{ "apiVersion": "v1", "data": { "ari.conf": "[general]\nenabled=yes\npretty=yes\nallowed_origins=*\n\n[flowercore]\ntype=user\nread_only=no\npassword=bluejay-asterisk-ari\npassword_format=plain\n", "extensions.conf": "[general]\nstatic=yes\nwriteprotect=no\n\n[from-twilio]\n; Inbound calls from Twilio SIP trunk -> FlowerCore IVR workflow\nexten => _+X.,1,Answer()\n same => n,Wait(1)\n same => n,Stasis(flowercore-pbx,inbound-pstn,${EXTEN})\n same => n,Hangup()\n\nexten => _X.,1,Answer()\n same => n,Wait(1)\n same => n,Stasis(flowercore-pbx,inbound-pstn,${EXTEN})\n same => n,Hangup()\n\n[from-internal]\n; Internal extension-to-extension dialing\nexten => _1XX,1,Dial(PJSIP/${EXTEN},30)\n same => n,Hangup()\n\n; Softphone proof endpoints and utility extensions\nexten => _9XX,1,NoOp(Proof call to ${EXTEN})\n same => n,Dial(PJSIP/${EXTEN},30)\n same => n,Hangup()\n\nexten => 999,1,Answer()\n same => n,Playback(demo-echotest)\n same => n,Echo()\n same => n,Hangup()\n\nexten => 998,1,Answer()\n same => n,Milliwatt()\n same => n,Hangup()\n\nexten => 997,1,Answer()\n same => n,Wait(0.5)\n same => n,Playback(hello-world)\n same => n,Wait(1)\n same => n,Hangup()\n\nexten => 996,1,Answer()\n same => n,Wait(0.5)\n same => n,Read(DIGITS,,4,,,5)\n same => n,SayDigits(${DIGITS})\n same => n,Hangup()\n\n; Outbound via Twilio SIP trunk (11-digit US)\nexten => _1NXXNXXXXXX,1,Set(CALLERID(num)=+13202332529)\n same => n,Dial(PJSIP/+${EXTEN}@twilio-trunk,60)\n same => n,Hangup()\n\n; Outbound via Twilio SIP trunk (+1 format)\nexten => _+1NXXNXXXXXX,1,Set(CALLERID(num)=+13202332529)\n same => n,Dial(PJSIP/${EXTEN}@twilio-trunk,60)\n same => n,Hangup()\n\n; IVR access from internal phones (when ARI is connected)\nexten => *100,1,Stasis(flowercore-pbx,internal,ivr)\n same => n,Hangup()\n\n; Test-only entry into the Victory Day workflow (DID +15074618329).\n; Used by live SIP AATs to exercise the VDAY Fun Menu + AsteriskGameHandler\n; path without dialing in over Twilio. 
Mnemonic: *832 = \"V-D-A\" (8-3-2).\nexten => *832,1,NoOp(Test entry: Victory Day workflow via AAT)\n same => n,Stasis(flowercore-pbx,inbound-pstn,+15074618329)\n same => n,Hangup()\n\n; Star codes routed to FlowerCore Stasis app for handling\nexten => *0,1,Stasis(flowercore-pbx,starcode,*0)\n same => n,Hangup()\nexten => *30,1,Stasis(flowercore-pbx,starcode,*30)\n same => n,Hangup()\nexten => *69,1,Stasis(flowercore-pbx,starcode,*69)\n same => n,Hangup()\nexten => *70,1,Stasis(flowercore-pbx,starcode,*70)\n same => n,Hangup()\nexten => _*70X.,1,Stasis(flowercore-pbx,starcode,${EXTEN})\n same => n,Hangup()\nexten => *71,1,Stasis(flowercore-pbx,starcode,*71)\n same => n,Hangup()\nexten => _*71X.,1,Stasis(flowercore-pbx,starcode,${EXTEN})\n same => n,Hangup()\nexten => *72,1,Stasis(flowercore-pbx,starcode,*72)\n same => n,Hangup()\nexten => *73,1,Stasis(flowercore-pbx,starcode,*73)\n same => n,Hangup()\nexten => *75,1,Stasis(flowercore-pbx,starcode,*75)\n same => n,Hangup()\nexten => *77,1,Stasis(flowercore-pbx,starcode,*77)\n same => n,Hangup()\nexten => *78,1,Stasis(flowercore-pbx,starcode,*78)\n same => n,Hangup()\nexten => *79,1,Stasis(flowercore-pbx,starcode,*79)\n same => n,Hangup()\nexten => *86,1,Stasis(flowercore-pbx,starcode,*86)\n same => n,Hangup()\nexten => *87,1,Stasis(flowercore-pbx,starcode,*87)\n same => n,Hangup()\nexten => *97,1,Stasis(flowercore-pbx,starcode,*97)\n same => n,Hangup()\nexten => *43,1,Stasis(flowercore-pbx,starcode,*43)\n same => n,Hangup()\nexten => *80,1,Stasis(flowercore-pbx,starcode,*80)\n same => n,Hangup()\nexten => *88,1,Stasis(flowercore-pbx,starcode,*88)\n same => n,Hangup()\nexten => *41,1,Stasis(flowercore-pbx,starcode,*41)\n same => n,Hangup()\nexten => *411,1,Stasis(flowercore-pbx,starcode,*411)\n same => n,Hangup()\n\n; Catch-all for any other star codes\nexten => _*X.,1,Stasis(flowercore-pbx,starcode,${EXTEN})\n same => n,Hangup()\n\n[default]\nexten => _X.,1,NoOp(Unhandled call to ${EXTEN})\n same => n,Hangup()\n", 
