feat: add radicale

2025-12-06 09:07:21 +01:00 · 2025-06-29 15:29:26 +02:00 · 2025-06-29 15:29:26 +02:00 · 6b44dcb023
commit 6b44dcb023
parent e39f07eac1
7 changed files with 298 additions and 9 deletions
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -73,6 +73,7 @@ in
            "navidrome.access" = { };
            "freshrss.access" = { };
            "firefly.access" = { };
+            "radicale.access" = { };
          };

          inherit (config.repo.secrets.local) persons;
@ -188,6 +189,11 @@ in
                    "email"
                    "profile"
                  ];
+                  "radicale.access" = [
+                    "openid"
+                    "email"
+                    "profile"
+                  ];
                };
                preferShortUsername = true;
                claimMaps.groups = {
@ -196,6 +202,7 @@ in
                    "freshrss.access" = [ "ttrss_access" ];
                    "navidrome.access" = [ "navidrome_access" ];
                    "firefly.access" = [ "firefly_access" ];
+                    "radicale.access" = [ "radicale_access" ];
                  };
                };
              };
--- a/modules/nixos/server/oauth2-proxy.nix
+++ b/modules/nixos/server/oauth2-proxy.nix
@ -58,8 +58,9 @@ in
                    extraConfig = lib.optionalString locationSubmodule.config.setOauth2Headers ''
                      proxy_set_header X-User         $user;
                      proxy_set_header Remote-User    $user;
+                      proxy_set_header X-Remote-User  $user;
                      proxy_set_header X-Email        $email;
-                      proxy_set_header X-Access-Token $token;
+                      # proxy_set_header X-Access-Token $token;
                      add_header Set-Cookie           $auth_cookie;
                    '' + lib.optionalString locationSubmodule.config.bypassAuth ''
                      auth_request off;
@ -79,7 +80,7 @@ in
                auth_request_set $user  ${config.oauth2.X-User};
                auth_request_set $email ${config.oauth2.X-Email};
                # if you enabled --pass-access-token, this will pass the token to the backend
-                auth_request_set $token ${config.oauth2.X-Access-Token};
+                # auth_request_set $token ${config.oauth2.X-Access-Token};
                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                auth_request_set $auth_cookie $upstream_http_set_cookie;
              '';
--- a/modules/nixos/server/radicale.nix
+++ b/modules/nixos/server/radicale.nix
@ -0,0 +1,107 @@
+{ self, lib, config, ... }:
+let
+  inherit (config.repo.secrets.local.radicale) user1;
+  sopsFile = self + /secrets/winters/secrets2.yaml;
+  serviceDomain = "schedule.swarsel.win";
+  servicePort = 8000;
+  serviceName = "radicale";
+  serviceUser = "radicale";
+  serviceGroup = serviceUser;
+
+  cfg = config.services."${serviceName}";
+in
+{
+  options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
+  config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
+
+    sops = {
+      secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
+
+      templates = {
+        "radicale-users" = {
+          content = ''
+            ${user1}:${config.sops.placeholder.radicale-user}
+          '';
+          owner = serviceUser;
+          group = serviceGroup;
+          mode = "0440";
+        };
+      };
+    };
+
+    topology.self.services.radicale.info = "https://${serviceDomain}";
+
+    services.radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = [
+            "0.0.0.0:${builtins.toString servicePort}"
+            "[::]:${builtins.toString servicePort}"
+          ];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = config.sops.templates.radicale-users.path;
+          htpasswd_encryption = "autodetect";
+        };
+        storage = {
+          filesystem_folder = "/Vault/data/radicale/collections";
+        };
+      };
+      rights = {
+        # all: match authenticated users only
+        root = {
+          user = ".+";
+          collection = "";
+          permissions = "R";
+        };
+        principal = {
+          user = ".+";
+          collection = "{user}";
+          permissions = "RW";
+        };
+        calendars = {
+          user = ".+";
+          collection = "{user}/[^/]+";
+          permissions = "rw";
+        };
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${cfg.settings.storage.filesystem_folder}'        0750 ${serviceUser} ${serviceGroup} - -"
+    ];
+
+    networking.firewall.allowedTCPPorts = [ servicePort ];
+    networking.firewall.allowedUDPPorts = [ servicePort ];
+
+    nodes.moonside.services.nginx = {
+      upstreams = {
+        "${serviceName}" = {
+          servers = {
+            "192.168.1.2:${builtins.toString servicePort}" = { };
+          };
+        };
+      };
+      virtualHosts = {
+        "${serviceDomain}" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          oauth2.enable = false;
+          locations = {
+            "/" = {
+              proxyPass = "http://${serviceName}";
+              extraConfig = ''
+                client_max_body_size 16M;
+              '';
+            };
+          };
+        };
+      };
+    };
+
+  };
+
+}