182 lines
4.7 KiB
Nix
182 lines
4.7 KiB
Nix
# NixOS module for phone-recorder server
|
|
# Add to your configuration.nix imports or use as a standalone module
|
|
#
|
|
# Usage in configuration.nix:
|
|
# imports = [ ./phone-recorder.nix ];
|
|
# services.phone-recorder.enable = true;
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.services.phone-recorder;
|
|
in
|
|
{
|
|
options.services.phone-recorder = {
|
|
enable = lib.mkEnableOption "Phone Recorder server";
|
|
|
|
port = lib.mkOption {
|
|
type = lib.types.port;
|
|
default = 8000;
|
|
description = "Port for the API server";
|
|
};
|
|
|
|
dataDir = lib.mkOption {
|
|
type = lib.types.path;
|
|
default = "/var/lib/phone-recorder";
|
|
description = "Directory for recordings and database";
|
|
};
|
|
|
|
user = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "phone-recorder";
|
|
description = "User to run the service as";
|
|
};
|
|
|
|
domain = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "recordings.hallocks.xyz";
|
|
description = "Domain for HTTPS access";
|
|
};
|
|
|
|
enableCaddy = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = "Enable Caddy reverse proxy with automatic HTTPS";
|
|
};
|
|
|
|
enableFail2ban = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = "Enable fail2ban protection";
|
|
};
|
|
|
|
sourceDir = lib.mkOption {
|
|
type = lib.types.path;
|
|
default = /home/thallock/phone-recorder;
|
|
description = "Path to the server source code";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# Create user and group
|
|
users.users.${cfg.user} = {
|
|
isSystemUser = true;
|
|
group = cfg.user;
|
|
home = cfg.dataDir;
|
|
createHome = true;
|
|
};
|
|
users.groups.${cfg.user} = {};
|
|
|
|
# Systemd service
|
|
systemd.services.phone-recorder = {
|
|
description = "Phone Recorder API Server";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = {
|
|
HOST = "127.0.0.1"; # Only listen locally, Caddy handles external
|
|
PORT = toString cfg.port;
|
|
BASE_DIR = toString cfg.sourceDir;
|
|
RECORDINGS_DIR = "${cfg.dataDir}/recordings";
|
|
DATABASE_PATH = "${cfg.dataDir}/recordings.db";
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = cfg.user;
|
|
Group = cfg.user;
|
|
WorkingDirectory = cfg.sourceDir;
|
|
ExecStart = "${pkgs.uv}/bin/uv run python main.py";
|
|
Restart = "always";
|
|
RestartSec = 5;
|
|
|
|
# Hardening
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = "read-only";
|
|
PrivateTmp = true;
|
|
ReadWritePaths = [ cfg.dataDir ];
|
|
};
|
|
|
|
preStart = ''
|
|
mkdir -p ${cfg.dataDir}/recordings
|
|
mkdir -p ${cfg.dataDir}/keys
|
|
'';
|
|
};
|
|
|
|
# Caddy reverse proxy
|
|
services.caddy = lib.mkIf cfg.enableCaddy {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"${cfg.domain}" = {
|
|
extraConfig = ''
|
|
# API endpoints
|
|
handle /api/* {
|
|
reverse_proxy localhost:${toString cfg.port}
|
|
}
|
|
handle /health {
|
|
reverse_proxy localhost:${toString cfg.port}
|
|
}
|
|
|
|
# Static frontend (if you have one)
|
|
handle {
|
|
root * /var/www/recordings-viewer
|
|
file_server
|
|
try_files {path} /index.html
|
|
}
|
|
|
|
# Security headers
|
|
header {
|
|
X-Content-Type-Options nosniff
|
|
X-Frame-Options DENY
|
|
Referrer-Policy strict-origin-when-cross-origin
|
|
}
|
|
|
|
# Rate limiting for uploads
|
|
@upload path /api/v1/recordings/upload
|
|
handle @upload {
|
|
rate_limit {remote.ip} 10r/m
|
|
reverse_proxy localhost:${toString cfg.port}
|
|
}
|
|
|
|
# Logging
|
|
log {
|
|
output file /var/log/caddy/recordings.log
|
|
format json
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
# Open firewall
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ]
|
|
++ lib.optional (!cfg.enableCaddy) cfg.port;
|
|
|
|
# Fail2ban
|
|
services.fail2ban = lib.mkIf cfg.enableFail2ban {
|
|
enable = true;
|
|
maxretry = 5;
|
|
bantime = "1h";
|
|
|
|
jails = {
|
|
caddy-auth = lib.mkIf cfg.enableCaddy ''
|
|
enabled = true
|
|
filter = caddy-auth
|
|
logpath = /var/log/caddy/recordings.log
|
|
maxretry = 5
|
|
bantime = 3600
|
|
'';
|
|
};
|
|
};
|
|
|
|
# Fail2ban filter for Caddy
|
|
environment.etc."fail2ban/filter.d/caddy-auth.conf" = lib.mkIf (cfg.enableFail2ban && cfg.enableCaddy) {
|
|
text = ''
|
|
[Definition]
|
|
failregex = ^.*"remote_ip":"<HOST>".*"status":40[13].*$
|
|
ignoreregex =
|
|
'';
|
|
};
|
|
};
|
|
}
|