Remove redundant cursor styling
Some checks failed
Deploy API / deploy (push) Failing after 1s
Deploy UI / deploy (push) Successful in 1s

This commit is contained in:
Your Name 2026-05-19 19:48:13 -04:00
parent 080b4bdaf1
commit b24dd72ae0
93 changed files with 9058 additions and 1 deletions

10
clio-api/.gitignore vendored Normal file
View file

@ -0,0 +1,10 @@
# Python-generated files
__pycache__/
*.py[oc]
build/
dist/
wheels/
*.egg-info
# Virtual environments
.venv

1
clio-api/.python-version Normal file
View file

@ -0,0 +1 @@
3.13

0
clio-api/README.md Normal file
View file

74
clio-api/deploy.sh Executable file
View file

@ -0,0 +1,74 @@
#!/usr/bin/env bash
set -euo pipefail
# Deployment script for phone-recorder server
# Target: thallock@10.0.0.45 (SSH port 2252)
#
# Paths on server:
# Code: /work/hosting/recordings
# Data (db): /work/hosting/recordings/data
# Audio: /media/external/Hosting/Recordings
SERVER_HOST="10.0.0.45"
SERVER_USER="thallock"
SERVER_PORT="2252"
CODE_DIR="/work/hosting/recordings"
DATA_DIR="/work/hosting/recordings/data"
AUDIO_DIR="/media/external/Hosting/Recordings"
SSH_OPTS="-p ${SERVER_PORT}"
SSH_CMD="ssh ${SSH_OPTS} ${SERVER_USER}@${SERVER_HOST}"
RSYNC_SSH="ssh -p ${SERVER_PORT}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
echo "=== Deploying phone-recorder server to ${SERVER_USER}@${SERVER_HOST} ==="
# Sync server code (excluding local data)
echo "Syncing server code..."
rsync -avz --delete \
--exclude '.venv' \
--exclude '__pycache__' \
--exclude '*.pyc' \
--exclude 'recordings/' \
--exclude 'recordings.db' \
--exclude 'keys/' \
--exclude 'data/' \
--exclude '.git' \
--exclude 'nixos/' \
-e "${RSYNC_SSH}" \
"${SCRIPT_DIR}/" \
"${SERVER_USER}@${SERVER_HOST}:${CODE_DIR}/"
echo "Setting up on remote server..."
${SSH_CMD} bash << REMOTE_SCRIPT
set -euo pipefail
# Create directories
mkdir -p ${DATA_DIR}/keys
mkdir -p ${AUDIO_DIR}
cd ${CODE_DIR}
# Sync dependencies
echo "Syncing Python dependencies..."
uv sync
echo ""
echo "=== Server code deployed ==="
echo "Code: ${CODE_DIR}"
echo "Data: ${DATA_DIR}"
echo "Audio: ${AUDIO_DIR}"
echo ""
echo "To install/update systemd service:"
echo " sudo cp ${CODE_DIR}/nixos/phone-recorder.service /etc/systemd/system/"
echo " sudo systemctl daemon-reload"
echo " sudo systemctl enable --now phone-recorder"
echo ""
echo "To check status:"
echo " sudo systemctl status phone-recorder"
echo " curl http://localhost:8000/health"
REMOTE_SCRIPT
echo ""
echo "=== Deployment complete ==="

46
clio-api/nixos/Caddyfile Normal file
View file

@ -0,0 +1,46 @@
# Caddyfile snippet for phone-recorder
# Add this to your global /etc/caddy/Caddyfile
#
# Caddy will automatically obtain and renew HTTPS certificates
recordings.hallocks.xyz {
# Proxy everything to FastAPI
reverse_proxy localhost:8000
# Security headers
header {
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
-Server
}
# Logging for fail2ban
log {
output file /var/log/caddy/recordings.log {
roll_size 10mb
roll_keep 5
}
format json
}
}
# ============================================================
# Other services (for reference when setting them back up):
# ============================================================
# todo.hallocks.xyz {
# reverse_proxy localhost:3456 # Vikunja
# log {
# output file /var/log/caddy/todo.log
# format json
# }
# }
# passwords.hallocks.xyz {
# reverse_proxy localhost:8080 # Vaultwarden
# log {
# output file /var/log/caddy/passwords.log
# format json
# }
# }

