Initial commit: avc-phone-ai codebase + CLAUDE.md

This commit is contained in:
tocmo0nlord
2026-06-23 22:38:22 +00:00
parent 4bf72b9616
commit c3c719b77e
16 changed files with 1491 additions and 0 deletions

View File

@@ -0,0 +1,58 @@
# nginx reverse proxy for the AVC phone agent.
# Terminates TLS for voip.activeblue.net and proxies to the app on 127.0.0.1:8200,
# forwarding the /ws WebSocket (Twilio Media Stream) with long timeouts.
#
# Install:
# sudo cp deploy/nginx-voip.activeblue.net.conf /etc/nginx/sites-available/voip.activeblue.net
# sudo cp deploy/nginx-ws-upgrade.conf /etc/nginx/conf.d/ws-upgrade.conf
# sudo ln -s /etc/nginx/sites-available/voip.activeblue.net /etc/nginx/sites-enabled/
# sudo nginx -t && sudo systemctl reload nginx
# (Get the cert FIRST — see README — or the 443 block fails to load.)
# ── HTTP :80 — ACME challenge + redirect everything else to HTTPS ─────────────
server {
listen 80;
listen [::]:80;
server_name voip.activeblue.net;
# Let's Encrypt HTTP-01 webroot challenge (served, not redirected).
location /.well-known/acme-challenge/ {
root /var/www/html;
}
location / {
return 301 https://$host$request_uri;
}
}
# ── HTTPS :443 — TLS termination + proxy to the app ──────────────────────────
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name voip.activeblue.net;
ssl_certificate /etc/letsencrypt/live/voip.activeblue.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/voip.activeblue.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Twilio Media Streams hold the WebSocket open for the whole call — allow it.
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
location / {
proxy_pass http://127.0.0.1:8200;
proxy_http_version 1.1;
# WebSocket upgrade (for /ws). $connection_upgrade comes from ws-upgrade.conf.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@@ -0,0 +1,8 @@
# Maps the Connection header for WebSocket proxying. Goes in /etc/nginx/conf.d/ so it
# lives in the http{} context (a `map` can't go inside a server/location block).
# When a request carries `Upgrade: websocket`, send `Connection: upgrade`; otherwise
# `Connection: close`. Used by the voip.activeblue.net vhost for the /ws media stream.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

43
deploy/setup-tls.sh Executable file
View File

@@ -0,0 +1,43 @@
#!/usr/bin/env bash
# One-shot TLS + nginx reverse-proxy setup for the AVC phone agent.
# RUN AS ROOT: sudo bash deploy/setup-tls.sh
#
# Prerequisites (must be true BEFORE running):
# - DNS: voip.activeblue.net -> your WAN IP (done: 66.23.239.222)
# - Router forwards external 80 AND 443 -> this box (10.10.1.221)
# - nginx running with its default :80 site (used to answer the ACME challenge)
#
# What it does: installs certbot, gets a Let's Encrypt cert via the webroot challenge
# (served by the existing default :80 site), installs the vhost + ws-upgrade map, then
# tests and reloads nginx. Idempotent-ish; safe to re-run.
set -euo pipefail
DOMAIN="voip.activeblue.net"
EMAIL="mr.garcia09@gmail.com"
APP_DIR="/home/tocmo0nlord/avc-phone"
WEBROOT="/var/www/html"
if [ "$(id -u)" -ne 0 ]; then echo "Run as root (sudo)."; exit 1; fi
echo "==> 1/4 install certbot"
if ! command -v certbot >/dev/null 2>&1; then
apt-get update && apt-get install -y certbot
fi
echo "==> 2/4 obtain certificate for $DOMAIN (webroot challenge)"
mkdir -p "$WEBROOT/.well-known/acme-challenge"
certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
--non-interactive --agree-tos -m "$EMAIL" --keep-until-expiring
echo "==> 3/4 install nginx vhost + ws-upgrade map"
cp "$APP_DIR/deploy/nginx-ws-upgrade.conf" /etc/nginx/conf.d/ws-upgrade.conf
cp "$APP_DIR/deploy/nginx-voip.activeblue.net.conf" /etc/nginx/sites-available/voip.activeblue.net
ln -sf /etc/nginx/sites-available/voip.activeblue.net /etc/nginx/sites-enabled/voip.activeblue.net
echo "==> 4/4 test + reload nginx"
nginx -t
systemctl reload nginx
echo
echo "Done. Verify: curl https://$DOMAIN/health"
echo "Cert auto-renews via the certbot systemd timer; nginx reload on renew is handled by certbot's deploy hook."