Omni/Cloud/Cal.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

{config, ...}: let
  ports = import ./Ports.nix;
  rootDomain = config.networking.domain;
in {
  networking.firewall.allowedTCPPorts = [ports.radicale];

  services.radicale = {
    enable = true;
    rights = {
      # Allow reading root collection for authenticated users
      root = {
        user = ".*";
        collection = "";
        permissions = "R";
      };
      # Allow reading and writing principal collection (same as username)
      principal = {
        user = ".+";
        collection = "{user}";
        permissions = "RW";
      };
      # Make shared collection visible as part of root listing
      shared_principal = {
        user = ".+";
        collection = "shared";
        permissions = "RW";
      };
      # Allow reading and writing calendars and address books that are direct
      # children of the principal collection
      calendars = {
        user = ".+";
        collection = "{user}/[^/]+";
        permissions = "rw";
      };
      # Allow ben full access to shared/ben, repeat this for other shared
      # calendars as needed.
      ben_shared = {
        user = "ben";
        collection = "shared/ben(/.+)?";
        permissions = "rwD";
      };
      # Must be authed to write to the shared collections
      shared_write = {
        user = ".+";
        collection = "shared/[^/]+";
        permissions = "rw";
      };
      # Allow any user to read the shared collection
      shared_read = {
        user = ".+";
        collection = "shared(/.*)?";
        permissions = "r";
      };
    };
    settings = {
      server = {
        hosts = [
          "0.0.0.0:${toString ports.radicale}"
          "[::]:${toString ports.radicale}"
        ];
      };
      auth = {
        type = "htpasswd";
        htpasswd_filename = "/etc/radicale/users";
        htpasswd_encryption = "plain";
      };
    };
  };

  services.nginx.virtualHosts."cal.${rootDomain}" = {
    locations."/".proxyPass = "http://localhost:${toString ports.radicale}";
    forceSSL = true;
    useACMEHost = rootDomain;
    extraConfig = ''
      proxy_set_header  X-Script-Name "";
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  Host $host;
      proxy_pass_header Authorization;
    '';
  };
}