM. Of course, if flexisip
+#    is restarted, all the contact URIs are lost until clients update
+#    their registration.
+# The redis backend is recommended, the internal being more adapted
+# to very small deployments.
+# Default: internal
+db-implementation=internal
+
+# Hostname or address of the Redis server. 
+# Default: localhost
+#redis-server-domain=localhost
+
+# Port of the Redis server.
+# Default: 6379
+#redis-server-port=6379
+
+# ACL username used to authenticate on Redis. Empty to disable.
+# Setting this but not `redis-auth-password` is a misconfiguration,
+# and will be ignored.
+# Default: 
+#redis-auth-user=
+
+# Authentication password for Redis. Empty to disable. If set but
+# `redis-auth-user` is left unset or empty, Flexisip will attempt
+# to register in legacy mode.
+# Default: 
+#redis-auth-password=
+
+# When Redis is configured in master-slave, Flexisip will periodically
+# ask which Redis instances are the slaves and the master. This
+# is the period at which it will query the server. It will then
+# determine whether it is connected to the master, and if not, will
+# terminate the connection and migrate to the master.
+# Note: This requires that all Redis instances have the same password.
+# Otherwise authentication will fail.
+# Default: 60
+# Default unit: second
+#redis-slave-check-period=60
+
+# Tell if Flexisip should try to connect to Redis slaves if master
+# went down. Can be disabled if slaves hostname info are on private
+# network for example.
+# Default: true
+#redis-use-slaves-as-backup=true
+
+# The frequency of activation of the subscription session keep alive
+# mechanism. Flexisip will periodically ping Redis subscription
+# session. It will then determine whether it is connected, and if
+# not, will try to reconnect.
+# Default: 60
+# Default unit: second
+#redis-subscription-keep-alive-check-period=60
+
+# Sequence of proxies (space-separated) where requests will be redirected
+# through (RFC3608)
+# Default: 
+#service-route=
+
+# Name of the custom Contact header parameter which is to indicate
+# the expire time for chat message delivery.
+# Default: message-expires
+#message-expires-param-name=message-expires
+
+# If not zero, the expire time put in the 200 OK response won't
+# be the one required by the user agent, but will be slightly modified
+# by subtracting a random value. The value given by this parameter
+# is the maximum percentage of the initial expire that can be subtracted.
+# If zero, no randomization is applied. Value must be in [0, 100].
+# Default: 0
+#register-expire-randomizer-max=0
+
+
+
+
+
+
+##
+## The purpose of the StatisticsCollector module is to collect call
+## statistics (RFC 6035) and store them on the server.
+##
+[module::StatisticsCollector]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: is_request && request.method-name == 'PUBLISH'
+#filter=is_request && request.method-name == 'PUBLISH'
+
+# SIP URI of the statistics collector. Note that application/vq-rtcpxr
+# messages for this address will be deleted by this module and thus
+# not be delivered.
+# Default: 
+#collector-address=
+
+
+
+
+
+
+##
+## The Router module routes requests for domains it manages.
+## The routing algorithm is as follows: 
+##  - first skip route headers that directly point to this proxy.
+##  - if a route header is found that doesn't point to this proxy,
+##    then the request is not processed by the Router module, and will
+##    be handled by the Forward module at the end of the processing
+##    chain.
+##  - examine the request-uri: if it is part of the domains managed
+##    by this proxy (according to Registrar module 'reg-domains' definition,
+##    then attempt to resolve the request-uri from the Registrar database.
+##  - the results from the registrar database, in the form of contact
+##    headers, are sorted by priority (q parameter), if any.
+##  - for each set of contact with equal priorities, the request
+##    is forked, and sent to their corresponding sip URI. After a timeout
+##    defined by property 'call-fork-current-branches-timeout', a next
+##    set of contact header is determined.
+##  - responses are received from all attempted branches, and sent
+##    back to the request originator, according to the procedure of
+##    RFC3261 16.7 Response processing.
+## The router module offers different variations of the routing logic,
+## depending on whether it is an INVITE, a MESSAGE, or another type
+## of request. The processing of MESSAGE request essentially differs
+## from others because it allows to keep the MESSAGE for a later
+## delivery, in which case the incoming transaction will be terminated
+## with a 202 Accepted response.
+##
+[module::Router]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# Store and retrieve contacts without using the domain.
+# Default: false
+#use-global-domain=false
+
+# Fork invites to late registers.
+# Default: false
+#fork-late=false
+
+# All the forked have to decline in order to decline the caller
+# invite.
+# Default: false
+#fork-no-global-decline=false
+
+# Treat 603 Declined answers as urgent. Only relevant if fork-no-global-decline
+# is set to true.
+# Default: false
+#treat-decline-as-urgent=false
+
+# During a fork procedure, treat all failure response as urgent.
+# Default: false
+#treat-all-as-urgent=false
+
+# Maximum time for a call fork to try to reach a callee.
+# Default: 90
+# Default unit: second
+#call-fork-timeout=90
+
+# Maximum time before delivering urgent responses during a call
+# fork. The typical fork process requires to wait the best response
+# from all branches before transmitting it to the client. However
+# some error responses are retryable immediately (like 415 unsupported
+# media, 401, 407) thus it is painful for the client to need to
+# wait the end of the transaction time (32 seconds) for these error
+# codes.
+# Default: 5
+# Default unit: second
+#call-fork-urgent-timeout=5
+
+# Maximum time before trying the next set of lower priority contacts.
+# Default: 10
+# Default unit: second
+#call-fork-current-branches-timeout=10
+
+# Fork MESSAGE requests to client registering lately.
+# Default: true
+#message-fork-late=true
+
+# Maximum duration for delivering a MESSAGE request. This property
+# applies only if message-fork-late is 'true'; otherwise, the duration
+# can't exceed the normal transaction duration.
+# Default: 604800
+# Default unit: second
+#message-delivery-timeout=604800
+
+# Maximum duration for accepting a MESSAGE request if no response
+# is received from any recipients. This property is meaningful when
+# message-fork-late is set to true.
+# Default: 5
+# Default unit: second
+#message-accept-timeout=5
+
+# If 'true', the message that are waiting for delivery will be stored
+# in database instead of memory.
+# Default: false
+#message-database-enabled=false
+
+# Choose the type of backend that Soci will use for the connection.
+# Depending on your Soci package and the modules you installed,
+# the supported databases are:`mysql` (and `sqlite3` soon)
+# Default: mysql
+#message-database-backend=mysql
+
+# The configuration parameters of the backend. The basic format
+# is "key=value key2=value2". For a mysql backend, this is a valid
+# config: "db=mydb user=user password='pass' host=myhost.com". Please
+# refer to the Soci documentation of your backend, for instance:
+# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features
+# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
+#message-database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'
+
+# Size of the pool of connections that Soci will use for accessing
+# the message database.
+# Default: 100
+#message-database-pool-size=100
+
+# Default route to apply when the recipient is unreachable or when
+# when all attempted destination have failed.It is given as a SIP
+# URI, for example: sip:example.org;transport=tcp (without surrounding
+# brackets)
+# Default: 
+#fallback-route=
+
+# During a call forking, allow several INVITEs going to the same
+# next hop to be grouped into a single one. A proprietary custom
+# header 'X-target-uris' is added to the INVITE to indicate the
+# final targets of the INVITE.
+# Default: false
+#allow-target-factorization=false
+
+# Whether the proxy is allowed to generate and send provisional
+# responses during a call forking process. A typical example for
+# this is the '110 Push sent' emitted by the proxy when at least
+# one push notification has been sent to a target UA while routing
+# an INVITE. Some old versions of Linphone (below linphone-sdk 4.2)
+# suffer from an issue when receiving such kind of provisional responses
+# that don't come from a remote client. This setting is mainly intended
+# to temporarily workaround this situation.
