authorAaron LI <aly@aaronly.me>2018-04-09 15:03:39 +0800
committerAaron LI <aly@aaronly.me>2018-04-09 15:34:58 +0800
commit67dd56ab0d520abf01cdbdbe10b68f6289b6ecc7 (patch)
tree3bebd25c1265c0b6d5fe3f22cad7b70d503180f9
parent40f44a1f486116b8fcae7e307ec1bd82fe433bc6 (diff)
downloadansible-dfly-vps-67dd56ab0d520abf01cdbdbe10b68f6289b6ecc7.tar.bz2
Add radicale role: lightweight {Card,Cal}DAV server
WARNING: py36-radicale2 needs manual installation at the moment.
-rw-r--r--deploy.yml2
-rw-r--r--group_vars/all/vars.yml25
-rw-r--r--group_vars/all/vault.yml115
-rw-r--r--roles/radicale/files/_gitignore5
-rw-r--r--roles/radicale/files/logging50
-rw-r--r--roles/radicale/files/rights49
-rw-r--r--roles/radicale/handlers/main.yml3
-rw-r--r--roles/radicale/tasks/main.yml65
-rw-r--r--roles/radicale/templates/config.j290
-rw-r--r--roles/radicale/templates/radicale.passwd.j215
10 files changed, 374 insertions, 45 deletions
diff --git a/deploy.yml b/deploy.yml
index 9befd89..75bfe02 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -19,5 +19,7 @@
tags: shadowsocks
- role: znc
tags: znc
+ - role: radicale
+ tags: radicale
# vim: set ft=yaml sw=2: #
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 948bdbf..4536b9f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -21,6 +21,7 @@ domains:
- mail
- www
- git
+ - dav
- name: aaronly.me
sub:
- www
@@ -158,4 +159,28 @@ znc:
channels:
- dragonflybsd
+radicale:
+ home: /home/radicale
+ etcdir: /usr/local/etc/radicale2
+ wwwdir: /usr/local/www/radicale2
+ users:
+ - name: aly
+ pass: "{{ vault_radicale_users_aly_pass }}"
+ devices:
+ - name: laptop
+ pass: "{{ vault_radicale_users_aly_pass_laptop }}"
+ - name: office
+ pass: "{{ vault_radicale_users_aly_pass_office }}"
+ - name: phone
+ pass: "{{ vault_radicale_users_aly_pass_phone }}"
+ - name: tablet
+ pass: "{{ vault_radicale_users_aly_pass_tablet }}"
+ - name: lulu
+ pass: "{{ vault_radicale_users_lulu_pass }}"
+ devices:
+ - name: phone
+ pass: "{{ vault_radicale_users_lulu_pass_phone }}"
+ - name: tablet
+ pass: "{{ vault_radicale_users_lulu_pass_tablet }}"
+
# vim: set ft=yaml sw=2: #
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index b69aff4..7215c61 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,46 +1,71 @@
$ANSIBLE_VAULT;1.1;AES256
-31636433343664393661363232663562393138343436323136323336623166333334303563653166
-6534346164373231323433393630396530616135353866620a646632653362373739373938393733
-64623565663834313037656237633862353833666464663639653933653033326333306231323364
-3037366636646137300a666263306430616362313330386337313662646238613735313865653330
-61643762373437353039336266646139646261353037633139376434643335626330623431393037
-32366239636331316433356439353033616435626238333566336162646337386533373232353938
-65336365386436613039633861656465363937646165666562373730363335343635356338626236
-39376361656266396334626535653332346662343863306566373731386564636136343531346666
-62633332336639393463363434376436343030306661653431663030326665323835653532383063
-65326536323138303232336533356462633632356231396365306239326238623135366466393230
-36336634343565326130303562633166653862616563303064393939366666633938633930636433
-33386365353362663665303437363238623637373931373238643763306632643631633863363163
-35353838386331393936383631373937653438333534616161306431626362323863323463386130
-61663038333765396332373166646634323032636130346334643837636534346162616336393735
-30363930393937326664376332336165383039343866373961373834643066343762633530313330
-65633662636133666362383730303664333166376635663063336461343066636332653831373639
-61616232383862373637623531313632313833393064333137653663393365336465636530653532
-64363133343330343932663461643539313536373763643930373735376165313837353939323330
-34396130396330336165623031663136613839353662396430626436326561613565646237303166
-31366434303565363034376633373664366531653563336539646233316332306239626464303339
-35323033643532313836643732363165666362343437336265303666666138383031656166353531
-37333839613537303035653963646134623730343261633037343437313865656639383339366539
-37353062366631306432353835376333303837666265303539343562306237643638313630646366
-65626465303331336466393135346665356132393230303664386537616134393463353839393231
-36383462326636313931393436653534323337336431623935313536656662653361373462376436
-34343736363334363136383038336634333461613135393835303264373563613931383035393734
-62383739376663336233356532393432303436373435623261393562613837333865373036373838
-34633532346666633066353763383538316632303364633436663336326330363739663537323762
-39323963623637373236343662353833316637386537313962326264646630636633623138613361
-65626366333337386562373237656337646234666365303831373939376531346632623331366363
-32323333646364653732653136353332633633346232623332636232623362303163343934323563
-64303965383836323531316435356361313766343563326337663161363263323634356437666334
-33633633636562663132366237396338646437633532623266363361666335343431613862313963
-30366630303132613434303966323238386264626662366539623537653135373363633039346664
-37616531313761326631323637363735333134343665613133393534313834646166386463633734
-62316631343332393465353132396431343831383062336165333061653938396231333937373331
-32663061623962376463306561316237626261646232626231633736333564623533646661656662
-37353639653036323535366438356664366235383331643232376465663862313535316364353737
-34666635663264613030323933333361346530633939626464323933336634303266633966326530
-66643336303566633139633664356261366233626133333365346337393034356266656538663738
-34623134303361663565383161616261636130623761353738363365366533383732666430316661
-62393066346438616265343333636362363662343237633737333662306435306338333565313933
-38396665306464616330626364623931613062663365303761613839616233623237363665323266
-64336136303064323634666537613661313132343663393034393665313739656430633334653065
-64303966376361613962646436373434643034646130623638616238313561626265
+34336433353338333831623136623462333135306662666134663062396330363937616638323066
+6131353738326439396333623862666263303262656431380a353135656337366439633832303131
+62656235303330653235383131646637663334616463326263643863373035313763353033306562
+3361346131343033640a643336633334313336626635373333653136386161356366333730323937
+63663634666362393163366131343264366431363231333331393338356136323934336232373136
+35313563353936303766343835613837353635656461333238313735353565396663636637336165
+32343064383131656266343065623064323064346365363663396165393333303761656265393935
+38343062303265336363663563303936393637613734326331393534383834613333336533653835
+61383063653230366566376236306232363266343365343438653734336366656166343836626333
+33646461313936326634343735376136303365333539643061383634646432343339623931663562
+36303937623732333532313432316337363634333834303061383438653464633763383563316331
+31396562656462653764636438646134646465653439373430393930653266373166306138396161
+64313539633839343230343466613833346634666262656661666639356536343866303262373461
+33643235326365656565376634316236373363386261613339366335393866346237613966346162
+32623763366436303835303731313063306564393438373337356666383263653236613535623536
+66383036353065303564616437633761393931633065393730626661393430313836313065643336
+33363036626463316430323631386533383531353734646130646232626134396361313634323737
+37336530663561626134366465393861376137306161623636383565653933393366353666636461
+66633837336563356436316135633833373062633062376565343734643030323731366139343732
+64326135653533303565393638346638343833613338366463633735306636623636646531306630
+38393462373132636435356430613031663836346263343339373231616662626166376533393333
+62633430336231363731313930653334663066343934366461363136343363303332396530663830
+66636437393130663164653264613665343461353236333864343230656232303032343338336462
+31303038663963656362303964363864393934383463373266616437326537376264376136363635
+33613063363439373065353865326636393134633332653264393566636335336166636538666531
+36636465306636613664353433383162663633656637383730643038623334616238663830383832
+65383035663666653937623835663930643838653833663332623062633464626636373461336164
+31616535633834373134633032616238333036626539346435633839373337653030316338663465
+32623562636538303833353434656134653136633339646139336339613965363237353938306166
+66613832613537383961613239616166383534336562376666316462653264343538353039366130
+61613331356264326162666163383432623563333036346634346639623632386637373033663661
+38373464313931613434653236393765373835636166366435633531393361323561353764363037
+35653832396237343962383638363637626135643735303562653339626366363163366364346336
+38663039386433613338316461386564623530623663643465363134653436363365383633663663
+62393263646534663265636566383665356664613131613933613633636663646536373239663338
+65366132356162323938396566343330643732653630356137316630323939396530313733366637
+65643061616663613561346239393466663630326364303565613564343331346164346364343039
+34643034346564643530346662393734343733666337363233303433313735363764653963383866
+66663562643738356265336131623466656265383930396333666261656365383337643936363937
+34303235663433626662323534323263356164623061313832623166323666613466383334653637
+61613262343230623338633938306461636565623364613539643865376234336663636432366661
+35653863646464646238386365633662373665633736343233663537326238623937666364313832
+65396335386365393566366536393665326161363530303034366337333130323230343335666364
+33356562303161646230303332656265393339626636623436313238363337363535343933663437
+31643539653566353362353436336131333339373437353866323434623830633764366631343036
+33666464636632643661666434383930626365656333316135333337366163393631353136666234
+32333763643335363662343634343030313239626661663061393933306139303630353131346266
+31366638623162626566353936313934663538656361623665663761656363346666383835613139
+64396635646438306438303439346465376636363663386132653532393139666631636537633361
+35316661633935643265333562646530666238646237346362643735633463383338636661616538
+37636336393030393137613536666537386437343539663065376234313064346166306665323334
+62626261396266383336663862663063636532313361663732386231636230653766373664323431
+37323062343764316432343836393630623937646461353737393261663661323762306138373438
+65363563613961386336353061336363633161653034326131623230333235653432663965383531
+34653136333664633631366462373131383930376132616464653134366332393539323565336265
+35306135666533373861666438633339346435623463316666386333363264373036613161613732
+65663931313961346431666534333537633664623439343563343436626565306665613831393063
+32326639323833666233336131636433363935616631396633623733373931656561613237633732
+33366436366538653466363530623333333134373035373339653465663536663666613637386330
+36323233626262303962633461393231623362303437356333316135393963386465636665376237
+35363865343465373265353430646530366631326166303130343632396432633065663934373732
+62623730626334346134396161373966643436613761386230633266316239636465393239653365
+36363435326238663433373465353235616132646561333230303035333239663130643131623731
+38356163353433366137373530346630356161636664623561353638316633313833343536343439
+62393864653338316234353663616631356264316437346634316664376234663931613231383034
+62623139626665636130303763363631663664333031636465366163306233373935386337653831
+38373738346438656234373465643937326234396662366139663530386565313130313938353335
+39356262663234393430336365353438376365666265393963373065633833363263333036623939
+37396133393834646236323762333834303263643331656563633164356430373138366464633366
+3831666331373363333130616632616362373438313038393531
diff --git a/roles/radicale/files/_gitignore b/roles/radicale/files/_gitignore
new file mode 100644
index 0000000..464ffb6
--- /dev/null
+++ b/roles/radicale/files/_gitignore
@@ -0,0 +1,5 @@
+# http://radicale.org/versioning/
+
+.Radicale.cache
+.Radicale.lock
+.Radicale.tmp-*
diff --git a/roles/radicale/files/logging b/roles/radicale/files/logging
new file mode 100644
index 0000000..07fae21
--- /dev/null
+++ b/roles/radicale/files/logging
@@ -0,0 +1,50 @@
+#
+# /usr/local/etc/radicale/logging
+# Logging configurations for Radicale
+#
+# References
+# * http://radicale.org/logging/
+# * https://docs.python.org/3/library/logging.config.html
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+
+# NOTE: uWSGI will capture the console output, so no longer need to
+# log into a separate file.
+
+[loggers]
+keys = root
+
+[handlers]
+keys = console
+
+[formatters]
+keys = full
+
+#
+# Loggers
+#
+
+[logger_root]
+handlers = console
+
+#
+# Handlers
+#
+
+[handler_console]
+class = StreamHandler
+level = INFO
+#level = DEBUG
+args = (sys.stdout,)
+formatter = full
+
+#
+# Formatters
+#
+
+[formatter_full]
+format = %(asctime)s - %(levelname)s: %(message)s
+datefmt = %b %d %H:%M:%S
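Review bot: The header comment `# /usr/local/etc/radicale/logging` does not match where the role installs the file — tasks/main.yml copies it under `{{ radicale.etcdir }}`, which vars.yml sets to `/usr/local/etc/radicale2` — and the headers of `rights` and `config.j2` carry the same stale path. Change it to `# /usr/local/etc/radicale2/logging` (and likewise in the other two files) so the path a reader is pointed at is the one that exists. The commented-out `#level = DEBUG` under `[handler_console]` is left without explanation; since config.j2 sets `[logging] debug = True`, the handler's `level = INFO` is presumably what actually filters console output, so either say so in a comment or drop the stale line.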
diff --git a/roles/radicale/files/rights b/roles/radicale/files/rights
new file mode 100644
index 0000000..9b9b253
--- /dev/null
+++ b/roles/radicale/files/rights
@@ -0,0 +1,49 @@
+#
+# /usr/local/etc/radicale/rights
+# File-based rights managements for Radicale
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+# Authentication login is matched against the "user" key, and collection's
+# path is matched against the "collection" key.
+# You can use Python's ConfigParser interpolation values "%(login)s" and
+# "%(path)s". You can also get groups from the user regex in the collection
+# with "{0}", "{1}", etc.
+#
+# For example, for the "user" key, ".+" means "authenticated user" and ".*"
+# means "anybody" (including anonymous users).
+#
+# * Section names are only used for naming the rule.
+# * Leading or ending slashes are trimmed from collection's path.
+# * The first rule matching both user and collection patterns will be returned.
+#
+# See: http://radicale.org/user_documentation/#idrights-management
+#
+
+# Use a domain-like authentication (user@device) for each owner/user
+# to achieve the application-specific passwords mechanism.
+[owner-devices]
+user: ([^@]+)@.+
+collection: {0}(/.*)?
+permission: rw
+
+# I use the authentication through IMAP provided by Dovecot, and I
+# implement the application-specific passwords mechanism, i.e., one
+# user may have different passwords for different devices/logins
+# identified with different username.
+# For example, a user "user@domain.com" may set different passwords
+# for such different usernames, e.g., "user@domain.com@laptop",
+# "user@domain.com@phone".
+#
+#[owner-imap-auth]
+#user: ^([^@]+)@.+\..+$
+#collection: ^{0}(/.+)?$
+#permission: rw
+
+# Any authenticated user can reach root collection
+#[read]
+#user = .+
+#collection =
+#permission = r
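Review bot: The only active rule, `user: ([^@]+)@.+`, requires an `@` in the login, but radicale.passwd.j2 also emits a plain `{{ user.name }}` entry with no device suffix, so a bare login such as `aly` would match no rule (the `[read]` rule is commented out) and be denied once this file is in use. If bare logins are meant to own their collection as well, `user: ([^@]+)(@.+)?` keeps group `{0}` as the owner name for both forms. The file also mixes delimiters — the active rule uses `key: value`, the commented-out `[read]` rule `key = value`; Radicale reads this through ConfigParser so both parse, but one style should be chosen. Whether this file is consulted at all depends on `[rights] type` in config.j2, which this commit leaves at `owner_only`.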
diff --git a/roles/radicale/handlers/main.yml b/roles/radicale/handlers/main.yml
new file mode 100644
index 0000000..94ab252
--- /dev/null
+++ b/roles/radicale/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: reload-radicale
+ command: service uwsgi reload radicale
diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
new file mode 100644
index 0000000..dbd6839
--- /dev/null
+++ b/roles/radicale/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+# NOTE: Radicale requires nginx.
+
+- name: install packages
+ pkgng:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ # - py36-radicale2
+ - uwsgi-py36
+
+- name: create data directory
+ file:
+ path: "{{ radicale.home }}"
+ state: directory
+ owner: radicale
+ group: radicale
+ mode: 0700
+
+- name: generate config file
+ template:
+ src: config.j2
+ dest: "{{ radicale.etcdir }}/config"
+ notify: reload-radicale
+
+- name: copy extra config files
+ copy:
+ src: "{{ item }}"
+ dest: "{{ radicale.etcdir }}/{{ item | basename }}"
+ with_items:
+ - logging
+ - rights
+ notify: reload-radicale
+
+- name: copy gitignore for storage
+ copy:
+ src: _gitignore
+ dest: "{{ radicale.home }}/.gitignore"
+
+- name: create nginx auth/ dirctory
+ file:
+ path: /usr/local/etc/nginx/auth
+ state: directory
+
+- name: generate passwd for nginx
+ template:
+ src: radicale.passwd.j2
+ dest: /usr/local/etc/nginx/auth/radicale.passwd
+ group: www
+ mode: 0440
+ notify: reload-nginx
+
+- name: setup uwsgi in rc.conf
+ blockinfile:
+ path: /etc/rc.conf
+ marker: "# {mark} ANSIBLE MANAGED - uwsgi/radicale"
+ block: |
+ uwsgi_profiles="${uwsgi_profiles} radicale"
+ uwsgi_radicale_socket="/var/run/uwsgi-radicale.sock"
+ uwsgi_radicale_uid="radicale"
+ uwsgi_radicale_gid="radicale"
+ uwsgi_radicale_flags="-L --env RADICALE_CONFIG={{ radicale.etcdir }}/config --plugin python --wsgi-file {{ radicale.wwwdir }}/radicale.wsgi"
+
+- name: enable and start uwsgi
+ command: rcenable uwsgi
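Review bot: `command: rcenable uwsgi` in the last task runs on every play and always reports changed; the `service` module does the same idempotently: `service: { name: uwsgi, enabled: yes, state: started }`. `create data directory` sets `owner: radicale`, but nothing in the role creates that user or group — with `py36-radicale2` commented out of the package list (the commit message says it is installed by hand), the task fails on a fresh host unless the manual install already created them, so a `user:`/`group:` task or a comment stating that assumption would help. `generate config file` and `copy extra config files` set no owner or mode, so those files get whatever the Ansible user's umask yields; harmless for these contents, but worth making explicit to match `generate passwd for nginx`. The task name `create nginx auth/ dirctory` has a typo.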
diff --git a/roles/radicale/templates/config.j2 b/roles/radicale/templates/config.j2
new file mode 100644
index 0000000..ca5e251
--- /dev/null
+++ b/roles/radicale/templates/config.j2
@@ -0,0 +1,90 @@
+#
+# /usr/local/etc/radicale/config
+# Radicale - A simple calendar and contact server
+#
+# http://radicale.org/
+# https://github.com/Kozea/Radicale
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+
+# Not needed when using uWSGI
+[server]
+hosts = 127.0.0.1:5232
+daemon = True
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+#
+# * None
+# Allows all usernames and passwords. It also disables rights checking.
+# * htpasswd
+# Use an Apache htpasswd file to store usernames and passwords.
+# * remote_user
+# Takes the user name from the REMOTE_USER environment variable and
+# disables HTTP authentication. This can be used to provide the user
+# name from a WSGI server.
+# * http_x_remote_user
+# Takes the user name from the "X-Remote-User" HTTP header and disables
+# HTTP authentication. This can be used to provide the user name from
+# a reverse proxy.
+#
+#type = http_x_remote_user
+type = remote_user
+
+
+# Rights backend
+[rights]
+
+# Value: none | authenticated | owner_only | owner_write | from_file
+#
+# * None : Everybody (including anonymous users) has read and
+# write access to all collections;
+# * authenticated : An authenticated users has read and write access
+# to all collections, anonymous users have no access
+# to these collections;
+# * owner_only : Only owners have read and write access to their
+# own collections. The other users, authenticated or
+# anonymous, have no access to these collections;
+# * owner_write : Authenticated users have read access to all collections,
+# but only owners have write access to their own
+# collections. And anonymous users have no access;
+# * from_file : Rights are based on a regex-based file whose name
+# is specified in this config file: [right]/file
+#
+type = owner_only
+
+
+# Storage backend
+[storage]
+
+type = multifilesystem
+filesystem_folder = {{ radicale.home }}
+
+# Command that is run after changes to storage
+# See: http://radicale.org/versioning/
+hook = ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+
+
+# Web interface backend
+[web]
+
+# Value: none | internal
+#
+# * none : Just shows the message "Radicale works!".
+# * internal : Allows creation and management of address books and calendars.
+#
+#type = internal
+type = none
+
+
+[logging]
+config = {{ radicale.etcdir }}/logging
+# The logging config file just specified will provide finer controls, so
+# just set the default logging level to DEBUG.
+debug = True
+
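Review bot: `[rights] type = owner_only` means the `rights` file this role installs next to the config is never read — `from_file` is the only backend that loads it, and no `file =` key is set. With `owner_only`, a device login such as `aly@laptop` (the form the passwd template and the rights file's `[owner-devices]` rule are built around) is presumably compared verbatim against the collection owner `aly` and gets no access; if the per-device scheme is the intent, set `type = from_file` and `file = {{ radicale.etcdir }}/rights`. The comment `[right]/file` should read `[rights]/file`. `[auth] type = remote_user` relies on the nginx/uWSGI side to pass REMOTE_USER from basic auth, which is not part of this commit, so a comment naming where that is configured would help the next reader.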
diff --git a/roles/radicale/templates/radicale.passwd.j2 b/roles/radicale/templates/radicale.passwd.j2
new file mode 100644
index 0000000..8c59c79
--- /dev/null
+++ b/roles/radicale/templates/radicale.passwd.j2
@@ -0,0 +1,15 @@
+#
+# Password for Nginx auth for Radicale.
+#
+# Aaron LI
+#
+
+# name:pass
+{% for user in radicale.users %}
+# user: {{ user.name }}
+{{ user.name }}:{{ user.pass | cryptpass }}
+{% for dev in user.devices|default([]) %}
+{{ user.name }}@{{ dev.name }}:{{ dev.pass | cryptpass }}
+{% endfor %}{# devices #}
+{% endfor %}{# user #}
+# EOF
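Review bot: `cryptpass` is not a filter shipped with Ansible (the stock one is `password_hash`), so this template presumably depends on a filter plugin elsewhere in the repository; a header comment naming where it lives and which hash scheme it emits (e.g. `# hashes produced by <filter-plugin-path — placeholder, fill in>`) would save the next reader a search. If that filter draws a fresh salt on every call, the rendered file differs on each run, the template task reports changed and `reload-nginx` fires every play; feeding it a fixed, vaulted salt (or using `password_hash` with its salt argument) keeps the run idempotent — worth confirming against the plugin. The `# user: {{ user.name }}` lines repeat the login that the next line already carries and could be dropped.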