From ec16a0ddc157c1cd5602b9552b7c06816fad7a89 Mon Sep 17 00:00:00 2001
From: Keith Whyte
Date: Thu, 11 Mar 2021 08:04:26 +0100
Subject: [PATCH] Add configuration for vSat Add sems install and config Add FS profiles for Vsat incoming calls via sems + related gateway
---
modules/rhizo_base/files/sems-etc/sbc.conf | 78 ++
modules/rhizo_base/files/systemd/sems.service | 15 +
modules/rhizo_base/manifests/init.pp | 4 +
modules/rhizo_base/manifests/sems.pp | 74 ++
.../rhizo_base/templates/ifname_ext.conf.erb | 3 +
.../templates/mux-in.sbcprofile.conf.erb | 14 +
.../templates/mux-out.sbcprofile.conf.erb | 13 +
modules/rhizo_base/templates/sems.conf.erb | 682 ++++++++++++++++++
modules/rhizo_base/templates/sems.xml.erb | 10 +
modules/rhizo_base/templates/vsat.xml.erb | 46 ++
10 files changed, 939 insertions(+)
create mode 100644 modules/rhizo_base/files/sems-etc/sbc.conf
create mode 100644 modules/rhizo_base/files/systemd/sems.service
create mode 100644 modules/rhizo_base/manifests/sems.pp
create mode 100644 modules/rhizo_base/templates/ifname_ext.conf.erb
create mode 100644 modules/rhizo_base/templates/mux-in.sbcprofile.conf.erb
create mode 100644 modules/rhizo_base/templates/mux-out.sbcprofile.conf.erb
create mode 100644 modules/rhizo_base/templates/sems.conf.erb
create mode 100644 modules/rhizo_base/templates/sems.xml.erb
create mode 100644 modules/rhizo_base/templates/vsat.xml.erb
diff --git a/modules/rhizo_base/files/sems-etc/sbc.conf b/modules/rhizo_base/files/sems-etc/sbc.conf
new file mode 100644
index 0000000..5a74c33
--- /dev/null
+++ b/modules/rhizo_base/files/sems-etc/sbc.conf
@@ -0,0 +1,78 @@
+# optional path from where to load the profiles if not set mod config path is used
+#profiles_path=/etc/sems/etc//profiles/
+
+# profiles - comma-separated list of call profiles to load
+#
+# .sbcprofile.conf is loaded from module config
+# path (the path where this file resides) or from profiles_path if set
+
+profiles=mux-in,mux-out
+
+# active call profile - comma separated list, first non-empty is used
+#
+# o active_profile= always use
+#
+# o active_profile=$(ruri.user) use user part of INVITE Request URI
+#
+# o active_profile=$(paramhdr) use "profile" option in P-App-Param header
+#
+# o any replacement pattern
+#
+#active_profile=mux-in
+
+active_profile=$M($Rn_$rU=>ifname_ext),mux-out
+
+# regex_maps - comma-separated list of regex maps to load at startup, for $M()
+#
+# regex=>value maps for which names are given here are loaded from
+# this path, e.g. src_ipmap.conf, ruri_map.conf, usermap.conf
+#
+#regex_maps=src_ipmap,ruri_map,usermap
+
+regex_maps=ifname_ext
+
+# load_cc_plugins - semicolon-separated list of call-control plugins to load
+# here the module names (.so names) must be specified, without .so
+# analogous to load_plugins in sems.conf
+#
+# e.g. load_cc_plugins=cc_pcalls;cc_ctl
+#load_cc_plugins=cc_pcalls;cc_ctl
+
+# handle OPTIONS messages in the core? (with limits etc)
+# Default: no
+core_options_handling=yes
+
+# How many threads to use for processing out-of-dialog messages, default: 1
+# out_of_dialog_threads=4
+
+## RFC4028 Session Timer
+# default configuration - can be overridden by call profiles
+
+# - enables the session timer ([yes,no]; default: no)
+#
+#enable_session_timer=yes
+
+# - set the "Session-Expires" parameter for the session timer.
+#
+# session_expires=240
+
+# - set the "Min-SE" parameter for the session timer.
+#
+# minimum_timer=90
+
+# session refresh (Session Timer, RFC4028) method
+#
+# INVITE - use re-INVITE
+# UPDATE - use UPDATE
+# UPDATE_FALLBACK_INVITE - use UPDATE if indicated in Allow, re-INVITE otherwise
+#
+# Default: UPDATE_FALLBACK_INVITE
+#
+#session_refresh_method=UPDATE
+
+# accept_501_reply - accept 501 reply as successful refresh? [yes|no]
+#
+# Default: yes
+#
+#accept_501_reply=no
+
diff --git a/modules/rhizo_base/files/systemd/sems.service b/modules/rhizo_base/files/systemd/sems.service
new file mode 100644
index 0000000..0e21b3d
--- /dev/null
+++ b/modules/rhizo_base/files/systemd/sems.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=SEMS Proxy
+Requires=sysinit.target system.slice tinc.service
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/sems/
+ExecStart=/usr/sbin/sems -P /var/run/sems/sems.pid -u sems -g sems -f /etc/sems/sems.conf -E
+TimeoutStopSec=5
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/rhizo_base/manifests/init.pp b/modules/rhizo_base/manifests/init.pp
index 3be4b15..cb9010d 100644
--- a/modules/rhizo_base/manifests/init.pp
+++ b/modules/rhizo_base/manifests/init.pp
@@ -124,6 +124,7 @@ class rhizo_base {
 $reg_provider = hiera('rhizo::reg_provider', 'true')
 $voip_chans_max = hiera('rhizo::voip_chans_max', '200')
 $voip_mod = hiera('rhizo::voip_mod', 'lambda num: num')
+ $has_vsat = hiera('rhizo::has_vsat', 0)
 # Subscription SMS notification
 $notice_msg = hiera('rhizo::notice_msg')
@@ -197,6 +198,9 @@ class rhizo_base {
 if $operatingsystem != 'Debian' {
 include rhizo_base::icinga
 }
+ if $has_vsat == 1 {
+ include rhizo_base::sems
+ }
 if $vpn_ip_address == $riak_ip_address {
 if $operatingsystem != 'Debian' {
diff --git a/modules/rhizo_base/manifests/sems.pp b/modules/rhizo_base/manifests/sems.pp
new file mode 100644
index 0000000..7ec4913
--- /dev/null
+++ b/modules/rhizo_base/manifests/sems.pp
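Review bot: `active_profile=$M($Rn_$rU=>ifname_ext),mux-out` in sbc.conf ends with an unconditional `mux-out` fallback, so any request whose interface/user key matches nothing in the ifname_ext map is still relayed towards the vSat server. Because sems.conf.erb in this patch makes SEMS listen on both the rhizo and vsat interfaces, that presumably includes requests arriving on the vsat side for numbers that are not listed, which would be sent back out rather than refused. Consider selecting the profile from the map only, `active_profile=$M($Rn_$rU=>ifname_ext)`, with an explicit outbound entry in ifname_ext.conf, and confirm how SEMS answers when no profile is selected. A comment above the line saying which traffic each profile is meant to carry would help the next reader.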
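Review bot: sems.service lists tinc.service under `Requires=` but only network.target under `After=`, and systemd does not order units from `Requires=` alone, so sems can be started before the VPN is up. sems.conf.erb binds `sip_ip_rhizo` to the VPN address, so an early start would presumably fail to bind and then be retried every 60 s by `Restart=always`/`RestartSec=60`, which hides the cause. Suggest `After=network.target tinc.service`. The `-P /var/run/sems/sems.pid` path also assumes /var/run/sems exists at boot; nothing in this patch creates it, so confirm that the package does.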
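Review bot: The gate `if $has_vsat == 1` in the second init.pp hunk compares against an integer, while the neighbouring hiera lookups in the first hunk default to strings ('true', '200'). On Puppet versions that do not coerce numeric strings, a hiera value written as a quoted "1" or as `true` would leave rhizo_base::sems silently excluded, with no error to point at the cause. Comparing the string form, `if "${has_vsat}" == '1' {`, behaves the same either way, and a one-line comment on the lookup should say which value enables the vSat gateway. Both hunks sit inside class rhizo_base, whose body continues outside them.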
@@ -0,0 +1,74 @@
+# Class: rhizo_base::sems
+#
+# This module manages the sems package and config
+#
+# Parameters: none
+#
+# Actions:
+#
+# Requires: see Modulefile
+#
+# Sample Usage:
+#
+class rhizo_base::sems {
+
+ $vpn_ip_address = $rhizo_base::vpn_ip_address
+ $vsat_ip_address = hiera('rhizo::vsat_ip_address', '127.0.0.1')
+ $vsat_serv_ip_address = hiera('rhizo::vsat_serv_ip_address', '192.168.12.10')
+ $rtp_mux_port = hiera('rhizo::rtp_mux_port', '5000')
+
+ package { ['sems', ]:
+ ensure => installed,
+ require => Class['rhizo_base::apt'],
+ }
+
+ systemd::unit_file { 'sems.service':
+ source => "puppet:///modules/rhizo_base/systemd/sems.service",
+ require => Package['sems'],
+ }
+
+ file { '/etc/sems/sems.conf':
+ content => template('rhizo_base/sems.conf.erb'),
+ require => Package['sems'],
+ }
+
+ file { '/etc/sems/etc/mux-in.sbcprofile.conf':
+ content => template('rhizo_base/mux-in.sbcprofile.conf.erb'),
+ require => Package['sems'],
+ }
+
+ file { '/etc/sems/etc/mux-out.sbcprofile.conf':
+ content => template('rhizo_base/mux-out.sbcprofile.conf.erb'),
+ require => Package['sems'],
+ }
+
+ file { '/etc/sems/etc/ifname_ext.conf':
+ content => template('rhizo_base/ifname_ext.conf.erb'),
+ require => Package['sems'],
+ }
+
+ file { '/etc/sems/etc/':
+ ensure => directory,
+ source => 'puppet:///modules/rhizo_base/sems-etc',
+ owner => 'root',
+ recurse => remote,
+ purge => false,
+ }
+
+ file { '/etc/freeswitch/sip_profiles/vsat.xml':
+ content => template('rhizo_base/vsat.xml.erb'),
+ require => Package['freeswitch'],
+ }
+
+ file {'/etc/freeswitch/sip_profiles/vsat':
+ ensure => directory,
+ require => File['/etc/freeswitch'],
+ }
+
+
+ file { '/etc/freeswitch/sip_profiles/vsat/sems.xml':
+ content => template('rhizo_base/sems.xml.erb'),
+ require => Package['freeswitch'],
+ }
+
+ }
diff --git a/modules/rhizo_base/templates/ifname_ext.conf.erb b/modules/rhizo_base/templates/ifname_ext.conf.erb
new file mode 100644
index 0000000..f5efed9
--- /dev/null
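Review bot: None of the `file` resources that render /etc/sems/sems.conf and the /etc/sems/etc/*.conf files set `owner`, `group` or `mode`, so their permissions depend on whatever defaults are in effect on the node; only the '/etc/sems/etc/' directory resource sets `owner => 'root'`. Since these files decide where calls are relayed, pin them explicitly, e.g. `owner => 'root', group => 'root', mode => '0644',`. Nothing in the class declares or notifies a sems service either, so a changed template presumably does not take effect until sems is restarted by hand; a `notify` from these files to a declared service resource would close that gap. The `require => File['/etc/freeswitch']` on the vsat directory relies on a resource declared outside this hunk.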
+++ b/modules/rhizo_base/templates/ifname_ext.conf.erb
@@ -0,0 +1,3 @@
+^.*_9519800748$=>mux-in
+^.*_9519800756$=>mux-in
+^rhizomatica_00.*$=>mux-out
diff --git a/modules/rhizo_base/templates/mux-in.sbcprofile.conf.erb b/modules/rhizo_base/templates/mux-in.sbcprofile.conf.erb
new file mode 100644
index 0000000..62ec949
--- /dev/null
+++ b/modules/rhizo_base/templates/mux-in.sbcprofile.conf.erb
@@ -0,0 +1,14 @@
+next_hop=<%= @vpn_ip_address %>:5091
+RURI=sip:$rU@<%= @vpn_ip_address %>
+
+a_rtp_mux_ip=<%= @vsat_serv_ip_address %>
+a_rtp_mux_port=<%= @rtp_mux_port %>
+
+enable_rtprelay=yes
+rtprelay_force_symmetric_rtp=no
+
+# RTP interface to use for A leg
+aleg_rtprelay_interface=vsat
+
+# RTP interface to use for B leg
+rtprelay_interface=rhizo
diff --git a/modules/rhizo_base/templates/mux-out.sbcprofile.conf.erb b/modules/rhizo_base/templates/mux-out.sbcprofile.conf.erb
new file mode 100644
index 0000000..f95e1dc
--- /dev/null
+++ b/modules/rhizo_base/templates/mux-out.sbcprofile.conf.erb
@@ -0,0 +1,13 @@
+next_hop=<%= @vsat_serv_ip_address %>:5090
+RURI=sip:$rU@<%= @vsat_serv_ip_address %>
+
+b_rtp_mux_ip==<%= @vsat_serv_ip_address %>
+b_rtp_mux_port=<%= @rtp_mux_port %>
+
+enable_rtprelay=yes
+
+# RTP interface to use for A leg
+aleg_rtprelay_interface=rhizo
+
+# RTP interface to use for B leg
+rtprelay_interface=vsat
diff --git a/modules/rhizo_base/templates/sems.conf.erb b/modules/rhizo_base/templates/sems.conf.erb
new file mode 100644
index 0000000..ac65d48
--- /dev/null
+++ b/modules/rhizo_base/templates/sems.conf.erb
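Review bot: The third map entry in ifname_ext.conf.erb, `^rhizomatica_00.*$=>mux-out`, looks like it can never match: the key is built from `$Rn_$rU` in sbc.conf, and if `$Rn` expands to the receiving interface's name, the interfaces declared in sems.conf.erb are `rhizo` and `vsat`, so the prefix would be `rhizo_`, not `rhizomatica_`. Outbound calls would then reach mux-out only through the fallback in `active_profile`. The two mux-in entries start with `^.*_`, so they do not constrain the receiving interface at all; if they are meant only for calls arriving from the vSat side, `^vsat_9519800748$=>mux-in` says so. The template has no ERB tags and hard-codes site-specific numbers, which would be better supplied from hiera.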
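Review bot: `b_rtp_mux_ip==<%= @vsat_serv_ip_address %>` in mux-out.sbcprofile.conf.erb has a doubled `=`, so the rendered value presumably starts with a literal `=` and is not a usable address; the matching `a_rtp_mux_ip` line in mux-in.sbcprofile.conf.erb uses a single `=`. It should read `b_rtp_mux_ip=<%= @vsat_serv_ip_address %>`. The hiera values are interpolated into both profiles unvalidated, so a check in sems.pp that they are well-formed IP addresses and a numeric port would catch a bad value before it reaches the relay configuration.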
@@ -0,0 +1,682 @@
+# $Id$
+#
+# sems.conf.sample
+#
+# Sip Express Media Server (sems)
+#
+# sample configuration file
+#
+#
+# whitespaces (spaces and tabs) are ignored
+# comments start with a "#" and may be used inline
+#
+# example: option=value # i like this option
+#
+# @filename includes mod_config_path/filename
+# @/absolute/path/to/file includes file
+
+############################################################
+# Network configuration
+
+# If only one signaling (SIP) and media (RTP) interface is
+# to be used, configure the options
+# sip_ip / sip_port / media_ip/ rtp_low_port /
+# rtp_high_port / public_ip / sig_sock_opts
+# If more than one interface is to be used, configure the option
+# 'interfaces' and those options for each interface.
+
+############# configuration for single interface ############
+# optional parameter: sip_ip=|
+#
+# - SIP IP where the SIP stack is bound to. This also sets
+# the value used for contact header in outgoing calls and
+# registrations.
+# - If neither 'media_ip' nor 'sip_ip' are set, defaults
+# to first non-loopback interface, and the port configured below
+# is ignored.
+#
+# Example:
+# sip_ip=10.0.0.34
+# sip_ip=en0
+
+# optional parameter: sip_port=
+#
+# - port where its SIP stack should be bound to, ignored if sip_ip not set.
+# default: 5060
+#
+#sip_port=5080
+
+# optional parameter: media_ip=|
+#
+# - IP address or interface that SEMS uses to send and receive media.
+# - If neither 'media_ip' nor 'sip_ip' are set, defaults
+# to first non-loopback interface. If 'sip_ip' is set,
+# 'media_ip' defaults to 'sip_ip.
+#
+# Examples:
+# media_ip=10.0.0.34
+# media_ip=eth0
+
+# optional parameter: rtp_low_port=
+#
+# - sets lowest for RTP used port (Default: 1024)
+rtp_low_port=10000
+
+# optional parameter: rtp_high_port=
+#
+# - sets highest for RTP used port (Default: 0xffff)
+rtp_high_port=60000
+
+# optional parameter: public_ip=
+#
+# - near end NAT traversal.
when running SEMS behind certain static
+# NATs, use this parameter to inform SEMS of its public IP
+# address. If this parameter is set, SEMS will write this value
+# into SDP bodies and Contact.
+# If this parameter is not set, the local IP address is used.
+# N.B., there is no support for port translation; the local
+# RTP port is advertised in SDP in either case.
+#
+# Example:
+# public_ip=75.101.219.48
+#
+
+# optional parameter: sig_sock_opts=option,option,option,...
+#
+# - signaling socket options
+# o force_via_address - force sending replies to 1st Via
+# o no_transport_in_contact - do not add transport to contact in replies
+#
+# Example:
+# sig_sock_opts=force_via_address,no_transport_in_contact
+
+# optional parameter: tcp_connect_timeout=
+# Default: 2000 (2 sec)
+
+# optional parameter: tcp_idle_timeout=
+# Default: 3600000 (1 hour)
+
+############# configuration for multiple interfaces ############
+# interfaces =
+#
+# 'interfaces' must be set if more than one interface is to be used
+# for the same purpose (e.g. more than one interface for SIP).
+# Configure additional interfaces if networks should be bridged or
+# separate networks should be served.
+#
+# For each interface, a set of parameters suffixed with the
+# interface name should be configured.
+#
+# Please note that for each additional interface,
+# 'sip_ip_[if_name]' is mandatory (but can be the interface
+# name, then the first assigned IP is used). The other
+# parameters are optional. 'media_ip_[if_name]'
+# is derived from 'sip_ip_[if_name]' if not set.
+# 'public_ip_[ip_name]' is also based on 'sip_ip_[if_name]'
+# if not set explicitly.
+#
+# Example:
+interfaces=rhizo,vsat
+#
+sip_ip_rhizo=<%= @vpn_ip_address %>
+sip_port_rhizo=5095
+media_ip_rhizo=<%= @vpn_ip_address %>
+rtp_low_port_rhizo=12000
+rtp_high_port_rhizo=13000
+#
+sip_ip_vsat=<%= @vsat_ip_address %>
+sip_port_vsat=5090
+media_ip_vsat=<%= @vsat_ip_address %>
+rtp_low_port_vsat=14000
+rtp_high_port_vsat=15000
+#sig_sock_opts_vsat=force_via_address
+tcp_connect_timeout_vsat=1000
+tcp_idle_timeout_vsat=900000
+
+############# other network configuration ##############################
+
+# NAT handling for SIP:sip_nat_handling={yes|no}
+#
+# Learn remote next hop address from the source of the address where
+# requests are received from. This option does not apply to the sbc module.
+#
+# default: no
+#
+#sip_nat_handling=yes
+
+# NAT handling for RTP: force_symmetric_rtp={yes|no}
+#
+# Force comedia style "symmetric RTP" NAT handling, i.e.
+# learn remote RTP address from where RTP packets come from
+# (This option does not apply to the sbc module's RTP relay)
+#
+# default: no
+#
+force_symmetric_rtp=no
+
+# optional parameter: outbound_proxy=uri
+#
+# - this sets an outbound proxy for dialogs and registrations initiated
+# by SEMS. A preloaded Route header containing the uri is added to
+# each initial request. The request is then sent to destination obtained
+# by resolving the uri. If outbound_proxy is not set (default setting),
+# no preloaded Route header is added and request is sent to destination
+# obtained by resolving r-uri. Resolving is done by SIP stack with DNS
+# if uri contains domain name. Warning: If uri can not be resolved, no
+# requests will be sent out at all!
+#
+# default: empty
+#
+# Example:
+# outbound_proxy=sip:proxy.mydomain.net
+
+# optional parameter: force_outbound_proxy={yes|no}
+#
+# - forces SEMS to set outbound_proxy for any requests (not just for
+# registrations and dialog initiating requests). See above what setting
+# of outbound_proxy means.
This option will only have an effect if the
+# outbound_proxy option has been set, and it will break 3261 compatibility
+# in some cases; better use next_hop.
+#
+# default: no
+#
+# Example:
+# force_outbound_proxy=yes
+
+# optional parameter: next_hop=address[:port][/transport]
+# - if this is set, all outgoing requests will be sent to
+# this address (IP address or domain name), regardless of R-URI etc.
+#
+# Examples:
+# next_hop=192.168.5.1
+# next_hop=foo.example.com:5080/tcp
+
+# optional parameter: next_hop_1st_req={yes|no}
+# - if set to yes, next_hop behavior (routing without pre-loaded route set)
+# applies only to initial request. Subsequent requests are routed
+# normally based on route set learned from reply to initial request.
+#
+# default: no
+#
+# Example:
+# next_hop_1st_req=yes
+
+# optional parameter:next_hop_for_replies
+# - use next_hop for replies, too?
+#
+#next_hop_for_replies=yes
+
+# RTP multiplexing configuration - see doc/rtp_mux/
+#
+# IP:port to open an incoming (listening) RTP MUX port
+
+rtp_mux_ip=<%= @vsat_ip_address %>
+rtp_mux_port=<%= @rtp_mux_port %>
+
+#
+# Interface to send outgoing RTP MUX packets from (port is auto-assigned)
+
+rtp_mux_out_interface=vsat
+
+#
+# Parameters for outgoing mux:
+# MTU threshold: frame is sent if over this threshold; leave 1 RTP payload size to actual MTU
+rtp_mux_mtu_threshold=135
+# max frame age: .. or this old (millisec), i.e. max delay introduced
+rtp_mux_max_frame_age_ms=30
+#
+# For gatewaying, additionally a_rtp_mux_ip/a_rtp_mux_port or b_rtp_mux_ip/
+# b_rtp_mux_port must be configured in the SBC profile.
+#
+
+############################################################
+# modules and application configuration
+#
+# Configuration of plugin (module) loading:
+# - if load_plugins is set, only those are loaded.
+# - if load_plugins is not set, all modules in the plugin_path
+# directory are loaded, except those which are listed
+# in exclude_plugins.
+#
+
+# optional parameter: plugin_path=
+#
+# - sets the path to the plug-ins' binaries
+# - may be absolute or relative to CWD
+plugin_path=/usr/lib/sems/plug-in/
+
+# optional parameter: load_plugins=
+#
+# semicolon-separated list of modules to load.
+# If empty, all modules in plugin_path are loaded.
+#
+# example for announcement with only g711 and ilbc codecs
+# load_plugins=wav;ilbc;announcement
+load_plugins=wav;isac;l16;speex;g722;gsm;ilbc;stats;sbc;xmlrpc2di
+
+# optional parameter: exclude_plugins=
+#
+# semicolon-separated list of modules to exclude from loading
+# ('blacklist'). If empty, all modules in plugin_path are loaded.
+# This has only effect it load_plugins is not set.
+#
+# o precoded_announce: no precoded sample files present
+# o py_sems: conflicts with ivr (in some cases)
+# o db_reg_agent: needs DB tables
+# o cc_* : sbc call control modules (loaded from sbc.conf)
+exclude_plugins=precoded_announce;py_sems;db_reg_agent;cc_call_timer;cc_ctl;cc_pcalls;cc_prepaid;cc_prepaid_xmlrpc;cc_rest;cc_syslog_cdr
+
+# optional: load_plugins_rtld_global=
+#
+# load these plugins with RTLD_GLOBAL (by default py_sems,
+# dsm, ivr, sbc, diameter_client, registrar_client, uac_auth)
+#
+#load_plugins_rtld_global=myapp
+
+# optional parameter: application
+#
+# This controls which application is to be executed for incoming calls
+# is no explicit application requested (outgoing calls)
+#
+# This can be one of
+# $(ruri.user) - user part of ruri is taken as application,
+# e.g. sip:announcement@host
+# $(ruri.param) - uri parameter "app", e.g.
+# sip:joe@host.net;app=announcement
+# $(apphdr) - the value of the P-App-Name header is used
+#
+# $(mapping) - regex=>application mapping is read from
+# app_mapping.conf (see app_mapping.conf)
+# - application name configured here, e.g.
+# application=announcement
+#
+# examples:
+# application = conference
+# application = $(mapping)
+# application = $(ruri.user)
+# application = $(ruri.param)
+# application = $(apphdr)
+application=sbc
+
+# parameter: plugin_config_path=
+#
+# - in this path configuration files of the applications
+# (e.g. announcement.conf) are searched
+plugin_config_path=/etc/sems/etc/
+
+# optional parameter: exclude_payloads=
+#
+# semicolon-separated list of payloads to exclude from loading
+# ('blacklist').
+#
+# For example, to only use low bandwidth codecs:
+# exclude_payloads=PCMU;PCMA;G726-40;G726-32;G721;L16
+# or, to use only codecs which are not CPU-intensive:
+# exclude_payloads=iLBC;speex;
+# only use G711 (exclude everything else):
+# exclude_payloads=iLBC;speex;G726-40;G726-32;G721;G726-24;G726-16;GSM;L16
+
+############################################################
+# logging and running
+
+# optional parameter: fork={yes|no}
+#
+# - specifies if sems should run in daemon mode (background)
+# (fork=no is the same as -E)
+fork=yes
+
+# optional parameter: stderr={yes|no}
+#
+# - debug mode: do not fork and log to stderr
+# (stderr=yes is the same as -E)
+stderr=no
+
+# optional parameter: loglevel={0|1|2|3}
+#
+# - sets log level (error=0, warning=1, info=2, debug=3)
+# (same as -D)
+loglevel=2
+
+# optional parameter: syslog_facility={DAEMON|USER|LOCAL[0-7]}
+#
+# - sets the log facility that is used for syslog. Using this,
+# the log can for example be filtered into a special file
+# by the syslog daemon.
+#
+# Default: DAEMON
+#
+# Example:
+# syslog_facility=LOCAL0
+
+# optional parameter: log_sessions=[yes|no]
+#
+# Default: no
+#
+# If log_sessions=yes is set, INFO level log messages are generated
+# for each session when it is started and stopped.
+#
+# log_sessions=yes
+
+# optional parameter: log_events=[yes|no]
+#
+# Default: no
+#
+# If log_eventy=yes is set, generic DBG level log messages are
+# generated for each event that is posted into an event queue.
+#
+# log_events=yes
+
+# optional parameter: max_shutdown_time=