# radicale
cardDAV and calDAV server

Access on android clients with DAVx5, linux with pimsync


# Configuration
Relevant config with htpasswd auth
`/etc/radicale/config`
```sh
[auth]
type = htpasswd
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = autodetect

cache_logins = true
cache_successful_logins_expiry = 30


[rights]
type = from_file
file = /etc/radicale/rights


[storage]
filesystem_folder = /var/lib/radicale/collections
```

Create a new htpasswd file with the user "user1" using SHA-512 as hash method
`htpasswd -B -c /path/to/users user1`
Add another user
`htpasswd -B /path/to/users user2`



## Nginx
Reverse proxy with mTLS (client certificate) auth 
```nginx
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name dav.ctq.ro;

        client_max_body_size 100M;

        log_not_found on;

        ## "well-known" redirect
        rewrite ^/.well-known/carddav /radicale/ redirect;
        rewrite ^/.well-known/caldav /radicale/ redirect;

        ## Base URI: /radicale/
        location /radicale/ {
                if ($ssl_client_verify != SUCCESS) {
                        return 418;
                }

                proxy_pass        http://localhost:5232;
                proxy_set_header  X-Script-Name /radicale;
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Host $host;
                proxy_set_header  X-Forwarded-Port $server_port;
                proxy_set_header  X-Forwarded-Proto $scheme;
                proxy_set_header  Host $http_host;
                proxy_pass_header Authorization;
	}

        # client certificate
        ssl_client_certificate /etc/ssl/orion-ca/ca.crt;
        ssl_verify_client optional;

        # orion config set
        include orion/orion.conf;

        ssl_certificate /etc/letsencrypt/live/ctq.ro/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ctq.ro/privkey.pem; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
```

# PAM auth
Alternative auth method
Untested

login through PAM with python3-pampy, need to add radicale to shadow with `usermod -aG radicale shadow`


See also
--------
https://radicale.org/v3.html#simple-5-minute-setup

See https://github.com/lpirl/radicale_auth_pam for PAM auth