This commit is contained in:
parent
ab3a76cd0f
commit
56d8fb4d56
85 changed files with 8879 additions and 0 deletions
46
clio-infra/nixos/Caddyfile
Normal file
46
clio-infra/nixos/Caddyfile
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
# Caddyfile snippet for phone-recorder
|
||||
# Add this to your global /etc/caddy/Caddyfile
|
||||
#
|
||||
# Caddy will automatically obtain and renew HTTPS certificates
|
||||
|
||||
recordings.hallocks.xyz {
|
||||
# Proxy everything to FastAPI
|
||||
reverse_proxy localhost:8000
|
||||
|
||||
# Security headers
|
||||
header {
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options SAMEORIGIN
|
||||
Referrer-Policy strict-origin-when-cross-origin
|
||||
-Server
|
||||
}
|
||||
|
||||
# Logging for fail2ban
|
||||
log {
|
||||
output file /var/log/caddy/recordings.log {
|
||||
roll_size 10mb
|
||||
roll_keep 5
|
||||
}
|
||||
format json
|
||||
}
|
||||
}
|
||||
|
||||
# ============================================================
|
||||
# Other services (for reference when setting them back up):
|
||||
# ============================================================
|
||||
|
||||
# todo.hallocks.xyz {
|
||||
# reverse_proxy localhost:3456 # Vikunja
|
||||
# log {
|
||||
# output file /var/log/caddy/todo.log
|
||||
# format json
|
||||
# }
|
||||
# }
|
||||
|
||||
# passwords.hallocks.xyz {
|
||||
# reverse_proxy localhost:8080 # Vaultwarden
|
||||
# log {
|
||||
# output file /var/log/caddy/passwords.log
|
||||
# format json
|
||||
# }
|
||||
# }
|
||||
182
clio-infra/nixos/phone-recorder.nix
Normal file
182
clio-infra/nixos/phone-recorder.nix
Normal file
|
|
@ -0,0 +1,182 @@
|
|||
# NixOS module for phone-recorder server
|
||||
# Add to your configuration.nix imports or use as a standalone module
|
||||
#
|
||||
# Usage in configuration.nix:
|
||||
# imports = [ ./phone-recorder.nix ];
|
||||
# services.phone-recorder.enable = true;
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.phone-recorder;
|
||||
in
|
||||
{
|
||||
options.services.phone-recorder = {
|
||||
enable = lib.mkEnableOption "Phone Recorder server";
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 8000;
|
||||
description = "Port for the API server";
|
||||
};
|
||||
|
||||
dataDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/phone-recorder";
|
||||
description = "Directory for recordings and database";
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "phone-recorder";
|
||||
description = "User to run the service as";
|
||||
};
|
||||
|
||||
domain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "recordings.hallocks.xyz";
|
||||
description = "Domain for HTTPS access";
|
||||
};
|
||||
|
||||
enableCaddy = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Enable Caddy reverse proxy with automatic HTTPS";
|
||||
};
|
||||
|
||||
enableFail2ban = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Enable fail2ban protection";
|
||||
};
|
||||
|
||||
sourceDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = /home/thallock/phone-recorder;
|
||||
description = "Path to the server source code";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Create user and group
|
||||
users.users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
group = cfg.user;
|
||||
home = cfg.dataDir;
|
||||
createHome = true;
|
||||
};
|
||||
users.groups.${cfg.user} = {};
|
||||
|
||||
# Systemd service
|
||||
systemd.services.phone-recorder = {
|
||||
description = "Phone Recorder API Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = {
|
||||
HOST = "127.0.0.1"; # Only listen locally, Caddy handles external
|
||||
PORT = toString cfg.port;
|
||||
BASE_DIR = toString cfg.sourceDir;
