meow

2025-11-07 13:53:55 +01:00 · 2025-11-07 13:53:55 +01:00 · acea54db81
commit acea54db81
parent f63d3785e4
2 changed files with 65 additions and 1 deletions
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -24,6 +24,7 @@ in
    ./attic.nix
    ./ytdl-sub.nix
    ./snipe-it.nix
+    ./radicale.nix

    ../../nixos-modules/networking/tailscale.nix
    ../../nixos-modules/services/docker.nix
@ -201,7 +202,23 @@ in
              resolvers 10.88.0.1 # podman dns
            }
            uri /outpost.goauthentik.io/auth/caddy
-            copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role
+            copy_headers {
+              X-Authentik-Username
+              X-Copyparty-Group
+              X-Authentik-Groups
+              X-Authentik-Entitlements
+              X-Authentik-Email
+              X-Authentik-Name
+              X-Authentik-Uid
+              X-Authentik-Jwt
+              X-Authentik-Meta-Jwks
+              X-Authentik-Meta-Outpost
+              X-Authentik-Meta-Provider
+              X-Authentik-Meta-App
+              X-Authentik-Meta-Version
+              X-Grafana-Role
+              X-Authentik-Username>X-Remote-User
+            } 
          }
          reverse_proxy {args[:]} {
            transport http {
@ -272,6 +289,10 @@ in
      handle @auth {
        import podmanRedir http://authentik-server:9000
      }
+      @radicale host radicale.hailsatan.eu
+      handle @radicale {
+        import podmanRedirWithAuth http://[::1]:5232
+      }
      @grafana host grafana.hailsatan.eu
      handle @grafana {
        import podmanRedirWithAuth http://grafana:3000 
--- a/hosts/ds9/radicale.nix
+++ b/hosts/ds9/radicale.nix
@ -0,0 +1,43 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  services.radicale = {
+    enable = true;
+    settings = {
+      server.hosts = [ "[::1]:5232" ];
+      auth = {
+        type = "http_x_remote_user";
+        # remote_ip_source = "X-Remote-Addr";
+      };
+      storage = {
+        filesystem_folder = "/var/lib/radicale/collections";
+      };
+    };
+    rights = {
+      root = {
+        user = ".+";
+        collection = "";
+        permissions = "R";
+      };
+      principal = {
+        user = ".+";
+        collection = "{user}";
+        permissions = "RW";
+      };
+      calendars = {
+        user = ".+";
+        collection = "{user}/[^/]+";
+        permissions = "rw";
+      };
+
+    };
+  };
+  ragon.persist.extraDirectories = [
+    "/var/lib/radicale"
+  ];
+
+}