# NixOS module for phone-recorder server # Add to your configuration.nix imports or use as a standalone module # # Usage in configuration.nix: # imports = [ ./phone-recorder.nix ]; # services.phone-recorder.enable = true; { config, lib, pkgs, ... }: let cfg = config.services.phone-recorder; in { options.services.phone-recorder = { enable = lib.mkEnableOption "Phone Recorder server"; port = lib.mkOption { type = lib.types.port; default = 8000; description = "Port for the API server"; }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/phone-recorder"; description = "Directory for recordings and database"; }; user = lib.mkOption { type = lib.types.str; default = "phone-recorder"; description = "User to run the service as"; }; domain = lib.mkOption { type = lib.types.str; default = "recordings.hallocks.xyz"; description = "Domain for HTTPS access"; }; enableCaddy = lib.mkOption { type = lib.types.bool; default = true; description = "Enable Caddy reverse proxy with automatic HTTPS"; }; enableFail2ban = lib.mkOption { type = lib.types.bool; default = true; description = "Enable fail2ban protection"; }; sourceDir = lib.mkOption { type = lib.types.path; default = /home/thallock/phone-recorder; description = "Path to the server source code"; }; }; config = lib.mkIf cfg.enable { # Create user and group users.users.${cfg.user} = { isSystemUser = true; group = cfg.user; home = cfg.dataDir; createHome = true; }; users.groups.${cfg.user} = {}; # Systemd service systemd.services.phone-recorder = { description = "Phone Recorder API Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment = { HOST = "127.0.0.1"; # Only listen locally, Caddy handles external PORT = toString cfg.port; BASE_DIR = toString cfg.sourceDir; RECORDINGS_DIR = "${cfg.dataDir}/recordings"; DATABASE_PATH = "${cfg.dataDir}/recordings.db"; }; serviceConfig = { Type = "simple"; User = cfg.user; Group = cfg.user; WorkingDirectory = cfg.sourceDir; ExecStart = "${pkgs.uv}/bin/uv run python main.py"; Restart = "always"; RestartSec = 5; # Hardening NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = "read-only"; PrivateTmp = true; ReadWritePaths = [ cfg.dataDir ]; }; preStart = '' mkdir -p ${cfg.dataDir}/recordings mkdir -p ${cfg.dataDir}/keys ''; }; # Caddy reverse proxy services.caddy = lib.mkIf cfg.enableCaddy { enable = true; virtualHosts = { "${cfg.domain}" = { extraConfig = '' # API endpoints handle /api/* { reverse_proxy localhost:${toString cfg.port} } handle /health { reverse_proxy localhost:${toString cfg.port} } # Static frontend (if you have one) handle { root * /var/www/recordings-viewer file_server try_files {path} /index.html } # Security headers header { X-Content-Type-Options nosniff X-Frame-Options DENY Referrer-Policy strict-origin-when-cross-origin } # Rate limiting for uploads @upload path /api/v1/recordings/upload handle @upload { rate_limit {remote.ip} 10r/m reverse_proxy localhost:${toString cfg.port} } # Logging log { output file /var/log/caddy/recordings.log format json } ''; }; }; }; # Open firewall networking.firewall.allowedTCPPorts = [ 80 443 ] ++ lib.optional (!cfg.enableCaddy) cfg.port; # Fail2ban services.fail2ban = lib.mkIf cfg.enableFail2ban { enable = true; maxretry = 5; bantime = "1h"; jails = { caddy-auth = lib.mkIf cfg.enableCaddy '' enabled = true filter = caddy-auth logpath = /var/log/caddy/recordings.log maxretry = 5 bantime = 3600 ''; }; }; # Fail2ban filter for Caddy environment.etc."fail2ban/filter.d/caddy-auth.conf" = lib.mkIf (cfg.enableFail2ban && cfg.enableCaddy) { text = '' [Definition] failregex = ^.*"remote_ip":"".*"status":40[13].*$ ignoreregex = ''; }; }; }