Docker and config

2025-02-05 15:34:33 -05:00 · 2025-02-05 15:34:33 -05:00 · a2683187f9
commit a2683187f9
parent 49f57f61a2
5 changed files with 242 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+.DS_Store
+.env
+generate-bcrypt-hash.py
+config/users
--- a/README.md
+++ b/README.md
@ -1,2 +1,30 @@
 # radicale

+[Radicale](https://radicale.org/v3.html) is a small but powerful CalDAV (calendars, to-do lists) and CardDAV (contacts) server. The Docker configuration is based off of the work in [docker-radicale](https://github.com/tomsquest/docker-radicale).
+
+## Quick start
+1. All of the necessary files to start a Radicale server are in this repo. Begin by editing the following lines in the docker-compose.yaml file to reflect your hostname and the email address you want to use for Let's Encrypt.
+
+``` yaml
+services:
+  radicale:
+    labels:
+      - "traefik.http.routers.radicale.rule=Host(`radicale.moeny.ai`)"
+```
+
+and
+
+``` yaml
+services:
+  traefik:
+    command:
+      - --certificatesresolvers.le.acme.email=radicale@moeny.ai
+```
+
+Make sure you also have a domain DNS A record pointed to your server's public IP for the hostname you gave to traefik. To set up your own DNS server, see our [bind9 repo](https://gitea.moeny.ai/moeny/bind9).
+
+2. Rename `config/users.sample` to `users` and edit the usernames and passwords it contains. Ensure that each line contains a username and bcrypt-hashed password, separated by a colon (:).
+
+3. Once ready, run `docker-compose up -d` to start the server.
+
+4. You should then be able to access Radicale at the URL you set up with traefik earlier. The usernames and passwords to log in are the ones added to the `users` file. Use the non-hashed password. 
--- a/config/config
+++ b/config/config
@ -0,0 +1,138 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 adress(es)): hostname:port
+# For example: 0.0.0.0:9999, [::]:9999, localhost:9999
+#hosts = localhost:5232
+hosts = 0.0.0.0:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+type = htpasswd
+
+# Htpasswd filename
+htpasswd_filename = /config/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5 | sha256 | sha512 | autodetect
+# bcrypt requires the installation of 'bcrypt' module.
+htpasswd_encryption = bcrypt
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+# Сonvert username to lowercase, must be true for case-insensitive auth providers
+#lc_username = False
+
+
+[rights]
+
+# Rights backend
+# Value: none | authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+# Permit delete of a collection (global)
+#permit_delete_collection = True
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+#filesystem_folder = /var/lib/radicale/collections
+filesystem_folder = /data/collections
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Command that is run after changes to storage
+# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"")
+#hook =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+#type = internal
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = info
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
+
+[hook]
+
+# Hook types
+# Value: none | rabbitmq
+#type = none
+#rabbitmq_endpoint =
+#rabbitmq_topic =
+#rabbitmq_queue_type = classic
--- a/config/users.sample
+++ b/config/users.sample
@ -0,0 +1,2 @@
+john:$2b$12$l1Se4qIaRlfOnaC1pGt32uNe/Dr61r4JrZQCNnY.kTx2KgJ70GPSm
+sarah:$2b$12$lKEHYHjrZ.QHpWQeB/feWe/0m4ZtckLI.cYkVOITW8/0xoLCp1/Wy
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,70 @@
+# Can be enhanced with an additional compose file
+# See also https://docs.docker.com/compose/production/#modify-your-compose-file-for-production
+
+services:
+  radicale:
+    image: tomsquest/docker-radicale
+    container_name: radicale
+    init: true
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          pids: 50
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    restart: always
+    volumes:
+      - ./data:/data
+      - ./config:/config:ro
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.radicale.rule=Host(`radicale.moeny.ai`)"
+      - "traefik.http.routers.radicale.entrypoints=https"
+      - "traefik.http.routers.radicale.tls.certresolver=le"
+      - "traefik.http.services.radicale.loadbalancer.server.port=5232"
+
+  traefik:
+    image: traefik:v2.10
+    container_name: traefik
+    restart: always
+    command:
+      - --api.insecure=false
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --entrypoints.web.address=:80
+      - --entrypoints.web.http.redirections.entryPoint.to=https
+      - --entrypoints.web.http.redirections.entryPoint.scheme=https
+      - --entrypoints.https.address=:443
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      - --certificatesresolvers.le.acme.email=radicale@moeny.ai
+      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - traefik:/letsencrypt:rw
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - proxy
+
+networks:
+  proxy:
+    driver: bridge
+
+volumes:
+  traefik: { driver: local }