+# Default: true
+#permit-self-generated-provisional-response=true
+
+# Whether or not to resolve next hop in route header against registrar
+# database. This is an extension to RFC3261, and should not be used
+# unless in some specific deployment cases. A next hope in route
+# header is otherwise resolved through standard DNS procedure by
+# the Forward module.
+# Default: false
+#resolve-routes=false
+
+# Whether or not to fallback to the parent domain if there is no
+# fallback route set and the recipient is unreachable. For example,
+# if routing to sip:bob@a.b.com returns no result, route the request
+# to b.com. This is also a non-standard behavior.
+# Default: false
+#parent-domain-fallback=false
+
+# Only use the fallback route if the expression is true.
+# Default: true
+#fallback-route-filter=true
+
+# Max time the proxy will retain a request in order to maintain
+# order.
+# Default: 30
+# Default unit: second
+#max-request-retention-time=30
+
+# List of sip addresses that are always added to the list of contacts
+# fetched from the registrar database when routing INVITE and MESSAGE
+# requests.
+# Default: 
+#static-targets=
+
+
+
+
+
+
+##
+## The PushNotification module sends push notifications to mobile
+## phone notification systems: apple, firebase (android), as well
+## as generic HTTP GET/POST APIs (custom server to which actual sending
+## of the notification is delegated). Push notifications are sent
+## when an INVITE or MESSAGE request is not answered by thedestination
+## of the request within a certain period of time (configurable hereunder
+## by 'timeout' parameter). This module has an implicit dependency
+## on the Router module, which is in charge of creating the incoming
+## and outgoing transactions as well as the context associated with
+## the request forking process. No push notification can be sent
+## if the Router module is not enabled. The time-to-live (ttl) of
+## the push notification depends on the type of event for which the
+## push notification is sent:
+##  - If it is for a call (INVITE), ttl will be set equal to 'module::Router/call-fork-timeout',
+##    which corresponds to the maximum time for a call attempt.
+##  - If it is for an IM (MESSAGE or INVITE for a text session),
+##    ttl will be set equal to 'message-time-to-live'.
+##
+[module::PushNotification]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# Time to wait before sending a push notification to a device.
+# A negative or zero value will cause the push notification to be
+# sent immediately. This behavior is recommended as mobile devices
+# do not have a permanent connection with Flexisip most of the time.
+# Default: 0
+# Default unit: second
+#timeout=0
+
+# Time to live for the push notifications related to IM messages.
+# The default value zero is interpreted as using the same value
+# as for 'module::Router/message-delivery-timeout'.
+# Default: 0
+# Default unit: second
+#message-time-to-live=0
+
+# Maximum number of push notifications queued for each push notification
+# service.
+# Default: 100
+#max-queue-size=100
+
+# Number of push notification request retransmissions sent to a
+# client for a same event (call or message).
+# Retransmissions cease when a response is received from the client.
+# The value zero disables retransmissions.
+# Default: 0
+#retransmission-count=0
+
+# Retransmission interval for push notification requests, when a
+# 'retransmission-count' has been specified above.
+# Default: 5
+# Default unit: second
+#retransmission-interval=5
+
+# Default interval between two subsequent push notifications when
+# remote push notifications are used to notify a call invitation
+# to a client that has not published any token for VoIP and background
+# push notifications.
+# In that case, several push notifications are sent subsequently
+# until the call is picked up, declined or canceled. This parameter
+# can be overridden by the client by using the 'pn-call-remote-push-interval'
+# push parameter.
+# A value of zero deactivates push notification repetitions and
+# the sending of the final notification. Thus, only the first push
+# notification will be sent. The value must be in [0;30].
+# Default: 0
+# Default unit: second
+#call-remote-push-interval=0
+
+# If true, the following key in the payload of the push request
+# will be set:
+#  * 'from-uri': the SIP URI of the caller or the message sender.
+#  * 'display-name': the display name of the caller or the message
+#    sender.
+#  * 'loc-args': the display name if not empty or the SIP URI instead.
+# 
+# If false, the keys will be set empty.
+# Default: false
+#display-from-uri=false
+
+# Enable push notification for Apple devices.
+# Default: true
+#apple=true
+
+# Path to directory where Apple Push Notification service certificates
+# are located.
+# The file names MUST bear the appid of the application, suffixed
+# by the release mode and '.pem' extension. Examples: org.linphone.dev.pem,
+# org.linphone.prod.pem, com.somephone.dev.pem, etc... The files
+# MUST be '.pem' format, and made of certificates followed by the
+# private key.
+# This directory may also contain Voice Over IP certificates (certificates
+# to use PushKit). They MUST bear the appid of the application,
+# suffixed by the release mode and '.pem' extension, and made of
+# certificate followed by the private key. Examples: org.linphone.voip.dev.pem,
+# org.linphone.voip.prod.pem, com.somephone.voip.dev.pem, etc...
+# Default: /etc/flexisip/apn
+#apple-certificate-dir=/etc/flexisip/apn
+
+# Set the badge value to 0 for Apple push notifications.
+# Default: false
+#no-badge=false
+
+# Enable push notification for Android devices.
+# Default: true
+#firebase=true
+
+# List of pairs of <Firebase Project Number>:<Firebase Cloud Messaging
+# API (Legacy) Server Key> for each Android project that supports
+# push notifications.
+# Default: 
+#firebase-projects-api-keys=
+
+# List of pairs of <Firebase Project Number>:<Path to service account
+# json file> for each Android project that supports push notifications.
+# Default: 
+#firebase-service-accounts=
+
+# Time to execute the access token refresh operation just before
+# the current access token expires. This parameter is used to control
+# overlapping access token lifetimes.
+# Default: 300
+# Default unit: second
+#firebase-token-expiration-anticipation-time=300
+
+# Default interval to execute the access token refresh operation
+# in the event that the access token has not been successfully obtained.
+# Default: 60
+# Default unit: second
+#firebase-default-refresh-interval=60
+
+# Allows you to route push notification requests through a designated
+# server instead of directly communicating with Apple and Google
+# servers.
+# Using this setup, the server sends an HTTP request to the specified
+# server, embedding all required information within the URL. Various
+# placeholders can be used within the HTTP request URI:
+# 
+#  - $type: Type of push notification, distinguishing between Apple
+#    ('apple') and Android ('firebase') notifications.
+#  - $token: Value of the 'pn-prid' push parameter. For Apple devices,
+#    'pn-prid' may contain multiple tokens depending on the notification
+#    type ('remote' or 'voip'). In such cases, $token is replaced by
+#    the relevant token matching the notification type.
+#  - $api-key: Deprecated placeholder for the Firebase API key.
+#    It is advised that the designated server manages the authentication
+#    credentials.
+#  - $app-id: Application identifier. On Android, it matches the
+#    value of 'pn-param'. On Apple, it matches the string between the
+#    first and last dot ('.') of 'pn-param'. For example, if 'pn-param'
+#    is 'ABCD1234.org.my-app.remote&voip', $app-id becomes 'org.my-app'.
+#  - $from-name: Display name in the 'From' header of the triggering
+#    request for the push notification. Replaced by an empty string
+#    if 'display-from-uri' is false.
+#  - $from-uri: SIP URI in the 'From' header of the triggering request.
+#    Replaced by an empty string if 'display-from-uri' is false.
+#  - $from-tag: Tag of the 'From' header in the triggering request.
+#  - $to-uri: SIP URI in the 'To' header.
+#  - $call-id: Call-ID of the INVITE or MESSAGE request.
+#  - $event: Type of event that triggered the push notification
+#    ('call' for call invites, 'message' for message delivery or chatroom
+#    invitation).
+#  - $sound: For iOS only, if $event is 'call', it is the value
+#    of 'pn-call-snd' contact parameter; otherwise, it represents 'pn-msg-snd'.
+#    This allows customization of the push notification sound. If 'pn-call-snd'
+#    or 'pn-msg-snd' contact parameters were not set during user agent
+#    registration, the placeholder is replaced with 'empty'.
