-rw-r--r-- | deploy.yml | 2 | ||||
-rw-r--r-- | group_vars/all/vars.yml | 25 | ||||
-rw-r--r-- | group_vars/all/vault.yml | 115 | ||||
-rw-r--r-- | roles/radicale/files/_gitignore | 5 | ||||
-rw-r--r-- | roles/radicale/files/logging | 50 | ||||
-rw-r--r-- | roles/radicale/files/rights | 49 | ||||
-rw-r--r-- | roles/radicale/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/radicale/tasks/main.yml | 65 | ||||
-rw-r--r-- | roles/radicale/templates/config.j2 | 90 | ||||
-rw-r--r-- | roles/radicale/templates/radicale.passwd.j2 | 15 |
10 files changed, 374 insertions, 45 deletions
@@ -19,5 +19,7 @@ tags: shadowsocks - role: znc tags: znc
+ - role: radicale
+ tags: radicale # vim: set ft=yaml sw=2: #
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 948bdbf..4536b9f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -21,6 +21,7 @@ domains: - mail - www - git
+ - dav - name: aaronly.me sub: - www
@@ -158,4 +159,28 @@ znc: channels: - dragonflybsd
+radicale:
+ home: /home/radicale
+ etcdir: /usr/local/etc/radicale2
+ wwwdir: /usr/local/www/radicale2
+ users:
+ - name: aly
+ pass: "{{ vault_radicale_users_aly_pass }}"
+ devices:
+ - name: laptop
+ pass: "{{ vault_radicale_users_aly_pass_laptop }}"
+ - name: office
+ pass: "{{ vault_radicale_users_aly_pass_office }}"
+ - name: phone
+ pass: "{{ vault_radicale_users_aly_pass_phone }}"
+ - name: tablet
+ pass: "{{ vault_radicale_users_aly_pass_tablet }}"
+ - name: lulu
+ pass: "{{ vault_radicale_users_lulu_pass }}"
+ devices:
+ - name: phone
+ pass: "{{ vault_radicale_users_lulu_pass_phone }}"
+ - name: tablet
+ pass: "{{ vault_radicale_users_lulu_pass_tablet }}"
+ # vim: set ft=yaml sw=2: #
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index b69aff4..7215c61 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,46 +1,71 @@ $ANSIBLE_VAULT;1.1;AES256 -31636433343664393661363232663562393138343436323136323336623166333334303563653166 -6534346164373231323433393630396530616135353866620a646632653362373739373938393733 -64623565663834313037656237633862353833666464663639653933653033326333306231323364 -3037366636646137300a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a353135656337366439633832303131 +62656235303330653235383131646637663334616463326263643863373035313763353033306562 +3361346131343033640a643336633334313336626635373333653136386161356366333730323937 +63663634666362393163366131343264366431363231333331393338356136323934336232373136 +35313563353936303766343835613837353635656461333238313735353565396663636637336165 +32343064383131656266343065623064323064346365363663396165393333303761656265393935 +38343062303265336363663563303936393637613734326331393534383834613333336533653835 +61383063653230366566376236306232363266343365343438653734336366656166343836626333 +33646461313936326634343735376136303365333539643061383634646432343339623931663562 +36303937623732333532313432316337363634333834303061383438653464633763383563316331 +31396562656462653764636438646134646465653439373430393930653266373166306138396161 +64313539633839343230343466613833346634666262656661666639356536343866303262373461 +33643235326365656565376634316236373363386261613339366335393866346237613966346162 +32623763366436303835303731313063306564393438373337356666383263653236613535623536 +66383036353065303564616437633761393931633065393730626661393430313836313065643336 +33363036626463316430323631386533383531353734646130646232626134396361313634323737 +37336530663561626134366465393861376137306161623636383565653933393366353666636461 +66633837336563356436316135633833373062633062376565343734643030323731366139343732 +64326135653533303565393638346638343833613338366463633735306636623636646531306630 +38393462373132636435356430613031663836346263343339373231616662626166376533393333 
+62633430336231363731313930653334663066343934366461363136343363303332396530663830 +66636437393130663164653264613665343461353236333864343230656232303032343338336462 +31303038663963656362303964363864393934383463373266616437326537376264376136363635 +33613063363439373065353865326636393134633332653264393566636335336166636538666531 +36636465306636613664353433383162663633656637383730643038623334616238663830383832 +65383035663666653937623835663930643838653833663332623062633464626636373461336164 +31616535633834373134633032616238333036626539346435633839373337653030316338663465 +32623562636538303833353434656134653136633339646139336339613965363237353938306166 +66613832613537383961613239616166383534336562376666316462653264343538353039366130 +61613331356264326162666163383432623563333036346634346639623632386637373033663661 +38373464313931613434653236393765373835636166366435633531393361323561353764363037 +35653832396237343962383638363637626135643735303562653339626366363163366364346336 +38663039386433613338316461386564623530623663643465363134653436363365383633663663 +62393263646534663265636566383665356664613131613933613633636663646536373239663338 +65366132356162323938396566343330643732653630356137316630323939396530313733366637 +65643061616663613561346239393466663630326364303565613564343331346164346364343039 +34643034346564643530346662393734343733666337363233303433313735363764653963383866 +66663562643738356265336131623466656265383930396333666261656365383337643936363937 +34303235663433626662323534323263356164623061313832623166323666613466383334653637 +61613262343230623338633938306461636565623364613539643865376234336663636432366661 +35653863646464646238386365633662373665633736343233663537326238623937666364313832 +65396335386365393566366536393665326161363530303034366337333130323230343335666364 +33356562303161646230303332656265393339626636623436313238363337363535343933663437 +31643539653566353362353436336131333339373437353866323434623830633764366631343036 
+33666464636632643661666434383930626365656333316135333337366163393631353136666234 +32333763643335363662343634343030313239626661663061393933306139303630353131346266 +31366638623162626566353936313934663538656361623665663761656363346666383835613139 +64396635646438306438303439346465376636363663386132653532393139666631636537633361 +35316661633935643265333562646530666238646237346362643735633463383338636661616538 +37636336393030393137613536666537386437343539663065376234313064346166306665323334 +62626261396266383336663862663063636532313361663732386231636230653766373664323431 +37323062343764316432343836393630623937646461353737393261663661323762306138373438 +65363563613961386336353061336363633161653034326131623230333235653432663965383531 +34653136333664633631366462373131383930376132616464653134366332393539323565336265 +35306135666533373861666438633339346435623463316666386333363264373036613161613732 +65663931313961346431666534333537633664623439343563343436626565306665613831393063 +32326639323833666233336131636433363935616631396633623733373931656561613237633732 +33366436366538653466363530623333333134373035373339653465663536663666613637386330 +36323233626262303962633461393231623362303437356333316135393963386465636665376237 +35363865343465373265353430646530366631326166303130343632396432633065663934373732 +62623730626334346134396161373966643436613761386230633266316239636465393239653365 +36363435326238663433373465353235616132646561333230303035333239663130643131623731 +38356163353433366137373530346630356161636664623561353638316633313833343536343439 +62393864653338316234353663616631356264316437346634316664376234663931613231383034 +62623139626665636130303763363631663664333031636465366163306233373935386337653831 +38373738346438656234373465643937326234396662366139663530386565313130313938353335 +39356262663234393430336365353438376365666265393963373065633833363263333036623939 +37396133393834646236323762333834303263643331656563633164356430373138366464633366 
+3831666331373363333130616632616362373438313038393531
diff --git a/roles/radicale/files/_gitignore b/roles/radicale/files/_gitignore
new file mode 100644
index 0000000..464ffb6
--- /dev/null
+++ b/roles/radicale/files/_gitignore
@@ -0,0 +1,5 @@
+# http://radicale.org/versioning/
+
+.Radicale.cache
+.Radicale.lock
+.Radicale.tmp-*
diff --git a/roles/radicale/files/logging b/roles/radicale/files/logging
new file mode 100644
index 0000000..07fae21
--- /dev/null
+++ b/roles/radicale/files/logging
@@ -0,0 +1,50 @@
+#
+# /usr/local/etc/radicale/logging
+# Logging configurations for Radicale
+#
+# References
+# * http://radicale.org/logging/
+# * https://docs.python.org/3/library/logging.config.html
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+
+# NOTE: uWSGI will capture the console output, so no longer need to
+# log into a separate file.
+
+[loggers]
+keys = root
+
+[handlers]
+keys = console
+
+[formatters]
+keys = full
+
+#
+# Loggers
+#
+
+[logger_root]
+handlers = console
+
+#
+# Handlers
+#
+
+[handler_console]
+class = StreamHandler
+level = INFO
+#level = DEBUG
+args = (sys.stdout,)
+formatter = full
+
+#
+# Formatters
+#
+
+[formatter_full]
+format = %(asctime)s - %(levelname)s: %(message)s
+datefmt = %b %d %H:%M:%S
diff --git a/roles/radicale/files/rights b/roles/radicale/files/rights
new file mode 100644
index 0000000..9b9b253
--- /dev/null
+++ b/roles/radicale/files/rights
@@ -0,0 +1,49 @@
+#
+# /usr/local/etc/radicale/rights
+# File-based rights managements for Radicale
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+# Authentication login is matched against the "user" key, and collection's
+# path is matched against the "collection" key.
+# You can use Python's ConfigParser interpolation values "%(login)s" and
+# "%(path)s". You can also get groups from the user regex in the collection
+# with "{0}", "{1}", etc.
+#
+# For example, for the "user" key, ".+" means "authenticated user" and ".*"
+# means "anybody" (including anonymous users).
+#
+# * Section names are only used for naming the rule.
+# * Leading or ending slashes are trimmed from collection's path.
+# * The first rule matching both user and collection patterns will be returned.
+#
+# See: http://radicale.org/user_documentation/#idrights-management
+#
+
+# Use a domain-like authentication (user@device) for each owner/user
+# to achieve the application-specific passwords mechanism.
+[owner-devices]
+user: ([^@]+)@.+
+collection: {0}(/.*)?
+permission: rw
+
+# I use the authentication through IMAP provided by Dovecot, and I
+# implement the application-specific passwords mechanism, i.e., one
+# user may have different passwords for different devices/logins
+# identified with different username.
+# For example, a user "user@domain.com" may set different passwords
+# for such different usernames, e.g., "user@domain.com@laptop",
+# "user@domain.com@phone".
+#
+#[owner-imap-auth]
+#user: ^([^@]+)@.+\..+$
+#collection: ^{0}(/.+)?$
+#permission: rw
+
+# Any authenticated user can reach root collection
+#[read]
+#user = .+
+#collection =
+#permission = r
diff --git a/roles/radicale/handlers/main.yml b/roles/radicale/handlers/main.yml
new file mode 100644
index 0000000..94ab252
--- /dev/null
+++ b/roles/radicale/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: reload-radicale
+ command: service uwsgi reload radicale
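Review bot: The only active rule, `[owner-devices]`, requires an `@` in the login (`user: ([^@]+)@.+`), so the bare per-user entries that roles/radicale/templates/radicale.passwd.j2 also emits (`aly`, `lulu`) match no rule and would be denied everything whenever this file is consulted; if that is intended, say so in the comment above the rule. As committed the file is not consulted at all: roles/radicale/templates/config.j2 sets `[rights] type = owner_only` with no `file =`, and under owner_only a login such as `aly@laptop` presumably owns `aly@laptop/` rather than `aly/`, so the device-password scheme these comments describe needs `type = from_file` plus `file = {{ radicale.etcdir }}/rights` there — worth confirming against the installed Radicale. I would also anchor both patterns (`user: ^([^@]+)@.+$`, `collection: ^{0}(/.*)?$`) as the commented `[owner-imap-auth]` example already does, so that a login `aly@phone` cannot reach `alyx/...` by prefix if the installed version matches with re.match rather than fullmatch.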
diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
new file mode 100644
index 0000000..dbd6839
--- /dev/null
+++ b/roles/radicale/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+# NOTE: Radicale requires nginx.
+
+- name: install packages
+ pkgng:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ # - py36-radicale2
+ - uwsgi-py36
+
+- name: create data directory
+ file:
+ path: "{{ radicale.home }}"
+ state: directory
+ owner: radicale
+ group: radicale
+ mode: 0700
+
+- name: generate config file
+ template:
+ src: config.j2
+ dest: "{{ radicale.etcdir }}/config"
+ notify: reload-radicale
+
+- name: copy extra config files
+ copy:
+ src: "{{ item }}"
+ dest: "{{ radicale.etcdir }}/{{ item | basename }}"
+ with_items:
+ - logging
+ - rights
+ notify: reload-radicale
+
+- name: copy gitignore for storage
+ copy:
+ src: _gitignore
+ dest: "{{ radicale.home }}/.gitignore"
+
+- name: create nginx auth/ dirctory
+ file:
+ path: /usr/local/etc/nginx/auth
+ state: directory
+
+- name: generate passwd for nginx
+ template:
+ src: radicale.passwd.j2
+ dest: /usr/local/etc/nginx/auth/radicale.passwd
+ group: www
+ mode: 0440
+ notify: reload-nginx
+
+- name: setup uwsgi in rc.conf
+ blockinfile:
+ path: /etc/rc.conf
+ marker: "# {mark} ANSIBLE MANAGED - uwsgi/radicale"
+ block: |
+ uwsgi_profiles="${uwsgi_profiles} radicale"
+ uwsgi_radicale_socket="/var/run/uwsgi-radicale.sock"
+ uwsgi_radicale_uid="radicale"
+ uwsgi_radicale_gid="radicale"
+ uwsgi_radicale_flags="-L --env RADICALE_CONFIG={{ radicale.etcdir }}/config --plugin python --wsgi-file {{ radicale.wwwdir }}/radicale.wsgi"
+
+- name: enable and start uwsgi
+ command: rcenable uwsgi
diff --git a/roles/radicale/templates/config.j2 b/roles/radicale/templates/config.j2
new file mode 100644
index 0000000..ca5e251
--- /dev/null
+++ b/roles/radicale/templates/config.j2
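Review bot: `notify: reload-nginx` in the "generate passwd for nginx" task has no matching handler in this role (roles/radicale/handlers/main.yml defines only `reload-radicale`), so unless the nginx role alluded to in the top comment provides it, the play aborts on an undefined handler the first time the passwd file changes. The Radicale package itself is commented out in "install packages" (`# - py36-radicale2`) while `uwsgi_radicale_flags` points at `{{ radicale.wwwdir }}/radicale.wsgi`, so a one-line comment saying where that file is expected to come from would save the next reader a search. `command: rcenable uwsgi` reports changed on every run; `service: name=uwsgi enabled=yes state=started` (or at least `changed_when: false`) would keep the play idempotent. Minor: "dirctory" in the nginx auth task name, and Ansible's docs recommend quoting octal modes (`mode: "0700"`, `mode: "0440"`) so a YAML loader never reinterprets them.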
@@ -0,0 +1,90 @@
+#
+# /usr/local/etc/radicale/config
+# Radicale - A simple calendar and contact server
+#
+# http://radicale.org/
+# https://github.com/Kozea/Radicale
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+
+# Not needed when using uWSGI
+[server]
+hosts = 127.0.0.1:5232
+daemon = True
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+#
+# * None
+# Allows all usernames and passwords. It also disables rights checking.
+# * htpasswd
+# Use an Apache htpasswd file to store usernames and passwords.
+# * remote_user
+# Takes the user name from the REMOTE_USER environment variable and
+# disables HTTP authentication. This can be used to provide the user
+# name from a WSGI server.
+# * http_x_remote_user
+# Takes the user name from the "X-Remote-User" HTTP header and disables
+# HTTP authentication. This can be used to provide the user name from
+# a reverse proxy.
+#
+#type = http_x_remote_user
+type = remote_user
+
+
+# Rights backend
+[rights]
+
+# Value: none | authenticated | owner_only | owner_write | from_file
+#
+# * None : Everybody (including anonymous users) has read and
+# write access to all collections;
+# * authenticated : An authenticated users has read and write access
+# to all collections, anonymous users have no access
+# to these collections;
+# * owner_only : Only owners have read and write access to their
+# own collections. The other users, authenticated or
+# anonymous, have no access to these collections;
+# * owner_write : Authenticated users have read access to all collections,
+# but only owners have write access to their own
+# collections. And anonymous users have no access;
+# * from_file : Rights are based on a regex-based file whose name
+# is specified in this config file: [right]/file
+#
+type = owner_only
+
+
+# Storage backend
+[storage]
+
+type = multifilesystem
+filesystem_folder = {{ radicale.home }}
+
+# Command that is run after changes to storage
+# See: http://radicale.org/versioning/
+hook = ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+
+
+# Web interface backend
+[web]
+
+# Value: none | internal
+#
+# * none : Just shows the message "Radicale works!".
+# * internal : Allows creation and management of address books and calendars.
+#
+#type = internal
+type = none
+
+
+[logging]
+config = {{ radicale.etcdir }}/logging
+# The logging config file just specified will provide finer controls, so
+# just set the default logging level to DEBUG.
+debug = True
+
diff --git a/roles/radicale/templates/radicale.passwd.j2 b/roles/radicale/templates/radicale.passwd.j2
new file mode 100644
index 0000000..8c59c79
--- /dev/null
+++ b/roles/radicale/templates/radicale.passwd.j2
@@ -0,0 +1,15 @@
+#
+# Password for Nginx auth for Radicale.
+#
+# Aaron LI
+#
+
+# name:pass
+{% for user in radicale.users %}
+# user: {{ user.name }}
+{{ user.name }}:{{ user.pass | cryptpass }}
+{% for dev in user.devices|default([]) %}
+{{ user.name }}@{{ dev.name }}:{{ dev.pass | cryptpass }}
+{% endfor %}{# devices #}
+{% endfor %}{# user #}
+# EOF
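Review bot: `type = remote_user` under `[auth]` makes Radicale accept whatever REMOTE_USER the WSGI layer hands it, so the nginx `auth_basic` vhost that reads /usr/local/etc/nginx/auth/radicale.passwd is the entire authentication boundary, and that vhost is not part of this commit (vars.yml only adds the `dav` subdomain). A comment next to the setting, e.g. `# nginx auth_basic on the dav vhost is the only authentication; nothing else may reach the uwsgi socket`, records that dependency for whoever later touches the nginx role. The `hook` line interpolates the login into a shell command; as far as I recall Radicale 2 shell-quotes `%(user)s` before running it, which is why the upstream example concatenates `"Changes by "%(user)s`, but a short comment noting that the logins are the admin-controlled names from radicale.passwd would reassure the next reader. `debug = True` under `[logging]` is fine only because roles/radicale/files/logging caps the console handler at INFO — worth saying in the comment, since that file can be edited independently.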
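Review bot: `cryptpass` is not a stock Ansible or Jinja2 filter, so it must come from a filter plugin outside this commit; a comment at the top of the template naming that plugin and the hash format it emits (one of the forms nginx's auth_basic accepts) would make the rendered file reviewable. If the filter salts randomly on each render, radicale.passwd changes on every play and `notify: reload-nginx` fires each time; a deterministic salt, or Ansible's `password_hash` with a fixed salt if that is what the plugin wraps, is worth checking. The `# user: {{ user.name }}` lines rely on nginx skipping `#`-prefixed lines in the passwd file — I believe it does, but confirm before relying on it.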