WIP

2025-10-15 14:26:28 -07:00 · 2025-10-15 14:26:28 -07:00 · f1f2043fba
commit f1f2043fba
parent b91fcb6500
6 changed files with 132 additions and 9 deletions
--- a/hosts/astral/default.nix
+++ b/hosts/astral/default.nix
@ -7,6 +7,7 @@
    agenix.nixosModules.default
    ./forgejo.nix
    ./links.nix
+    ./radicale.nix
    ./vaultwarden.nix
  ];

@ -35,6 +36,11 @@

  services.caddy = {
    enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins =
+        [ "github.com/abiosoft/caddy-exec@v0.0.0-20240914124740-521d8736cb4d" ];
+      hash = "sha256-ef6/x7wjKk0axjX6MfAzTTwPM2FTOTSSyI9zLLrczV0=";
+    };
    virtualHosts = {
      "astral.leaf.ninja".extraConfig = ''
        respond "astral is online"
--- a/hosts/astral/links.nix
+++ b/hosts/astral/links.nix
@ -22,15 +22,15 @@ let
        httpd.serve_forever()
  '';
 in {
-  systemd.services.links-webhook = {
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = "${pkgs.python3}/bin/python3 ${webhookHandler}";
-      Restart = "always";
-    };
-  };
+  # systemd.services.links-webhook = {
+  #   wantedBy = [ "multi-user.target" ];
+  #   after = [ "network.target" ];
+  #   serviceConfig = {
+  #     Type = "simple";
+  #     ExecStart = "${pkgs.python3}/bin/python3 ${webhookHandler}";
+  #     Restart = "always";
+  #   };
+  # };

  services.caddy.virtualHosts.${domain}.extraConfig = ''
    root * ${root}
--- a/hosts/astral/radicale.nix
+++ b/hosts/astral/radicale.nix
@ -0,0 +1,100 @@
+{ pkgs, config, lib, ... }:
+let domain = "radicale.leaf.ninja";
+in {
+  users.users.radicale-sync = {
+    isSystemUser = true;
+    group = "radicale-sync";
+  };
+
+  users.groups.radicale-sync = { };
+
+  age.secrets = {
+    radicale-htpasswd = {
+      file = ./secrets/radicale-htpasswd;
+      mode = "400";
+      owner = "radicale";
+    };
+    radicale-sync-secrets = {
+      file = ./secrets/radicale-sync-secrets.fish;
+      mode = "400";
+      owner = "radicale-sync";
+    };
+  };
+
+  services.radicale = {
+    enable = true;
+    settings = {
+      server.hosts = [ "localhost:5232" ];
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = config.age.secrets.radicale-htpasswd.path;
+        htpasswd_encryption = "plain";
+      };
+    };
+    rights = {
+      root = {
+        user = ".+";
+        collection = "";
+        permissions = "R";
+      };
+      principal = {
+        user = ".+";
+        collection = "{user}";
+        permissions = "RW";
+      };
+      calendars = {
+        user = ".+";
+        collection = "{user}/[^/]+";
+        permissions = "rw";
+      };
+      remote = {
+        user = ".+";
+        collection = "remote/.+";
+        permissions = "r";
+      };
+    };
+  };
+
+  services.caddy.virtualHosts.${domain}.extraConfig = ''
+    reverse_proxy localhost:5232
+  '';
+
+  systemd.timers.radicale-sync = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "5min";
+      OnCalendar = "*-*-* *:0/4:00";
+    };
+  };
+
+  systemd.services.radicale-sync = let
+    radicaleUrl = "http://localhost:5232";
+    remoteCollections = [{
+      collection = "devhack";
+      url = "https://devhack.net/calendar.ics";
+    }];
+    remoteCollectionsFile = pkgs.writers.writeText "remote-collections"
+      (lib.concatMapStringsSep "\n"
+        ({ collection, url }: "${collection} ${url}") remoteCollections);
+    syncScript = pkgs.writers.writeFish "sync.fish" ''
+      alias curl ${lib.getExe pkgs.curl}
+      source ${config.age.secrets.radicale-sync-secrets.path}
+      while read -l name url
+        set tempfile (mktemp)
+        curl -sf $url -o $tempfile
+        curl -sf -u "remote:$password" \
+             -X PUT "${radicaleUrl}/remote/$name" \
+             -H 'Content-Type: text/calendar; charset=utf-8' \
+             --data-binary @$tempfile
+        echo "Uploaded $name"
+      end < ${remoteCollectionsFile}
+    '';
+  in {
+    serviceConfig = {
+      Type = "oneshot";
+      User = "radicale-sync";
+      Group = "radicale-sync";
+      ExecStart = syncScript;
+    };
+  };
+}
--- a/hosts/astral/secrets/radicale-htpasswd
+++ b/hosts/astral/secrets/radicale-htpasswd
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 f+PJrQ iGtaCi4amFijPCydakWm6qo6eYPiRHp5Rrr7TpnRLxo
+MiFAmPkU9gDBYdNqGA9CdYike2n780nQ7o8nAZ0GGtE
+-> ssh-ed25519 nz/vnw FiTGU3HNakVR1VNVyUPdiu+WhEMf9t/ONBgoQRILExA
+TjDSkxA6z1ovqu2mA0G1UY1k29f35HFHDZQWA90XSzM
+--- WK1KjkiLaqH1jN3zIgetSHEe5xEddBYjlt3Qu5Z/Bcg
+„™æ¤Ï¹%sçlmaæ†á@OÔ§ë>
K<ç(<28>š†©CoÕ6ªhÓ–LÁëÉ (ö_›h”ð¶R2ð²ÈŠ"®znp/M¿W}—æÕLò‘‰‘Nàe»ª˜%²’ÂCÌº•¡7?#jè3—Ò‹G? Ã<>X{V%Ym¯æ 
lf™Õ
--- a/hosts/astral/secrets/radicale-sync-secrets.fish
+++ b/hosts/astral/secrets/radicale-sync-secrets.fish
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 f+PJrQ f+4sexgdKNmdc7DQe3h6v8CveCiHN+dLFX0vdMzBOBQ
+/nSP3nPNdxKjOUIn0xzH/ht4QC68aMxCLplP8kIeKr4
+-> ssh-ed25519 nz/vnw ejIzeXNfCDxPhho7426oR6WQWlJxDprp1j90lgCGnmM
+yaq9bU726x5xtHhK7ZQc1Onlg681cSQsSxSCRU/GBAU
+--- UT7B9uDmsNJwTLroGj+JQdKbsOHhgSnnlhMru4tY7/M
+uKÒ¿Tiö,®Mß`‚ø“S4<EFBFBD>÷~–š™6Ï’¿jÓÑçÒ«9Õï$H0dô¡?ñ<>ÒpƒXV%ÙIËJØ˜ "Ò¾dËùâÓWO¹ÓÄ