Refactor radicale setup

2025-04-06 09:34:33 +02:00 · 2025-04-06 09:34:33 +02:00 · 634bd0433f
commit 634bd0433f
parent a5e6468cb4
19 changed files with 214 additions and 564 deletions
--- a/templates/network/hosts.j2
+++ b/templates/network/hosts.j2
@ -7,3 +7,4 @@
 {{ vpn_media_listen_address }}    {{ vpn_media_domain }}
 {{ transmission_nginx_ip }}       {{ transmission_domain }}
 {{ syncthing_nginx_ip }}          {{ syncthing_domain }}
+{{ radicale_nginx_ip }}           {{ radicale_domain }}
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@ -54,11 +54,13 @@ table ip filter {

    tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS"

-    tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
+    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"

    tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
    tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"

+    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale"
+
    tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD"
    tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream"
    tcp dport {{ mpd_http_mobile_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP mobile stream"
@ -80,5 +82,6 @@ table ip filter {
  chain DOCKER-USER {
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept
+    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept
  }
 }
--- a/templates/nginx/vpn.j2
+++ b/templates/nginx/vpn.j2
@ -11,7 +11,7 @@ server {
 	error_log /var/log/nginx/vpn_error.log;

 	location /radicale/ {
-		proxy_pass https://127.0.0.1:{{ radicale_port }}/;
+		proxy_pass https://127.0.0.1:{{ radicale_app_port }}/;

 		proxy_set_header     X-Script-Name /radicale;
 		proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/templates/radicale/conf.j2
+++ b/templates/radicale/conf.j2
@ -1,14 +1,14 @@
 # {{ ansible_managed }}

 [server]
-ssl = True
-certificate = {{ radicale_certificate_path }}
-key = {{ radicale_key_path }}
-certificate_authority = {{ radicale_certificate_authority_path }}
-hosts = {{ radicale_listen_addres }}:{{ radicale_port }}
+ssl = False
+hosts = 0.0.0.0:{{ radicale_app_port }}

 [storage]
-filesystem_folder = {{ radicale_storage_path }}
+filesystem_folder = /app/collections

 [auth]
-type = http_x_remote_user
+type = htpasswd
+htpasswd_filename = /app/radicale_users
+htpasswd_encryption = sha512
+cache_logins = True
--- a/templates/radicale/docker-compose.j2
+++ b/templates/radicale/docker-compose.j2
@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+
+networks:
+  radicale-net:
+    ipam:
+      config:
+        - subnet: '{{ radicale_subnet }}'
+
+services:
+  radicale:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RADICALE_VERSION: {{ radicale_version }}
+        PYTHON_VERSION: {{ radicale_python_version }}
+    restart: always
+    networks:
+      radicale-net:
+        ipv4_address: {{ radicale_app_ip }}
+    healthcheck:
+      test: curl \
+        --fail \
+        --insecure \
+        --max-time 2 \
+        http://radicale:{{ radicale_app_port }}
+      start_period: 10s
+      interval: 1m
+      timeout: 10s
+      retries: 3
+    volumes:
+      - '{{ radicale_collection_dir }}:/app/collections'
+
+  nginx:
+    image: nginx:mainline-alpine
+    depends_on:
+      - radicale
+    restart: always
+    networks:
+      radicale-net:
+        ipv4_address: {{ radicale_nginx_ip }}
+    volumes:
+      - '{{ radicale_app_dir }}/nginx.conf.d:/etc/nginx/conf.d'
--- a/templates/radicale/dockerfile.j2
+++ b/templates/radicale/dockerfile.j2
@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+ARG PYTHON_VERSION=3.13
+
+FROM python:$PYTHON_VERSION
+
+ARG RADICALE_VERSION
+
+RUN apt update && apt install apache2-utils
+RUN pip install Radicale==$RADICALE_VERSION
+
+WORKDIR /app
+
+COPY ./config ./radicale_users /app/
+
+VOLUME ["/root/.cache/pip", "/var/cache/apt/archives"]
+
+EXPOSE {{ radicale_app_port }}
+
+CMD ["/usr/local/bin/radicale", "--config=/app/config"]
--- a/templates/radicale/nginx.j2
+++ b/templates/radicale/nginx.j2
@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+upstream radicale-upstream {
+    server radicale:{{ radicale_app_port }};
+}
+
+server {
+  listen 80;
+  server_name {{ radicale_domain }};
+
+  location / {
+    proxy_pass        http://radicale-upstream;
+    proxy_set_header  X-Script-Name /radicale;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Host $host;
+    proxy_set_header  X-Forwarded-Port $server_port;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_set_header  Host $http_host;
+    proxy_pass_header Authorization;
+  }
+}
--- a/templates/radicale/service.j2
+++ b/templates/radicale/service.j2
@ -1,24 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=A simple CalDAV (calendar) and CardDAV (contact) server
-After=network.target
-Requires=network.target
-
-[Service]
-ExecStart=/usr/local/lib/radicale/env/bin/radicale
-User=radicale
-Restart=on-failure
-UMask=0027
-PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-PrivateDevices=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-NoNewPrivileges=true
-ReadWritePaths=/etc/radicale/collections
-
-[Install]
-WantedBy=multi-user.target
--- a/templates/radicale/sudoers.j2
+++ b/templates/radicale/sudoers.j2
@ -1 +0,0 @@
-sonny    ALL=(radicale) NOPASSWD: ALL