+#  - $msgid: For iOS only, replaced by respective contact parameter
+#    values ('pn-call-str', 'pn-msg-str', or 'pn-groupchat-str') if
+#    the triggering SIP message is a call invite, pending message,
+#    or groupchat invitation. If these parameters were not set during
+#    user agent registration, placeholders are replaced by 'IC_MSG',
+#    'IM_MSG', or 'IG_MSG'. This allows customization of the push notification
+#    title.
+#  - $uid: UUID present in the '+sip.instance' parameter value when
+#    the recipient of the push notification registered to the registrar.
+# 
+# Additionally, the text message content is included in the HTTP
+# request body as text/plain if available. Example: http://292.168.0.2/$type/$event?from-uri=$from-uri&tag=$from-tag&callid=$callid&to=$to-uri
+# Default: 
+#external-push-uri=
+
+# Method for reaching external-push-uri (typically GET or POST).
+# Default: GET
+#external-push-method=GET
+
+# Protocol used for reaching external-push-uri ('http2' or 'http'
+# (deprecated)).
+# Default: http2
+#external-push-protocol=http2
+
+# Send service push notification periodically to all devices that
+# are about to expire and should wake up to REGISTER back. The zero
+# value disables this feature. Recommended value: 30
+# Default: 0
+# Default unit: minute
+#register-wakeup-interval=0
+
+# Start sending wake-up push notifications to contacts when they
+# pass the provided percentage of their lifetime. The value MUST
+# be in [0;100]
+# Default: 50
+#register-wakeup-threshold=50
+
+
+
+
+
+
+##
+## The MediaRelay module masquerades SDP message so that all RTP
+## and RTCP streams go through the proxy. When the client has set
+## ICE candidates in the SDP offer, then the MediaRelay module will
+## automatically add ICE relay candidates. The RTP and RTCP streams
+## are then routed so that each client receives the stream of the
+## other. MediaRelay makes sure that RTP is ALWAYS established, even
+## with uncooperative firewalls.
+##
+[module::MediaRelay]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# The name of the SDP attribute to set by the first proxy to forbid
+# subsequent proxies to provide relay. Use 'disable' to disable.
+# Default: nortpproxy
+#nortpproxy=nortpproxy
+
+# The minimal value of SDP port range
+# Default: 1024
+sdp-port-range-min=<%= @flexisip_sdp_port_range_min %>
+
+# The maximal value of SDP port range
+# Default: 65535
+sdp-port-range-max=<%= @flexisip_sdp_port_range_max %>
+
+# Sends a ACK and BYE to 200Ok for INVITEs not belonging to any
+# established call. This is to solve the race condition that happens
+# when two callees answer the same call at the same time. According
+# to RFC3261, the caller is expected to send an ACK followed by
+# a BYE to the loser callee. This is not the case in RFC2543, where
+# the proxy was supposed to do this. When set to true, the MediaRelay
+# module will implement the RFC2543 behavior. Note that it may sound
+# inappropriate to bundle this property with the media relay feature.
+# However the MediaRelay module is the only one in Flexisip that
+# has the visibility of SIP dialogs, which is necessary to implement
+# this feature.
+# Default: false
+#bye-orphan-dialogs=false
+
+# Maximum concurrent calls processed by the media-relay. Calls arriving
+# when the limit is exceed will be rejected. A value of 0 means
+# no limit.
+# Default: 0
+#max-calls=0
+
+# When true, the 'c=' line and port number are set to the relay
+# ip/port even if ICE candidates are present in the request, while
+# the standard behavior is to leave the c= line and port number
+# as they are in the original offer sent by the client. This variation
+# allows callees that do not support ICE at all to benefit from
+# the media relay service.
+# Default: true
+#force-relay-for-non-ice-targets=true
+
+# Prevent media-relay ports to loop between them, which can cause
+# 100% cpu on the media relay thread. You need to set this property
+# to false if you are running test calls from clients running on
+# the same IP address as the flexisip server
+# Default: true
+#prevent-loops=true
+
+# In case multiples '183 Early media' responses are received for
+# a call, only the first one will have RTP streams forwarded back
+# to caller. This feature prevents the caller to receive 'mixed'
+# streams, but it breaks scenarios where multiple servers play early
+# media announcement in sequence.
+# Default: true
+#early-media-relay-single=true
+
+# Maximum number of relayed early media streams per call. This is
+# useful to limit the cpu usage due to early media relaying on embedded
+# systems. A value of 0 stands for unlimited.
+# Default: 0
+#max-early-media-per-call=0
+
+# Period of time after which a relayed call without any activity
+# is considered as no longer running. Activity counts RTP/RTCP packets
+# exchanged through the relay and SIP messages.
+# Default: 3600
+# Default unit: second
+#inactivity-period=3600
+
+# Force the media relay to use the public address of Flexisip to
+# relay calls. It not enabled, Flexisip will deduce a suitable IP
+# address by basing on data from SIP messages, which could fail
+# in tricky situations e.g. when Flexisip is behind a TCP proxy.
+# Default: false
+#force-public-ip-for-sdp-masquerading=false
+
+
+
+
+
+
+##
+## The purpose of the Transcoder module is to transparently transcode
+## from one audio codec to another to make the communication possible
+## between clients that do not share the same set of supported codecs.
+## Concretely, it adds all missing codecs into the INVITEs it receives,
+## and adds codecs matching the original INVITE into the 200Ok. Rtp
+## ports and addresses are masqueraded so that the streams can be
+## processed by the proxy. The transcoding job is done in the background
+## by the Mediastreamer2 library, as consequence the set of supported
+## codecs is exactly the the same as the codec set supported by Mediastreamer2,
+## including the possible plugins you may installed to extend Mediastreamer2.
+## 
+## WARNING: this module can conflict with the MediaRelay module as
+## they are both changing the SDP. Make sure to configure them with
+## different to-domains or from-domains filter if you want to enable
+## both of them.
+##
+[module::Transcoder]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# Nominal size of RTP jitter buffer. A value of 0 means no jitter
+# buffer (packet processing).
+# Default: 0
+# Default unit: millisecond
+#jb-nom-size=0
+
+# Whitespace separated list of user-agent strings for which audio
+# rate control is performed.
+# Default: 
+#rc-user-agents=
+
+# Whitespace seprated list of audio codecs, in order of preference.
+# The 'telephone-event' codec is necessary for inband DTMF processing.
+# Default: speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
+#audio-codecs=speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
+
+# Remove the bandwidth limitations from SDP offers and answers
+# Default: false
+#remove-bw-limits=false
+
+# If true, retransmissions of INVITEs will be blocked. The purpose
+# of this option is to limit bandwidth usage and server load on
+# reliable networks.
+# Default: false
+#block-retransmissions=false
+
+
+
+
+
+
+##
+## This module executes the basic routing task of SIP requests and
+## pass them to the transport layer. It must always be enabled.
+##
+[module::Forward]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: 
+#filter=
+
+# A path to a configuration file describing routes to be prepended
+# before forwarding a request, when specific conditions for the
+# SIP request being forwarded are met. The condition is described
+# using flexisip's filter syntax, as described on 
+# https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# The configuration file comprises lines using the following syntax:
+# <sip route>   <condition expressed as a filter expression> 
+# Comments are allowed with '#'.
+# Conditions can spread over multiples lines provided that the continuation
+# line starts with either spaces or tabs.
+# The special condition '*' matches every request.
+# The conditions are matched in the order they appear in the configuration
+# file. The first fulfilled condition determines the route that
+# is prepended.If the request does not match any condition, no route
+# is prepended.
+# The file may be empty, or no path may be specified, in which case
+# no route is preprended either. Here is a an example of a valid
+# routes configuration file:
+# <sip:example.org;transport=tls>     request.uri.domain == 'example.org'
+# <sip:10.0.0.2:5070;transport=tcp>   request.uri.params contains
+# 'user=phone'
+# 
+# Beware: that is not just a SIP URI, but a route. As a result,
+# when the URI has parameters, brackets must enclose the URI, otherwise
+# the parameters will be parsed as route parameters.
