Radicale

Radicale is a lightweight open-source CalDAV/CardDAV server that stores calendars and contacts as plain files on the filesystem, enabling simple self-hosted synchronization with standard clients.

Limitations

Since the 3.x release (introduced in NixOS 20.09), Radicale no longer supports traditional crypt() password hashes. To give existing mailserver.accounts access, the hash stored in hashedPassword must have been created with a method that matches one of the available htpasswd_encryption methods (the configuration below uses bcrypt). Such hashes can, for example, be created with:

nix-shell -p mkpasswd --command "mkpasswd -m bcrypt"

Code

Configuration contributed by Robert Schütz (@dotlambda).

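# NixOS module: runs Radicale behind an nginx TLS reverse proxy and lets the
# accounts from `config.mailserver.accounts` log in with their existing
# password hashes.
{
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib)
    concatStrings
    flip
    mapAttrsToList
    ;

  mailAccounts = config.mailserver.accounts;

  # htpasswd file with one "<mail address>:<hash>" line per account.
  # The separator must be a bare ":"; the earlier "${mail}+:" form appended a
  # literal "+" to every login name, so no account could authenticate under
  # its real address.
  #
  # NOTE(review): pkgs.writeText places this file in the Nix store, which is
  # readable by every local user. The hashes are already part of the
  # evaluated configuration through hashedPassword, but treat them as exposed
  # to local accounts and keep them strong (bcrypt, see below).
  # NOTE(review): assumes every account sets hashedPassword as a string; an
  # account without one would break the interpolation. Confirm against the
  # mailserver module's account options.
  htpasswd = pkgs.writeText "radicale.users" (
    concatStrings (flip mapAttrsToList mailAccounts (mail: user: "${mail}:${user.hashedPassword}\n"))
  );

in
{
  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_filename = "${htpasswd}";
        # Every hash in the file has to be a bcrypt hash; entries hashed with
        # another method will not verify.
        htpasswd_encryption = "bcrypt";
      };
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "cal.example.com" = {
        # Credentials travel as HTTP Basic auth, so only serve over TLS.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # No listen address is configured for Radicale above, so this
          # relies on Radicale's default of localhost:5232.
          proxyPass = "http://localhost:5232/";
          # X-Script-Name tells Radicale the path prefix it is served under;
          # X-Forwarded-For passes the client address on to the backend.
          # proxy_pass_header concerns response headers from the backend;
          # nginx forwards the request's Authorization header by default.
          extraConfig = ''
            proxy_set_header  X-Script-Name /;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Authorization;
          '';
        };
      };
    };
  };

  # Only the nginx ports are opened (80 presumably for the ACME challenge and
  # the HTTPS redirect). Port 5232 is deliberately not listed, so Radicale
  # is reachable from outside only through the TLS proxy.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}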