"http.conf": "[general]\nenabled=yes\nbindaddr=0.0.0.0\nbindport=8088\n", "manager.conf": "[general]\nenabled=no\n", "modules.conf": "[modules]\nautoload=yes\nnoload=chan_sip.so\nnoload=res_hep.so\nnoload=res_hep_pjsip.so\nnoload=res_hep_rtcp.so\n", "pjsip.conf": "; ===== Transports =====\n[transport-udp]\ntype=transport\nprotocol=udp\nbind=0.0.0.0:5060\n; NAT: internal phones see node IP, Twilio sees public IP\nlocal_net=10.0.0.0/8\nlocal_net=172.16.0.0/12\nlocal_net=192.168.0.0/16\nexternal_media_address=74.40.140.28\nexternal_signaling_address=74.40.140.28\n\n; ===== Global endpoint identification / anti-scanner hardening =====\n; Reimagined 2026-06-15 (Blue Jay SIP). Identify Twilio by source IP first,\n; then userpass for phones, then anonymous LAST. There is NO [anonymous]\n; endpoint, so any REGISTER/INVITE matching neither an identify block nor a\n; named endpoint+auth is REJECTED (kills the brute-force REGISTER flood).\n[global]\ntype=global\nendpoint_identifier_order=ip,username,anonymous\n\n; ===== Inbound ACL (defense in depth) =====\n; Single global ACL evaluated by res_pjsip_acl for ALL inbound SIP.\n; Permit LAN + Andrew VPN + Twilio NA signaling blocks; deny everything else.\n; (Twilio inbound arrives post-pfSense-NAT as 10.0.56.14 -> covered by 10.0.0.0/8,\n; but the Twilio blocks are listed explicitly for clarity / future direct peering.)\n[lan-vpn-only]\ntype=acl\ndeny=0.0.0.0/0.0.0.0\npermit=10.0.0.0/255.0.0.0\npermit=10.0.68.0/255.255.255.224\npermit=54.172.60.0/255.255.255.252\npermit=54.172.60.4/255.255.255.252\npermit=54.244.51.0/255.255.255.252\npermit=54.244.51.4/255.255.255.252\npermit=34.203.250.0/255.255.254.0\npermit=54.171.127.192/255.255.255.192\npermit=35.156.191.128/255.255.255.128\npermit=54.65.63.192/255.255.255.192\npermit=54.169.127.128/255.255.255.192\npermit=54.252.254.64/255.255.255.192\npermit=177.71.206.192/255.255.255.192\n\n; ===== Twilio SIP Trunk 
=====\n[twilio-trunk]\ntype=endpoint\ncontext=from-twilio\ntransport=transport-udp\ndisallow=all\nallow=ulaw\nallow=alaw\nallow=g722\naors=twilio-trunk\nfrom_domain=sip.twilio.com\ndirect_media=no\nice_support=no\nrtp_symmetric=yes\nforce_rport=yes\nrewrite_contact=yes\ntrust_id_inbound=yes\n\n[twilio-trunk]\ntype=aor\ncontact=sip:bluejay.pstn.twilio.com\n\n[twilio-trunk]\ntype=identify\nendpoint=twilio-trunk\n; Twilio signaling IPs (labelled North America, but the list appears to include\n; other Twilio regions as well; confirm against Twilio's published ranges).\n; A match here selects the twilio-trunk endpoint, which has no auth= line, so\n; every range listed is trusted to place calls into from-twilio.\n; NOTE(review): the ACL comment says Twilio inbound arrives post-NAT as\n; 10.0.56.14, which none of these match= lines cover; confirm the source address\n; Asterisk actually sees.\nmatch=54.172.60.0/30\nmatch=54.172.60.4/30\nmatch=54.244.51.0/30\nmatch=54.244.51.4/30\nmatch=34.203.250.0/23\nmatch=54.171.127.192/26\nmatch=35.156.191.128/25\nmatch=54.65.63.192/26\nmatch=54.169.127.128/26\nmatch=54.252.254.64/26\nmatch=177.71.206.192/26\n\n; ===== Phone Template (Yealink desk + softphones) =====\n; opus first for the mobile softphones (Family iPhone / Blue Jay Android),\n; ulaw/alaw guarantee interop; g722 wideband for the desk phone.\n; dtmf_mode=rfc4733 is LOAD-BEARING: in-call star codes (*0 etc.) reach the\n; ARI flowercore-pbx app only if DTMF arrives as RFC4733 events. Do NOT change.\n[phone-template](!)\ntype=endpoint\ncontext=from-internal\ntransport=transport-udp\ndisallow=all\nallow=opus\nallow=g722\nallow=ulaw\nallow=alaw\ndirect_media=no\ndtmf_mode=rfc4733\nrtp_symmetric=yes\nforce_rport=yes\nrewrite_contact=yes\n; Advertise the MetalLB VIP (reachable from the phone) for media, so the phone's\n; upstream RTP \u2014 which carries rfc4733 DTMF \u2014 actually reaches Asterisk. 