+# Default: 
+#routes-config-path=
+
+# Add a path header of this proxy
+# Default: true
+#add-path=true
+
+# For SIP URIs, in asbsence of transport parameter, assume the given
+# transport is to be used. Possible values are udp, tcp or tls.
+# Default: udp
+#default-transport=udp
+
+# List of URL and contact params to remove
+# Default: pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param
+#params-to-remove=pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param
+
+
+
+
+
+
+##
+## Inter domain connections is a set of feature allowing to dynamically
+## connect several Flexisip servers together in order to manage SIP
+## routing at local and global scope. Let's suppose you have two
+## SIP network a.example.net and b.example.net run privately and
+## independently (no one from a.example.net needs to call someone
+## at b.example.net). However, when people from a and b are outside
+## of their network, they register to a worldwide available Flexisip
+## instance running on 'global.example.net'. It is then possible
+## to:
+##  * have calls made within a.example.net routed locally and sent
+##    to global.example.net in order to reach users inside and outside
+##    of a's network. Example: 1@a.example.net calls 2@a.example.net.
+##    If 2 is registered on a.example.net then the call is routed locally.
+##    On the contrary if 2 is absent and registered, the call is then
+##    sent to global.example.net and then routed by the global proxy.
+##  * when global.example.net receives a call from a user not within
+##    its native network (ex: 1@a.example.net calls 2@a.example.net),
+##    it can route this call to the proxy that is responsible for managing
+##    the local domain (a.example.net).
+## 
+## This system is dynamic: the physical IP address of a and b network
+## can change (dynamic ip address allocation)
+## .This scenario is achieved with two key features:
+##  * a.example.net sends a REGISTER to global.example.net to indicate
+##    that it is the responsible for the entire domain a.example.net.
+##    The global.example.net authenticates this REGISTER thanks to TLS
+##    client certificate presented by a.example.net.
+##  * global.example.net is configured to accept this domain registration
+##    and route all calls it receives directly and destinated to a.example.net
+##    domain through the connection established by a.example.net during
+##    the domain registration.
+##
+[inter-domain-connections]
+
+# Whether Flexisip shall accept registrations for entire domains
+# Default: false
+#accept-domain-registrations=false
+
+# Whether Flexisip shall assume that there is a unique server per
+# registered domain, which allows to clean old registrations and
+# simplifies the routing logic.
+# Default: false
+#assume-unique-domains=false
+
+# Path to a text file describing the domain registrations to make.
+# This file must contains lines like:
+#  <local domain name> <SIP URI of proxy/registrar where to send
+# the domain REGISTER> [password]>
+#  where:
+#  <local domain name> is a domain name managed locally by this
+# proxy
+#  <SIP URI of proxy/registrar> is the SIP URI where the domain
+# registration will be sent. The special uri parameter 'tls-certificates-dir'
+# is understood in order to specify a TLS client certificate to
+# present to the remote proxy.
+#  [password] is the password to use if the remote proxy/registrar
+# requests a digest authentication. It is optional.
+#  If the file is absent or empty, no registrations are done.An
+# example of such line is:
+# belledonne.linphone.org <sips:sip.linphone.org;tls-certificates-dir=/etc/flexisip/client-cert>
+# gghhiioozz
+# Default: /etc/flexisip/domain-registrations.conf
+#domain-registrations=/etc/flexisip/domain-registrations.conf
+
+# When submitting a domain registration to a server over TLS, verify
+# the certificate presented by the server. Disabling this option
+# is only for test, because it is a security flaw
+# Default: true
+#verify-server-certs=true
+
+# Interval for sending \r\n\r\n keepalives through the outgoing
+# domain registration connection.A value of zero disables keepalives.
+# Default: 30
+# Default unit: second
+#keepalive-interval=30
+
+# Delay after which TCP/TLS connections will be considered as broken
+# if no CRLF pong has been received from the registrar. A delay
+# of 0 means that no pong is expected after ping. The registrar
+# must advertise the 'outbound' option tag in a Supported header
+# for this detection to be active.
+# Warning: This parameter must be strictly lower than “keepalive-interval”.
+# Default: 0
+# Default unit: second
+#ping-pong-timeout-delay=0
+
+# Delay before creating a new connection after connection is known
+# as broken. Set '0' in order the connection be recreated immediately.
+# Default: 5
+# Default unit: second
+#reconnection-delay=5
+
+# Whether Flexisip shall only send a domain registration when a
+# device is registered
+# Default: false
+#reg-when-needed=false
+
+# Route received REGISTER request to the server in charge of the
+# domain, according to accepted domain registrations. This option
+# is intended to be used with 'reg-on-response' mode of Registrar
+# module, and 'accept-domain-registrations' enabled too.The 'reg-on-response'
+# mode typically allows Flexisip to forward an incoming REGISTER
+# to an upstream server, and record the client's contact address
+# upon receiving the 200 Ok response from the upstream server. When
+# 'relay-reg-to-domains' is enabled, the routing to the upstream
+# server is performed according to the domain registrations received
+# previously by flexisip, instead of usual DNS-based procedures.
+# Default: false
+#relay-reg-to-domains=false
+
+# regex to match domain names (host part of URL) for which the register
+# requests should be routed to the upstream server.This option is
+# intended to be used with 'relay-reg-to-domains' mode enabled.
+# Default: 
+#relay-reg-to-domains-regex=
+
diff --git a/personal_infra/puppet/modules/freeswitch/manifests/init.pp b/personal_infra/puppet/modules/freeswitch/manifests/init.pp
deleted file mode 100644
index 2323e832..00000000
--- a/personal_infra/puppet/modules/freeswitch/manifests/init.pp
+++ /dev/null
@@ -1,24 +0,0 @@
-class freeswitch($freeswitch_password, $freeswitch_address, $freeswitch_rtp_start_port, $freeswitch_rtp_end_port) {
-  package {'okay-release':
-    source => 'http://repo.okay.com.mx/centos/9/x86_64/release/okay-release-1-10.el9.noarch.rpm',
-  }
-  ->
-  package {['freeswitch-config-vanilla', 'freeswitch-systemd', 'freeswitch-sounds-en-us-callie-all']:}
-  ->
-  service {'freeswitch':
-    enable => true,
-    ensure => running,
-  }
-
-  file {'/etc/freeswitch/vars.xml':
-      content => template('freeswitch/vars.xml'),
-      require => Package['freeswitch-config-vanilla'],
-      notify => Service['freeswitch'],
-  }
-
-  file {'/etc/freeswitch/autoload_configs/switch.conf.xml':
-      content => template('freeswitch/switch.conf.xml'),
-      require => Package['freeswitch-config-vanilla'],
-      notify => Service['freeswitch'],
-  }
-}
diff --git a/personal_infra/puppet/modules/freeswitch/templates/switch.conf.xml b/personal_infra/puppet/modules/freeswitch/templates/switch.conf.xml
deleted file mode 100644
index 36891f9b..00000000
--- a/personal_infra/puppet/modules/freeswitch/templates/switch.conf.xml
+++ /dev/null
@@ -1,208 +0,0 @@
-<configuration name="switch.conf" description="Core Configuration">
-
-  <cli-keybindings>
-    <key name="1" value="help"/>
-    <key name="2" value="status"/>
-    <key name="3" value="show channels"/>
-    <key name="4" value="show calls"/>
-    <key name="5" value="sofia status"/>
-    <key name="6" value="reloadxml"/>
-    <key name="7" value="console loglevel 0"/>
-    <key name="8" value="console loglevel 7"/>
-    <key name="9" value="sofia status profile internal"/>
-    <key name="10" value="sofia profile internal siptrace on"/>
-    <key name="11" value="sofia profile internal siptrace off"/>
-    <key name="12" value="version"/>
-  </cli-keybindings> 
-  
-  <default-ptimes>
-    <!-- Set this to override the 20ms assumption of various codecs in the sdp with no ptime defined -->
-    <!-- <codec name="G729" ptime="40"/> -->
-  </default-ptimes>
-  
-  <settings>
-    <!-- Colorize the Console -->
-    <param name="colorize-console" value="true"/>
-
-    <!--Include full timestamps in dialplan logs -->
-    <param name="dialplan-timestamps" value="false"/>
-
-    <!-- Run the timer at 20ms by default and drop down as needed unless you set 1m-timer=true which was previous default -->
-    <!-- <param name="1ms-timer" value="true"/> -->
-
-    <!--
-	Set the Switch Name for HA environments.