View file

@ -0,0 +1,182 @@
# NixOS module for phone-recorder server
# Add to your configuration.nix imports or use as a standalone module
#
# Usage in configuration.nix:
# imports = [ ./phone-recorder.nix ];
# services.phone-recorder.enable = true;
{ config, lib, pkgs, ... }:
let
cfg = config.services.phone-recorder;
in
{
options.services.phone-recorder = {
enable = lib.mkEnableOption "Phone Recorder server";
port = lib.mkOption {
type = lib.types.port;
default = 8000;
description = "Port for the API server";
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/phone-recorder";
description = "Directory for recordings and database";
};
user = lib.mkOption {
type = lib.types.str;
default = "phone-recorder";
description = "User to run the service as";
};
domain = lib.mkOption {
type = lib.types.str;
default = "recordings.hallocks.xyz";
description = "Domain for HTTPS access";
};
enableCaddy = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable Caddy reverse proxy with automatic HTTPS";
};
enableFail2ban = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable fail2ban protection";
};
sourceDir = lib.mkOption {
type = lib.types.path;
default = /home/thallock/phone-recorder;
description = "Path to the server source code";
};
};
config = lib.mkIf cfg.enable {
# Create user and group
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.user;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.user} = {};
# Systemd service
systemd.services.phone-recorder = {
description = "Phone Recorder API Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
HOST = "127.0.0.1"; # Only listen locally, Caddy handles external
PORT = toString cfg.port;
BASE_DIR = toString cfg.sourceDir;
RECORDINGS_DIR = "${cfg.dataDir}/recordings";
DATABASE_PATH = "${cfg.dataDir}/recordings.db";
};
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.user;
WorkingDirectory = cfg.sourceDir;
ExecStart = "${pkgs.uv}/bin/uv run python main.py";
Restart = "always";
RestartSec = 5;
# Hardening
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
PrivateTmp = true;
ReadWritePaths = [ cfg.dataDir ];
};
preStart = ''
mkdir -p ${cfg.dataDir}/recordings
mkdir -p ${cfg.dataDir}/keys
'';
};
# Caddy reverse proxy
services.caddy = lib.mkIf cfg.enableCaddy {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
extraConfig = ''
# API endpoints
handle /api/* {
reverse_proxy localhost:${toString cfg.port}
}
handle /health {
reverse_proxy localhost:${toString cfg.port}
}
# Static frontend (if you have one)
handle {
root * /var/www/recordings-viewer
file_server
try_files {path} /index.html
}
# Security headers
header {
X-Content-Type-Options nosniff
X-Frame-Options DENY
Referrer-Policy strict-origin-when-cross-origin
}
# Rate limiting for uploads
@upload path /api/v1/recordings/upload
handle @upload {
rate_limit {remote.ip} 10r/m
reverse_proxy localhost:${toString cfg.port}
}
# Logging
log {
output file /var/log/caddy/recordings.log
format json
}
'';
};
};
};
# Open firewall
networking.firewall.allowedTCPPorts = [ 80 443 ]
++ lib.optional (!cfg.enableCaddy) cfg.port;
# Fail2ban
services.fail2ban = lib.mkIf cfg.enableFail2ban {
enable = true;
maxretry = 5;
bantime = "1h";
jails = {
caddy-auth = lib.mkIf cfg.enableCaddy ''
enabled = true
filter = caddy-auth
logpath = /var/log/caddy/recordings.log
maxretry = 5
bantime = 3600
'';
};
};
# Fail2ban filter for Caddy
environment.etc."fail2ban/filter.d/caddy-auth.conf" = lib.mkIf (cfg.enableFail2ban && cfg.enableCaddy) {
text = ''
[Definition]
failregex = ^.*"remote_ip":"<HOST>".*"status":40[13].*$
ignoreregex =
'';
};
};
}

View file

@ -0,0 +1,33 @@
# Systemd service file for phone-recorder
# Copy to /etc/systemd/system/phone-recorder.service
# Then: systemctl daemon-reload && systemctl enable --now phone-recorder
[Unit]
Description=Phone Recorder API Server
After=network.target local-fs.target
Wants=network-online.target
[Service]
Type=simple
User=thallock
Group=thallock
WorkingDirectory=/work/hosting/recordings
# Paths
Environment="HOST=0.0.0.0"
Environment="PORT=8000"
Environment="BASE_DIR=/work/hosting/recordings"
Environment="RECORDINGS_DIR=/media/external/Hosting/Recordings"
Environment="DATABASE_PATH=/work/hosting/recordings/data/recordings.db"
Environment="KEYS_DIR=/work/hosting/recordings/data/keys"
ExecStart=/home/thallock/.local/bin/uv run python main.py
Restart=always
RestartSec=5
# Hardening
NoNewPrivileges=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target

View file

@ -0,0 +1,8 @@
fastapi>=0.109.0
uvicorn[standard]>=0.27.0
pynacl>=1.5.0
aiofiles>=23.2.1
python-multipart>=0.0.6
# For testing
requests>=2.31.0