From 932c9c17f2ade0738195ac6488f29a89dfc2d7bd Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Sun, 12 Apr 2026 16:15:52 -0400
Subject: [PATCH] traccar: replace owntracks with traccar

---
 configuration.nix    |  2 ++
 service-configs.nix  | 12 ++++++++++++
 services/traccar.nix | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 services/traccar.nix

diff --git a/configuration.nix b/configuration.nix
index 79f0159..3c0fdf6 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -73,6 +73,8 @@
     ./services/harmonia.nix
 
     ./services/ddns-updater.nix
+
+    ./services/traccar.nix
   ];
 
   # Hosts entries for CI/CD deploy targets
diff --git a/service-configs.nix b/service-configs.nix
index 4cb200d..77fecca 100644
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -68,6 +68,10 @@ rec {
         port = 64738;
         proto = "both";
       };
+      traccar_tracking = {
+        port = 5056;
+        proto = "tcp";
+      };
     };
 
     # Ports bound to localhost / VPN only. The flake asserts none of
@@ -197,6 +201,10 @@ rec {
         port = 5500;
         proto = "tcp";
       };
+      traccar_web = {
+        port = 8082;
+        proto = "tcp";
+      };
     };
   };
 
@@ -330,6 +338,10 @@ rec {
     dataDir = services_dir + "/trilium";
   };
 
+  traccar = {
+    domain = "traccar.${https.domain}";
+  };
+
   media = {
     moviesDir = torrents_path + "/media/movies";
     tvDir = torrents_path + "/media/tv";
diff --git a/services/traccar.nix b/services/traccar.nix
new file mode 100644
index 0000000..4c43aa2
--- /dev/null
+++ b/services/traccar.nix
@@ -0,0 +1,36 @@
+{
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "traccar" service_configs.zpool_ssds [
+      "/var/lib/private/traccar"
+    ])
+    (lib.serviceFilePerms "traccar" [
+      "Z /var/lib/private/traccar 0700 root root"
+    ])
+    (lib.mkCaddyReverseProxy {
+      subdomain = "traccar";
+      port = service_configs.ports.private.traccar_web.port;
+    })
+  ];
+
+  services.traccar = {
+    enable = true;
+    settings = {
+      web.port = toString service_configs.ports.private.traccar_web.port;
+
+      # Only enable OsmAnd protocol (phone app). Prevents Traccar from
+      # opening 200+ default protocol ports that conflict with other services.
+      protocols.enable = "osmand";
+      osmand.port = toString service_configs.ports.public.traccar_tracking.port;
+    };
+  };
+
+  # OsmAnd tracking port must be reachable from the internet for the phone app
+  networking.firewall.allowedTCPPorts = [
+    service_configs.ports.public.traccar_tracking.port
+  ];
+}