-	When setting the switch name, it will override the system hostname for all DB and CURL requests
-	allowing cluster environments such as RHCS to have identical FreeSWITCH configurations but run
-	as different hostnames.
-    -->
-    <!-- <param name="switchname" value="freeswitch"/> -->
-    <!-- <param name="cpu-idle-smoothing-depth" value="30"/> -->
-
-
-    <!-- Maximum number of simultaneous DB handles open -->
-    <param name="max-db-handles" value="50"/>
-    <!-- Maximum number of seconds to wait for a new DB handle before failing -->
-    <param name="db-handle-timeout" value="10"/>
-
-    <!-- Minimum idle CPU before refusing calls -->
-    <!-- <param name="min-idle-cpu" value="25"/> -->
-
-    <!-- Interval between heartbeat events -->
-    <!-- <param name="event-heartbeat-interval" value="20"/> -->
-
-    <!--
-	Max number of sessions to allow at any given time.
-	
-	NOTICE: If you're driving 28 T1's in a single box you should set this to 644*2 or 1288
-	this will ensure you're able to use the entire DS3 without a problem.  Otherwise you'll
-	be 144 channels short of always filling that DS3 up which can translate into waste.
-    -->
-    <param name="max-sessions" value="1000"/>
-    <!--Most channels to create per second -->
-    <param name="sessions-per-second" value="30"/>
-    <!-- Default Global Log Level - value is one of debug,info,notice,warning,err,crit,alert -->
-    <param name="loglevel" value="debug"/>
-
-    <!-- Set the core DEBUG level (0-10) -->
-    <!-- <param name="debug-level" value="10"/> -->
-
-    <!-- SQL Buffer length within rage of 32k to 10m -->
-    <!-- <param name="sql-buffer-len" value="1m"/> -->
-    <!-- Maximum SQL Buffer length must be greater than sql-buffer-len -->
-    <!-- <param name="max-sql-buffer-len" value="2m"/> -->
-
-    <!-- 
-	 The min-dtmf-duration specifies the minimum DTMF duration to use on 
-	 outgoing events. Events shorter than this will be increased in duration
-	 to match min_dtmf_duration. You cannot configure a dtmf duration on a 
-	 profile that is less than this setting. You may increase this value,
-	 but cannot set it lower than 400. This value cannot exceed 
-	 max-dtmf-duration. -->
-    <!-- <param name="min-dtmf-duration" value="400"/> -->
-
-    <!-- 
-	 The max-dtmf-duration caps the playout of a DTMF event at the specified
-	 duration. Events exceeding this duration will be truncated to this
-	 duration. You cannot configure a duration on a profile that exceeds
-	 this setting. This setting can be lowered, but cannot exceed 192000. 
-	 This setting cannot be set lower than min_dtmf_duration. -->
-    <!-- <param name="max-dtmf-duration" value="192000"/> -->
-
-    <!-- 
-	 The default_dtmf_duration specifies the DTMF duration to use on
-	 originated DTMF events or on events that are received without a
-	 duration specified. This value can be increased or lowered. This
-	 value is lower-bounded by min_dtmf_duration and upper-bounded by
-	 max-dtmf-duration\. -->
-    <!-- <param name="default-dtmf-duration" value="2000"/> -->
-
-    <!--
-	If you want to send out voicemail notifications via Windows you'll need to change the mailer-app
-	variable to the setting below:
-	
-	<param name="mailer-app" value="msmtp"/>
-	
-	Do not change mailer-app-args.
-	You will also need to download a sendmail clone for Windows (msmtp). This version works without issue:
-	http://msmtp.sourceforge.net/index.html. Download and copy the .exe to %winddir%\system32.
-	You'll need to create a small config file for smtp credentials (host name, authentication, tls, etc.) in
-	%USERPROFILE%\Application Data\ called "msmtprc.txt". Below is a sample copy of this file:
-	
-	###################################
-	# The SMTP server of the provider.
-	account provider
-	host smtp.myisp.com
-	from john@myisp.com
-	auth login
-	user johndoe
-	password mypassword
-	
-	# Set a default account
-	account default : provider
-	###################################
-	
-    -->    
-
-    <param name="mailer-app" value="sendmail"/>
-    <param name="mailer-app-args" value="-t"/>
-    <param name="dump-cores" value="yes"/>
-
-    <!-- Enable verbose channel events to include every detail about a channel on every event  -->
-    <!-- <param name="verbose-channel-events" value="no"/> -->
-
-    <!-- Enable clock nanosleep -->
-    <!-- <param name="enable-clock-nanosleep" value="true"/> -->
-
-    <!-- Enable monotonic timing -->
-    <!-- <param name="enable-monotonic-timing" value="true"/> -->
-
-    <!-- NEEDS DOCUMENTATION -->
-    <!-- <param name="enable-softtimer-timerfd" value="true"/> -->
-    <!-- <param name="enable-cond-yield" value="true"/> -->
-    <!-- <param name="enable-timer-matrix" value="true"/> -->
-    <!-- <param name="threaded-system-exec" value="true"/> -->
-    <!-- <param name="tipping-point" value="0"/> -->
-    <!-- <param name="timer-affinity" value="disabled"/> -->
-    <!-- NEEDS DOCUMENTATION -->
-
-    <!-- RTP port range -->
-    <param name="rtp-start-port" value="<%= @freeswitch_rtp_start_port %>"/>
-    <param name="rtp-end-port" value="<%= @freeswitch_rtp_end_port %>"/>
-
-    <!-- Test each port to make sure it is not in use by some other process before allocating it to RTP -->
-    <!-- <param name="rtp-port-usage-robustness" value="true"/> -->
-
-    <param name="rtp-enable-zrtp" value="false"/>
-
-    <!--
-	 Store encryption keys for secure media in channel variables and call CDRs. Default: false.
-	 WARNING: If true, anyone with CDR access can decrypt secure media!
-    -->
-    <!-- <param name="rtp-retain-crypto-keys" value="true"/> -->
-
-    <!--
-	 Native PostgreSQL support was removed from the FreeSWITCH Core!
