1 files changed, 49 insertions, 0 deletions

diff --git a/roles/radicale/files/rights b/roles/radicale/files/rights
new file mode 100644
index 0000000..9b9b253
--- /dev/null
+++ b/roles/radicale/files/rights
@@ -0,0 +1,49 @@
+#
+# /usr/local/etc/radicale/rights
+# File-based rights managements for Radicale
+#
+# Aaron LI
+# Created: 2017-04-27
+#
+
+# Authentication login is matched against the "user" key, and collection's
+# path is matched against the "collection" key.
+# You can use Python's ConfigParser interpolation values "%(login)s" and
+# "%(path)s".  You can also get groups from the user regex in the collection
+# with "{0}", "{1}", etc.
+#
+# For example, for the "user" key, ".+" means "authenticated user" and ".*"
+# means "anybody" (including anonymous users).
+#
+# * Section names are only used for naming the rule.
+# * Leading or ending slashes are trimmed from collection's path.
+# * The first rule matching both user and collection patterns will be returned.
+#
+# See: http://radicale.org/user_documentation/#idrights-management
+#
+
+# Use a domain-like authentication (user@device) for each owner/user
+# to achieve the application-specific passwords mechanism.
+[owner-devices]
+user: ([^@]+)@.+
+collection: {0}(/.*)?
+permission: rw
+
+# I use the authentication through IMAP provided by Dovecot, and I
+# implement the application-specific passwords mechanism, i.e., one
+# user may have different passwords for different devices/logins
+# identified with different username.
+# For example, a user "user@domain.com" may set different passwords
+# for such different usernames, e.g., "user@domain.com@laptop",
+# "user@domain.com@phone".
+#
+#[owner-imap-auth]
+#user: ^([^@]+)@.+\..+$
+#collection: ^{0}(/.+)?$
+#permission: rw
+
+# Any authenticated user can reach root collection
+#[read]
+#user = .+
+#collection =
+#permission = r