feat: add radicale

2023-12-22 02:37:14 +01:00 · 2023-12-22 02:37:14 +01:00 · 4cdf17e2ab
commit 4cdf17e2ab
parent aa9ba64bff
4 changed files with 84 additions and 3 deletions
--- a/flake.lock
+++ b/flake.lock
@ -405,11 +405,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1703205251,
-        "narHash": "sha256-V8Uxy/g6WRn+ISgBHjs0IY9ZGqjovguNp2FZ2aL+Oqg=",
+        "lastModified": 1703206032,
+        "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "42374eff1f3ca895d631789e38c04f3f10318abb",
+        "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1",
        "type": "github"
      },
      "original": {
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -94,6 +94,7 @@
      // mkContainer "kanidm"
      // mkContainer "loki"
      // mkContainer "paperless"
+      // mkContainer "radicale"
      // mkContainer "vaultwarden"
    );

--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -0,0 +1,79 @@
+{
+  config,
+  nodes,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+  meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+    8000
+  ];
+
+  nodes.sentinel = {
+    networking.providedDomains.radicale = radicaleDomain;
+
+    services.nginx = {
+      upstreams.radicale = {
+        servers."${config.meta.wireguard.proxy-sentinel.ipv4}:8000" = {};
+        extraConfig = ''
+          zone radicale 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${radicaleDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        extraConfig = ''
+          client_max_body_size 16M;
+        '';
+        locations."/".proxyPass = "http://radicale";
+      };
+    };
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/radicale";
+      user = "radicale";
+      group = "radicale";
+      mode = "0700";
+    }
+  ];
+
+  services.radicale = {
+    enable = true;
+    settings = {
+      server = {
+        hosts = ["0.0.0.0:8000" "[::]:8000"];
+      };
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/etc/radicale/users";
+        htpasswd_encryption = "bcrypt";
+      };
+      storage = {
+        filesystem_folder = "/var/lib/radicale/collections";
+      };
+    };
+    rights = {
+      root = {
+        user = ".+";
+        collection = "";
+        permissions = "R";
+      };
+      principal = {
+        user = ".+";
+        collection = "{user}";
+        permissions = "RW";
+      };
+      calendars = {
+        user = ".+";
+        collection = "{user}/[^/]+";
+        permissions = "rw";
+      };
+    };
+  };
+
+  systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+}
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@ -19,6 +19,7 @@

  nodeName = config.node.name;
 in {
+  # TODO expose exactly what we can configure! not everything
  options.nodes = mkOption {
    default = {};
    description = mdDoc "Allows extending the configuration of other machines.";