radicale

2026-04-14 15:07:25 +02:00
parent 4390a02e46
commit b3ff52d668
5 changed files with 91 additions and 14 deletions
@@ -102,8 +102,6 @@ let
    );
 in
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
  services.nginx.virtualHosts = mailDiscoveryVirtualHosts // {
    ${config.mailserver.fqdn}.enableACME = true;
  };
@@ -1,7 +1,15 @@
 {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "postmaster@billenius.com";
+  };
+
  imports = [
    ./autodiscover.nix
    ./mail.nix
+    ./radicale.nix
    ./roundcube.nix
  ];
 }
@@ -1,10 +1,5 @@
 { ... }:
 {
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "postmaster@billenius.com";
-  };
-
  mailserver = {
    enable = true;
    fqdn = "mail.billenius.com";
@@ -12,7 +7,7 @@
    certificateScheme = "acme";

    # A list of all login accounts. To create the password hashes, use
-    # nix-shell -p mkpasswd --run 'mkpasswd -s'
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "love@billenius.com" = {
        hashedPasswordFile = "${../../../resources/mail-server}/love@billenius.com";
@@ -23,7 +18,10 @@
      enable = true;
      autoIndex = true;
      enforced = "body";
-      autoIndexExclude = [ "Trash" "\\Junk" ];
+      autoIndexExclude = [
+        "Trash"
+        "\\Junk"
+      ];
    };
  };
 }
@@ -0,0 +1,78 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  domain = builtins.head config.mailserver.domains;
+  radicaleHost = "cal.${domain}";
+  mailAccounts = config.mailserver.loginAccounts;
+  discoveryHosts = lib.unique (
+    config.mailserver.domains
+    ++ [
+      config.mailserver.fqdn
+      radicaleHost
+    ]
+  );
+
+  accountHash =
+    mail: account:
+    if account ? hashedPassword then
+      account.hashedPassword
+    else if account ? hashedPasswordFile then
+      lib.removeSuffix "\n" (builtins.readFile account.hashedPasswordFile)
+    else
+      throw "Radicale requires ${mail} to define hashedPassword or hashedPasswordFile";
+
+  htpasswd = pkgs.writeText "radicale.users" (
+    lib.concatStrings (
+      lib.mapAttrsToList (mail: account: "${mail}:${accountHash mail account}\n") mailAccounts
+    )
+  );
+
+  mkWellKnownLocations = {
+    "/.well-known/caldav".return = "301 https://${radicaleHost}/";
+    "/.well-known/carddav".return = "301 https://${radicaleHost}/";
+  };
+
+  discoveryVirtualHosts = lib.listToAttrs (
+    map (host: {
+      name = host;
+      value = {
+        enableACME = true;
+        forceSSL = true;
+        locations = mkWellKnownLocations;
+      };
+    }) discoveryHosts
+  );
+in
+{
+  services.radicale = {
+    enable = true;
+    settings = {
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = htpasswd;
+        htpasswd_encryption = "bcrypt";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts = discoveryVirtualHosts // {
+    ${radicaleHost} = {
+      enableACME = true;
+      forceSSL = true;
+      locations = mkWellKnownLocations // {
+        "/" = {
+          proxyPass = "http://127.0.0.1:5232/";
+          extraConfig = ''
+            proxy_set_header X-Script-Name /;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass_header Authorization;
+          '';
+        };
+      };
+    };
+  };
+}
@@ -38,9 +38,4 @@
    enableACME = true;
    forceSSL = true;
  };
-
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
 }