-	 =================================
-	 NOTICE: You MUST enable mod_pgsql        
-	 =================================
-	 According to https://www.postgresql.org/docs/9.6/libpq-connect.html#LIBPQ-CONNSTRING
-	 There are two accepted formats for connection strings supported by the libpq library: 
-	 * For plain keyword = value strings use pgsql://
-	   pgsql://hostaddr=127.0.0.1 dbname=freeswitch user=freeswitch password='' options='-c client_min_messages=NOTICE'
-	 * For RFC 3986 URIs use postgresql:// or postgres://
-	   postgresql://
-	   postgresql://localhost
-	   postgresql://localhost:5433
-	   postgresql://localhost/mydb
-	   postgresql://user@localhost
-	   postgresql://user:secret@localhost
-	   postgresql://other@localhost/otherdb?connect_timeout=10&application_name=myapp
-	   postgresql:///mydb?host=localhost&port=5433
-    -->
-    <!-- <param name="core-db-dsn" value="pgsql://hostaddr=127.0.0.1 dbname=freeswitch user=freeswitch password='' options='-c client_min_messages=NOTICE'" /> -->
-    <!-- <param name="core-db-dsn" value="postgresql://freeswitch:@127.0.0.1/freeswitch?options=-c%20client_min_messages%3DNOTICE" /> -->
-    <!-- <param name="core-db-dsn" value="mariadb://Server=localhost;Database=freeswitch;Uid=freeswitch;Pwd=pass;" /> -->
-    <!-- <param name="core-db-dsn" value="dsn:username:password" /> -->
-    <!-- 
-	 Allow to specify the sqlite db at a different location (In this example, move it to ramdrive for
-	 better performance on most linux distro (note, you loose the data if you reboot))
-    -->
-    <!-- <param name="core-db-name" value="/dev/shm/core.db" /> -->
-
-    <!-- The system will create all the db schemas automatically, set this to false to avoid this behaviour -->
-    <!-- <param name="auto-create-schemas" value="true"/> -->
-    <!-- <param name="auto-clear-sql" value="true"/> -->
-    <!-- <param name="enable-early-hangup" value="true"/> -->
-
-    <!-- <param name="core-dbtype" value="MSSQL"/> -->
-
-    <!-- Allow multiple registrations to the same account in the central registration table -->
-    <!-- <param name="multiple-registrations" value="true"/> -->
-
-    <!-- <param name="max-audio-channels" value="2"/> -->
-
-  </settings>
-
-</configuration>
-
diff --git a/personal_infra/puppet/modules/freeswitch/templates/vars.xml b/personal_infra/puppet/modules/freeswitch/templates/vars.xml
deleted file mode 100644
index 850c0a17..00000000
--- a/personal_infra/puppet/modules/freeswitch/templates/vars.xml
+++ /dev/null
@@ -1,448 +0,0 @@
-<include>
-  <!-- Preprocessor Variables
-       These are introduced when configuration strings must be consistent across modules.
-       NOTICE: YOU CAN NOT COMMENT OUT AN X-PRE-PROCESS line, Remove the line instead.
-
-       WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-
-       YOU SHOULD CHANGE THIS default_password value if you don't want to be subject to any
-       toll fraud in the future.  It's your responsibility to secure your own system.
-
-       This default config is used to demonstrate the feature set of FreeSWITCH.
-
-       WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-  -->
-  <X-PRE-PROCESS cmd="set" data="default_password=<%= @freeswitch_password %>"/>
-  <!-- Did you change it yet? -->
-  <!--
-      The following variables are set dynamically - calculated if possible by freeswitch - and
-      are available to the config as $${variable}.  You can see their calculated value via fs_cli
-      by entering eval $${variable}
-
-      hostname
-      local_ip_v4
-      local_mask_v4
-      local_ip_v6
-      switch_serial
-      base_dir
-      recordings_dir
-      sound_prefix
-      sounds_dir
-      conf_dir
-      log_dir
-      run_dir
-      db_dir
-      mod_dir
-      htdocs_dir
-      script_dir
-      temp_dir
-      grammar_dir
-      certs_dir
-      storage_dir
-      cache_dir
-      core_uuid
-      zrtp_enabled
-      nat_public_addr
-      nat_private_addr
-      nat_type
-
-  -->
-
-
-  <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
-  <!--<Z-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/allison"/> -->
-
-  <!--
-      This setting is what sets the default domain FreeSWITCH will use if all else fails.
-
-      FreeSWICH will default to $${local_ip_v4} unless changed.  Changing this setting does
-      affect the sip authentication.  Please review conf/directory/default.xml for more
-      information on this topic.
-  -->
-  <X-PRE-PROCESS cmd="set" data="domain=sip.pdp7.net"/>
-  <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
-  <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
-  <X-PRE-PROCESS cmd="set" data="use_profile=external"/>
-  <X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
-  <!--
-      Enable ZRTP globally you can override this on a per channel basis
-
-      http://wiki.freeswitch.org/wiki/ZRTP (on how to enable zrtp)
-  -->
-  <X-PRE-PROCESS cmd="set" data="zrtp_secure_media=true"/>
-  <!--
-      NOTICE: When using SRTP it's critical that you do not offer or accept
-      variable bit rate codecs, doing so would leak information and possibly
-      compromise your SRTP stream. (FS-6404)
-
-      Supported SRTP Crypto Suites:
-
-      AEAD_AES_256_GCM_8
-      ____________________________________________________________________________
-      This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of
-      [RFC5116]), except that the tag length, t, is 8, and an
-      authentication tag with a length of 8 octets (64 bits) is used.
-      An AEAD_AES_256_GCM_8 ciphertext is exactly 8 octets longer than its
-      corresponding plaintext.
-
-
-      AEAD_AES_128_GCM_8
-      ____________________________________________________________________________
-      This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of
-      [RFC5116]), except that the tag length, t, is 8, and an
-      authentication tag with a length of 8 octets (64 bits) is used.
-      An AEAD_AES_128_GCM_8 ciphertext is exactly 8 octets longer than its
-      corresponding plaintext.
-
-
-      AES_CM_256_HMAC_SHA1_80 | AES_CM_192_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_80
-      ____________________________________________________________________________
-      AES_CM_128_HMAC_SHA1_80 is the SRTP default AES Counter Mode cipher
-      and HMAC-SHA1 message authentication with an 80-bit authentication
-      tag. The master-key length is 128 bits and has a default lifetime of
-      a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes
-      first.
-
-
-      AES_CM_256_HMAC_SHA1_32 | AES_CM_192_HMAC_SHA1_32 | AES_CM_128_HMAC_SHA1_32
-      ____________________________________________________________________________
-      This crypto-suite is identical to AES_CM_128_HMAC_SHA1_80 except that
-      the authentication tag is 32 bits. The length of the base64-decoded key and
-      salt value for this crypto-suite MUST be 30 octets i.e., 240 bits; otherwise,
-      the crypto attribute is considered invalid.
-
-
-      AES_CM_128_NULL_AUTH
-      ____________________________________________________________________________
-      The SRTP default cipher (AES-128 Counter Mode), but to use no authentication
-      method.  This policy is NOT RECOMMENDED unless it is unavoidable; see
-      Section 7.5 of [RFC3711].
-
-
-      SRTP variables that modify behaviors based on direction/leg:
-
-      rtp_secure_media
-      ____________________________________________________________________________
-      possible values:
-          mandatory - Accept/Offer SAVP negotiation ONLY
-          optional  - Accept/Offer SAVP/AVP with SAVP preferred
-          forbidden - More useful for inbound to deny SAVP negotiation
-          false     - implies forbidden
-          true      - implies mandatory
-
-      default if not set is accept SAVP inbound if offered.
-
-
-      rtp_secure_media_inbound | rtp_secure_media_outbound
-      ____________________________________________________________________________
-      This is the same as rtp_secure_media, but would apply to either inbound
-      or outbound offers specifically.
-
-
-      How to specify crypto suites:
-      ____________________________________________________________________________
-      By default without specifying any crypto suites FreeSWITCH will offer
-      crypto suites from strongest to weakest accepting the strongest each
-      endpoint has in common.  If you wish to force specific crypto suites you
-      can do so by appending the suites in a comma separated list in the order
-      that you wish to offer them in.
-
-      Examples:
-
-          rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
-          rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
-          rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80
-          rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80
-
-      Additionally you can narrow this down on either inbound or outbound by
-      specifying as so:
-
-          rtp_secure_media_inbound=true:AEAD_AES_256_GCM_8
-          rtp_secure_media_inbound=mandatory:AEAD_AES_256_GCM_8
-          rtp_secure_media_outbound=true:AEAD_AES_128_GCM_8
-          rtp_secure_media_outbound=optional:AEAD_AES_128_GCM_8
-
-
-      rtp_secure_media_suites
-      ____________________________________________________________________________
-      Optionaly you can use rtp_secure_media_suites to dictate the suite list
-      and only use rtp_secure_media=[optional|mandatory|false|true] without having
-      to dictate the suite list with the rtp_secure_media* variables.
-  -->
-  <!--
-       Examples of codec options: (module must be compiled and loaded)
-
-       codecname[@8000h|16000h|32000h[@XXi]]
-
-       XX is the frame size must be multples allowed for the codec
-       FreeSWITCH can support 10-120ms on some codecs.
