feat: add radicale

2023-12-22 02:37:14 +01:00 · 2023-12-22 02:37:14 +01:00 · 4cdf17e2ab
commit 4cdf17e2ab
parent aa9ba64bff
4 changed files with 84 additions and 3 deletions
--- a/flake.lock
+++ b/flake.lock
@ -405,11 +405,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1703205251,
+        "lastModified": 1703206032,
-        "narHash": "sha256-V8Uxy/g6WRn+ISgBHjs0IY9ZGqjovguNp2FZ2aL+Oqg=",
+        "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "42374eff1f3ca895d631789e38c04f3f10318abb",
+        "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1",
        "type": "github"
      },
      "original": {
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -94,6 +94,7 @@
      // mkContainer "kanidm"
      // mkContainer "loki"
      // mkContainer "paperless"
      // mkContainer "radicale"
      // mkContainer "vaultwarden"
    );
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -0,0 +1,79 @@
 {
  config,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
 in {
  meta.wireguard-proxy.sentinel.allowedTCPPorts = [
    8000
  ];
  nodes.sentinel = {
    networking.providedDomains.radicale = radicaleDomain;
    services.nginx = {
      upstreams.radicale = {
        servers."${config.meta.wireguard.proxy-sentinel.ipv4}:8000" = {};
        extraConfig = ''
          zone radicale 64k;
          keepalive 2;
        '';
      };
      virtualHosts.${radicaleDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
        extraConfig = ''
          client_max_body_size 16M;
        '';
        locations."/".proxyPass = "http://radicale";
      };
    };
  };
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/radicale";
      user = "radicale";
      group = "radicale";
      mode = "0700";
    }
  ];
  services.radicale = {
    enable = true;
    settings = {
      server = {
        hosts = ["0.0.0.0:8000" "[::]:8000"];
      };
      auth = {
        type = "htpasswd";
        htpasswd_filename = "/etc/radicale/users";
        htpasswd_encryption = "bcrypt";
      };
      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
    };
    rights = {
      root = {
        user = ".+";
        collection = "";
        permissions = "R";
      };
      principal = {
        user = ".+";
        collection = "{user}";
        permissions = "RW";
      };
      calendars = {
        user = ".+";
        collection = "{user}/[^/]+";
        permissions = "rw";
      };
    };
  };
  systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
 }
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@ -19,6 +19,7 @@
  nodeName = config.node.name;
 in {
  # TODO expose exactly what we can configure! not everything
  options.nodes = mkOption {
    default = {};
    description = mdDoc "Allows extending the configuration of other machines.";