bundles/radicale: introduce

PORT_MAP.md

@@ -43,6 +43,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 22020       | travelynx            | Travelynx Web |
 | 22030       | octoprint            | OctoPrint Web Interface |
 | 22040       | miniflux             | Miniflux Web Interface |
+| 22050       | radicale             | radicale carddav and caldav server |
 | 45923       |                      | grafana |
 
 ## UDP

bundles/radicale/files/config

@@ -0,0 +1,25 @@
+[server]
+hosts = [::1]:22050
+max_connections = 100
+
+[encoding]
+request = utf-8
+stock = utf-8
+
+[auth]
+type = http_x_remote_user
+
+[rights]
+type = owner_only
+
+[storage]
+type = multifilesystem
+filesystem_folder = /var/lib/radicale/collections/
+filesystem_locking = True
+filesystem_fsync = True
+
+[web]
+type = internal
+
+[logging]
+mask_passwords = True

bundles/radicale/files/htpasswd

@@ -0,0 +1,3 @@
+% for user, password in users.items():
+${user}:${password}
+% endfor

bundles/radicale/files/radicale.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=A simple CalDAV (calendar) and CardDAV (contact) server
+After=network.target
+Requires=network.target
+
+[Service]
+ExecStart=/usr/bin/env python3 -m radicale
+Restart=on-failure
+User=radicale
+UMask=0027
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+ReadWritePaths=/var/lib/radicale/collections
+
+[Install]
+WantedBy=multi-user.target

bundles/radicale/items.py

@@ -0,0 +1,41 @@
+directories = {
+    '/var/lib/radicale/collections': {
+        'owner': 'radicale',
+        'group': 'radicale',
+        'mode': '0700',
+    },
+}
+
+files = {
+    '/etc/systemd/system/radicale.service': {
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:radicale:restart',
+        },
+    },
+    '/etc/radicale/config': {
+        'triggers': {
+            'svc_systemd:radicale:restart',
+        },
+    },
+    '/etc/radicale/htpasswd': {
+        'content_type': 'mako',
+        'context': {
+            'users': node.metadata.get('radicale', {}).get('users', {}),
+        },
+        'triggers': {
+            'svc_systemd:radicale:restart',
+        },
+    },
+}
+
+svc_systemd = {
+    'radicale': {
+        'needs': {
+            'file:/etc/systemd/system/radicale.service',
+            'file:/etc/radicale/config',
+            'file:/etc/radicale/htpasswd',
+            'pkg_apt:python3-radicale',
+        },
+    },
+}

bundles/radicale/metadata.py

@@ -0,0 +1,12 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'python3-radicale': {},
+        },
+    },
+    'users': {
+        'radicale': {
+            'home': '/var/lib/radicale',
+        },
+    },
+}

data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu

@@ -1,8 +1,8 @@
     location / {
-        proxy_pass           http://localhost:5232/;
+        proxy_pass           http://[::1]:22050;
         proxy_set_header     X-Script-Name /;
         proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header     X-Remote-User $remote_user;
-        auth_basic           "bleps :o";
+        auth_basic           "Radicale";
         auth_basic_user_file /etc/radicale/htpasswd;
     }

nodes/htz/ex42-1048908.py

@@ -9,6 +9,7 @@ nodes['htz.ex42-1048908'] = {
         'nodejs',
         'riot-web',
         'postgresql',
+        'radicale',
         'travelynx',
         'vmhost',
         'voc-loudness-monitor',
@@ -226,6 +227,11 @@ nodes['htz.ex42-1048908'] = {
             },
             'worker_processes': 4,
         },
+        'radicale': {
+            'users': {
+                'kunsi': vault.decrypt('encrypt$gAAAAABfktUcN5dAS1IP0bQr8Qe54F8UCKLWI3RXscI0xE5he1hx-faiR5grtW4p25mvgxJRw_kDs_dmpahpRztcAjnD8uNEOlFcQefqeVCxyJKsPYiVjN6WsRjAHFd7PoES9gcWln1O'),
+            },
+        },
         'riot-web': {
             'url': 'chat.franzi.business',
             'config': {