-       We do not support exceeding the MTU of the RTP packet.
-
-
-       iLBC@30i         - iLBC using mode=30 which will win in all cases.
-       DVI4@8000h@20i   - IMA ADPCM 8kHz using 20ms ptime. (multiples of 10)
-       DVI4@16000h@40i  - IMA ADPCM 16kHz using 40ms ptime. (multiples of 10)
-       speex@8000h@20i  - Speex 8kHz using 20ms ptime.
-       speex@16000h@20i - Speex 16kHz using 20ms ptime.
-       speex@32000h@20i - Speex 32kHz using 20ms ptime.
-       BV16             - BroadVoice 16kb/s narrowband, 8kHz
-       BV32             - BroadVoice 32kb/s wideband, 16kHz
-       G7221@16000h     - G722.1 16kHz (aka Siren 7)
-       G7221@32000h     - G722.1C 32kHz (aka Siren 14)
-       CELT@32000h      - CELT 32kHz, only 10ms supported
-       CELT@48000h      - CELT 48kHz, only 10ms supported
-       GSM@40i          - GSM 8kHz using 40ms ptime. (GSM is done in multiples of 20, Default is 20ms)
-       G722             - G722 16kHz using default 20ms ptime. (multiples of 10)
-       PCMU             - G711 8kHz ulaw using default 20ms ptime. (multiples of 10)
-       PCMA             - G711 8kHz alaw using default 20ms ptime. (multiples of 10)
-       G726-16          - G726 16kbit adpcm using default 20ms ptime. (multiples of 10)
-       G726-24          - G726 24kbit adpcm using default 20ms ptime. (multiples of 10)
-       G726-32          - G726 32kbit adpcm using default 20ms ptime. (multiples of 10)
-       G726-40          - G726 40kbit adpcm using default 20ms ptime. (multiples of 10)
-       AAL2-G726-16     - Same as G726-16 but using AAL2 packing. (multiples of 10)
-       AAL2-G726-24     - Same as G726-24 but using AAL2 packing. (multiples of 10)
-       AAL2-G726-32     - Same as G726-32 but using AAL2 packing. (multiples of 10)
-       AAL2-G726-40     - Same as G726-40 but using AAL2 packing. (multiples of 10)
-       LPC              - LPC10 using 90ms ptime (only supports 90ms at this time in FreeSWITCH)
-       L16              - L16 isn't recommended for VoIP but you can do it. L16 can exceed the MTU rather quickly.
-
-       These are the passthru audio codecs:
-
-       G729             - G729 in passthru mode. (mod_g729)
-       G723             - G723.1 in passthru mode. (mod_g723_1)
-       AMR              - AMR in passthru mode. (mod_amr)
-
-       These are the passthru video codecs: (mod_h26x)
-
-       H261             - H.261 Video
-       H263             - H.263 Video
-       H263-1998        - H.263-1998 Video
-       H263-2000        - H.263-2000 Video
-       H264             - H.264 Video
-
-       RTP Dynamic Payload Numbers currently used in FreeSWITCH and their purpose.
-
-       96  - AMR
-       97  - iLBC (30)
-       98  - iLBC (20)
-       99  - Speex 8kHz, 16kHz, 32kHz
-       100 -
-       101 - telephone-event
-       102 -
-       103 -
-       104 -
-       105 -
-       106 - BV16
-       107 - G722.1 (16kHz)
-       108 -
-       109 -
-       110 -
-       111 -
-       112 -
-       113 -
-       114 - CELT 32kHz, 48kHz
-       115 - G722.1C (32kHz)
-       116 -
-       117 - SILK 8kHz
-       118 - SILK 12kHz
-       119 - SILK 16kHz
-       120 - SILK 24kHz
-       121 - AAL2-G726-40 && G726-40
-       122 - AAL2-G726-32 && G726-32
-       123 - AAL2-G726-24 && G726-24
-       124 - AAL2-G726-16 && G726-16
-       125 -
-       126 -
-       127 - BV32
-
-  -->
-  <X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
-  <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
-
-  <!--
-      xmpp_client_profile and xmpp_server_profile
-      xmpp_client_profile can be any string.
-      xmpp_server_profile is appended to "dingaling_" to form the database name
-      containing the "subscriptions" table.
-      used by: dingaling.conf.xml enum.conf.xml
-  -->
-
-  <X-PRE-PROCESS cmd="set" data="xmpp_client_profile=xmppc"/>
-  <X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
-  <!--
-       THIS IS ONLY USED FOR DINGALING
-
-       bind_server_ip
-
-       Can be an ip address, a dns name, or "auto".
-       This determines an ip address available on this host to bind.
-       If you are separating RTP and SIP traffic, you will want to have
-       use different addresses where this variable appears.
-       Used by: dingaling.conf.xml
-  -->
-  <X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
-
-  <!-- NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
-
-       If you're going to load test FreeSWITCH please input real IP addresses
-       for external_rtp_ip and external_sip_ip
-  -->
-
-  <!-- external_rtp_ip
-       Can be an one of:
-           ip address: "12.34.56.78"
-           a stun server lookup: "stun:stun.server.com"
-           a DNS name: "host:host.server.com"
-       where fs.mydomain.com is a DNS A record-useful when fs is on
-       a dynamic IP address, and uses a dynamic DNS updater.
-       If unspecified, the bind_server_ip value is used.
-       Used by: sofia.conf.xml dingaling.conf.xml
-  -->
-  <X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=<%= @freeswitch_address %>"/>
-
-  <!-- external_sip_ip
-      Used as the public IP address for SDP.
-       Can be an one of:
-           ip address: "12.34.56.78"
-           a stun server lookup: "stun:stun.server.com"
-           a DNS name: "host:host.server.com"
-       where fs.mydomain.com is a DNS A record-useful when fs is on
-       a dynamic IP address, and uses a dynamic DNS updater.
-       If unspecified, the bind_server_ip value is used.
-       Used by: sofia.conf.xml dingaling.conf.xml
-  -->
-  <X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=<%= @freeswitch_address %>"/>
-
-  <!-- unroll-loops
-       Used to turn on sip loopback unrolling.
-  -->
-  <X-PRE-PROCESS cmd="set" data="unroll_loops=true"/>
-
-  <!-- outbound_caller_id and outbound_caller_name
-       The caller ID telephone number we should use when calling out.
-       Used by: conference.conf.xml and user directory for default
-       outbound callerid name and number.
-  -->
-  <X-PRE-PROCESS cmd="set" data="outbound_caller_name=FreeSWITCH"/>
-  <X-PRE-PROCESS cmd="set" data="outbound_caller_id=0000000000"/>
-
-  <!-- various debug and defaults -->
-  <X-PRE-PROCESS cmd="set" data="call_debug=false"/>
-  <X-PRE-PROCESS cmd="set" data="console_loglevel=info"/>
-  <X-PRE-PROCESS cmd="set" data="default_areacode=918"/>
-  <X-PRE-PROCESS cmd="set" data="default_country=US"/>
-
-  <!-- if false or undefined, the destination number is included in presence NOTIFY dm:note.