|
||||
RECORDINGS_DIR = "${cfg.dataDir}/recordings";
|
||||
DATABASE_PATH = "${cfg.dataDir}/recordings.db";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.user;
|
||||
WorkingDirectory = cfg.sourceDir;
|
||||
ExecStart = "${pkgs.uv}/bin/uv run python main.py";
|
||||
Restart = "always";
|
||||
RestartSec = 5;
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = "read-only";
|
||||
PrivateTmp = true;
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
mkdir -p ${cfg.dataDir}/recordings
|
||||
mkdir -p ${cfg.dataDir}/keys
|
||||
'';
|
||||
};
|
||||
|
||||
# Caddy reverse proxy
|
||||
services.caddy = lib.mkIf cfg.enableCaddy {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"${cfg.domain}" = {
|
||||
extraConfig = ''
|
||||
# API endpoints
|
||||
handle /api/* {
|
||||
reverse_proxy localhost:${toString cfg.port}
|
||||
}
|
||||
handle /health {
|
||||
reverse_proxy localhost:${toString cfg.port}
|
||||
}
|
||||
|
||||
# Static frontend (if you have one)
|
||||
handle {
|
||||
root * /var/www/recordings-viewer
|
||||
file_server
|
||||
try_files {path} /index.html
|
||||
}
|
||||
|
||||
# Security headers
|
||||
header {
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options DENY
|
||||
Referrer-Policy strict-origin-when-cross-origin
|
||||
}
|
||||
|
||||
# Rate limiting for uploads
|
||||
@upload path /api/v1/recordings/upload
|
||||
handle @upload {
|
||||
rate_limit {remote.ip} 10r/m
|
||||
reverse_proxy localhost:${toString cfg.port}
|
||||
}
|
||||
|
||||
# Logging
|
||||
log {
|
||||
output file /var/log/caddy/recordings.log
|
||||
format json
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Open firewall
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ]
|
||||
++ lib.optional (!cfg.enableCaddy) cfg.port;
|
||||
|
||||
# Fail2ban
|
||||
services.fail2ban = lib.mkIf cfg.enableFail2ban {
|
||||
enable = true;
|
||||
maxretry = 5;
|
||||
bantime = "1h";
|
||||
|
||||
jails = {
|
||||
caddy-auth = lib.mkIf cfg.enableCaddy ''
|
||||
enabled = true
|
||||
filter = caddy-auth
|
||||
logpath = /var/log/caddy/recordings.log
|
||||
maxretry = 5
|
||||
bantime = 3600
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Fail2ban filter for Caddy
|
||||
environment.etc."fail2ban/filter.d/caddy-auth.conf" = lib.mkIf (cfg.enableFail2ban && cfg.enableCaddy) {
|
||||
text = ''
|
||||
[Definition]
|
||||
failregex = ^.*"remote_ip":"<HOST>".*"status":40[13].*$
|
||||
ignoreregex =
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
33
clio-infra/nixos/phone-recorder.service
Normal file
33
clio-infra/nixos/phone-recorder.service
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
# Systemd service file for phone-recorder
|
||||
# Copy to /etc/systemd/system/phone-recorder.service
|
||||
# Then: systemctl daemon-reload && systemctl enable --now phone-recorder
|
||||
|
||||
[Unit]
|
||||
Description=Phone Recorder API Server
|
||||
After=network.target local-fs.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=thallock
|
||||
Group=thallock
|
||||
WorkingDirectory=/work/hosting/recordings
|
||||
|
||||
# Paths
|
||||
Environment="HOST=0.0.0.0"
|
||||
Environment="PORT=8000"
|
||||
Environment="BASE_DIR=/work/hosting/recordings"
|
||||
Environment="RECORDINGS_DIR=/media/external/Hosting/Recordings"
|
||||
Environment="DATABASE_PATH=/work/hosting/recordings/data/recordings.db"
|
||||
Environment="KEYS_DIR=/work/hosting/recordings/data/keys"
|
||||
|
||||
ExecStart=/home/thallock/.local/bin/uv run python main.py
|
||||
Restart=always
|
||||
RestartSec=5
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Loading…
Add table
Add a link
Reference in a new issue