The RTP\n; range is exposed on the asterisk-sip LoadBalancer (externalTrafficPolicy=Local).\nmedia_address=10.0.57.203\n\n; Extension 100 - Blue Jay's Nest\n[100](phone-template)\nauth=auth100\naors=100\ncallerid=\"Blue Jay's Nest\" <100>\n\n[auth100]\ntype=auth\nauth_type=userpass\nusername=100\npassword=kvNiD1gCeX5DCfTYrapGQxpu2wU7\n\n[100]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; Extension 110 - Family iPhone\n[110](phone-template)\nauth=auth110\naors=110\ncallerid=\"Family iPhone\" <110>\n\n[auth110]\ntype=auth\nauth_type=userpass\nusername=110\npassword=wanVn0oqExl8wUfFJ3hx6BGAcvNF\n\n[110]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; Extension 111 - Blue Jay Android\n[111](phone-template)\nauth=auth111\naors=111\ncallerid=\"Blue Jay Android\" <111>\n\n[auth111]\ntype=auth\nauth_type=userpass\nusername=111\npassword=C14qNz2rDRRgyAsUjrZGAMilLMcO\n\n[111]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; Extension 101 - Office 1\n[101](phone-template)\nauth=auth101\naors=101\ncallerid=\"Office 1\" <101>\n\n[auth101]\ntype=auth\nauth_type=userpass\nusername=101\npassword=knYPbhnWQtfbWJr9hOPUql6InJns\n\n[101]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; Extension 102 - Office 2\n[102](phone-template)\nauth=auth102\naors=102\ncallerid=\"Office 2\" <102>\n\n[auth102]\ntype=auth\nauth_type=userpass\nusername=102\npassword=D0aJY4LFKievwcRszq3TkbkhG1F7\n\n[102]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; Extension 103 - Office 3\n[103](phone-template)\nauth=auth103\naors=103\ncallerid=\"Office 3\" <103>\n\n[auth103]\ntype=auth\nauth_type=userpass\nusername=103\npassword=56I8Q3oNOrd1nQMzWjeqizX0G4UI\n\n[103]\ntype=aor\nmax_contacts=1\nremove_existing=yes\nqualify_frequency=60\n\n; ===== Test endpoints 901-904 (softphone proof harness) 
=====\n[test-endpoint](!)\ntype=endpoint\ncontext=from-internal\ntransport=transport-udp\ndisallow=all\nallow=ulaw\nallow=alaw\ndirect_media=no\nrtp_symmetric=yes\nforce_rport=yes\nrewrite_contact=yes\nmedia_address=10.0.57.203\n\n[901](test-endpoint)\nauth=auth901\naors=901\ncallerid=\"Proof Caller\" <901>\n\n[auth901]\ntype=auth\nauth_type=userpass\nusername=901\npassword=Q0ti3c03K7xuKgMY6svBo9WGx0Rx\n\n[901]\ntype=aor\nmax_contacts=1\nremove_existing=yes\n\n[902](test-endpoint)\nauth=auth902\naors=902\ncallerid=\"Proof Callee\" <902>\n\n[auth902]\ntype=auth\nauth_type=userpass\nusername=902\npassword=uzcOVNn283sMtBtUT15ARY1I4J1K\n\n[902]\ntype=aor\nmax_contacts=1\nremove_existing=yes\n\n[903](test-endpoint)\nauth=auth903\naors=903\ncallerid=\"Proof Endpoint 3\" <903>\n\n[auth903]\ntype=auth\nauth_type=userpass\nusername=903\npassword=oD73km75xk3GzDMXUU8HNo4lIIOx\n\n[903]\ntype=aor\nmax_contacts=1\nremove_existing=yes\n\n[904](test-endpoint)\nauth=auth904\naors=904\ncallerid=\"Proof Endpoint 4\" <904>\n\n[auth904]\ntype=auth\nauth_type=userpass\nusername=904\npassword=EvljdvMTZ7SXkBPRUTWAcSge27Bk\n\n[904]\ntype=aor\nmax_contacts=1\nremove_existing=yes\n", "rtp.conf": "[general]\nrtpstart=10000\nrtpend=10030\nstrictrtp=yes\nicesupport=no\n" }, "kind": "ConfigMap", "metadata": { "name": "asterisk-config", "namespace": "telephony" } }