-       if true, the destination number is not included -->
-  <X-PRE-PROCESS cmd="set" data="presence_privacy=false"/>
-
-  <X-PRE-PROCESS cmd="set" data="au-ring=%(400,200,383,417);%(400,2000,383,417)"/>
-  <X-PRE-PROCESS cmd="set" data="be-ring=%(1000,3000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="ca-ring=%(2000,4000,440,480)"/>
-  <X-PRE-PROCESS cmd="set" data="cn-ring=%(1000,4000,450)"/>
-  <X-PRE-PROCESS cmd="set" data="cy-ring=%(1500,3000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="cz-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="de-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="dk-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="dz-ring=%(1500,3500,425)"/>
-  <X-PRE-PROCESS cmd="set" data="eg-ring=%(2000,1000,475,375)"/>
-  <X-PRE-PROCESS cmd="set" data="es-ring=%(1500,3000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="fi-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="fr-ring=%(1500,3500,440)"/>
-  <X-PRE-PROCESS cmd="set" data="hk-ring=%(400,200,440,480);%(400,3000,440,480)"/>
-  <X-PRE-PROCESS cmd="set" data="hu-ring=%(1250,3750,425)"/>
-  <X-PRE-PROCESS cmd="set" data="il-ring=%(1000,3000,400)"/>
-  <X-PRE-PROCESS cmd="set" data="in-ring=%(400,200,425,375);%(400,2000,425,375)"/>
-  <X-PRE-PROCESS cmd="set" data="jp-ring=%(1000,2000,420,380)"/>
-  <X-PRE-PROCESS cmd="set" data="ko-ring=%(1000,2000,440,480)"/>
-  <X-PRE-PROCESS cmd="set" data="pk-ring=%(1000,2000,400)"/>
-  <X-PRE-PROCESS cmd="set" data="pl-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="ro-ring=%(1850,4150,475,425)"/>
-  <X-PRE-PROCESS cmd="set" data="rs-ring=%(1000,4000,425)"/>
-  <X-PRE-PROCESS cmd="set" data="ru-ring=%(800,3200,425)"/>
-  <X-PRE-PROCESS cmd="set" data="sa-ring=%(1200,4600,425)"/>
-  <X-PRE-PROCESS cmd="set" data="tr-ring=%(2000,4000,450)"/>
-  <X-PRE-PROCESS cmd="set" data="uk-ring=%(400,200,400,450);%(400,2000,400,450)"/>
-  <X-PRE-PROCESS cmd="set" data="us-ring=%(2000,4000,440,480)"/>
-  <X-PRE-PROCESS cmd="set" data="bong-ring=v=-7;%(100,0,941.0,1477.0);v=-7;>=2;+=.1;%(1400,0,350,440)"/>
-  <X-PRE-PROCESS cmd="set" data="beep=%(1000,0,640)"/>
-  <X-PRE-PROCESS cmd="set" data="sit=%(274,0,913.8);%(274,0,1370.6);%(380,0,1776.7)"/>
-
-  <!--
-       Digits Dialed filter: (FS-6940)
-
-       The digits stream may contain valid credit card numbers or social security numbers, These digit
-       filters will allow you to make a valant effort to stamp out sensitive information for
-       PCI/HIPPA compliance. (see xml_cdr dialed_digits)
-
-       df_us_ssn   = US Social Security Number pattern
-       df_us_luhn  = Visa, MasterCard, American Express, Diners Club, Discover and JCB
-  -->
-  <X-PRE-PROCESS cmd="set" data="df_us_ssn=(?!219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"/>
-  <X-PRE-PROCESS cmd="set" data="df_luhn=?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}"/>
-  <!-- change XX to X below to enable -->
-  <XX-PRE-PROCESS cmd="set" data="digits_dialed_filter=(($${df_luhn})|($${df_us_ssn}))"/>
-
-  <!--
-      Setting up your default sip provider is easy.
-      Below are some values that should work in most cases.
-
-      These are for conf/directory/default/example.com.xml
-  -->
-  <X-PRE-PROCESS cmd="set" data="default_provider=example.com"/>
-  <X-PRE-PROCESS cmd="set" data="default_provider_username=joeuser"/>
-  <X-PRE-PROCESS cmd="set" data="default_provider_password=password"/>
-  <X-PRE-PROCESS cmd="set" data="default_provider_from_domain=example.com"/>
-  <!-- true or false -->
-  <X-PRE-PROCESS cmd="set" data="default_provider_register=false"/>
-  <X-PRE-PROCESS cmd="set" data="default_provider_contact=5000"/>
-
-  <!--
-     SIP and TLS settings. http://wiki.freeswitch.org/wiki/Tls
-
-     valid options: sslv2,sslv3,sslv23,tlsv1,tlsv1.1,tlsv1.2
-
-     default: tlsv1,tlsv1.1,tlsv1.2
-  -->
-  <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
-
-  <!--
-     TLS cipher suite: default ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
-
-     The actual ciphers supported will change per platform.
-
-     openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
-
-     Will show you what is available in your verion of openssl.
-  -->
-  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
-
-  <!-- Internal SIP Profile -->
-  <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
-  <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
-  <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
-  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
-
-  <!-- External SIP Profile -->
-  <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
-  <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
-  <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
-  <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
-
-  <!-- Video Settings -->
-  <!-- Setting the max bandwdith -->
-  <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=3mb"/>
-  <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=3mb"/>
-
-  <!-- WebRTC Video -->
-  <!-- Suppress CNG for WebRTC Audio -->
-  <X-PRE-PROCESS cmd="set" data="suppress_cng=true"/>
-  <!-- Enable liberal DTMF for those that can't get it right -->
-  <X-PRE-PROCESS cmd="set" data="rtp_liberal_dtmf=true"/>
-  <!-- Helps with WebRTC Audio -->
-
-  <!-- Stock Video Avatars -->
-  <X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/>
-  <X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
-
-</include>
diff --git a/personal_infra/puppet/site/flexisip.h1.int.pdp7.net.pp b/personal_infra/puppet/site/flexisip.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..75b57fe0
--- /dev/null
+++ b/personal_infra/puppet/site/flexisip.h1.int.pdp7.net.pp
@@ -0,0 +1,17 @@
+node 'flexisip.h1.int.pdp7.net' {
+  $password = lookup("flexisip.password")
+
+  class {'flexisip':
+    flexisip_domain => 'sip.pdp7.net',
+    flexisip_sdp_port_range_min => '20000',
+    flexisip_sdp_port_range_max => '20010',
+    flexisip_user_database => @("EOT")
+    version:1
+
+    1000@sip.pdp7.net clrtxt:$password ;
+    1001@sip.pdp7.net clrtxt:$password ;
+    1002@sip.pdp7.net clrtxt:$password ;
+    | EOT
+    ,
+  }
+}
diff --git a/personal_infra/puppet/site/freeswitch.h1.int.pdp7.net.pp b/personal_infra/puppet/site/freeswitch.h1.int.pdp7.net.pp
deleted file mode 100644
index 2f8b3080..00000000
--- a/personal_infra/puppet/site/freeswitch.h1.int.pdp7.net.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-node 'freeswitch.h1.int.pdp7.net' {
-  class {'freeswitch':
-    freeswitch_password => lookup("freeswitch.password"),
-    freeswitch_address => 'stun:stun.freeswitch.org',
-    freeswitch_rtp_start_port => '20000',
-    freeswitch_rtp_end_port => '20010',
-  }
-}
diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
index 967a6348..f8b88ce3 100644
--- a/personal_infra/puppet/site/h1.pdp7.net.pp
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
@@ -179,4 +179,32 @@ node 'h1.pdp7.net' {
   }
   ~>
   Service['apache2']
+
+  # bogus host to obtain a certificate for sip.pdp7.net
+  file {"/etc/apache2/sites-enabled/sip.pdp7.net.conf":
+    content => @("EOT")
+      MDomain sip.pdp7.net
+
+      <VirtualHost *:443>
+        ServerName sip.pdp7.net
+        SSLEngine on
+        Alias / /bogus
+      </VirtualHost>
+      | EOT
+    ,
+  }
+  ~>
+  Service['apache2']
+
+  file {"/usr/local/bin/notify_md_renewal_hook_sip":
+    content => @("EOT"/$)
+    #!/bin/sh
+
+    cp /etc/apache2/md/domains/sip.pdp7.net/pubcert.pem  /rpool/data/subvol-209-disk-0/etc/pki/tls/certs/localhost.crt
+    cp /etc/apache2/md/domains/sip.pdp7.net/privkey.pem  /rpool/data/subvol-209-disk-0/etc/pki/tls/private/localhost.key
+    pct exec 209 systemctl restart flexisip-proxy
+    | EOT
+    ,
+    mode => '0755',
+  }
 }