staging/radicale

README.md

@@ -28,6 +28,9 @@ A questo punto lanciando `./ansible-playbook test_playbook.yml` tutti i server s
 
 Un ruolo ansible quindi non è nient'altro che una lista di operazioni.
 
+Per poter eseguire solo alcuni ruoli di alto livello possiamo usare i tag:
+`ansible-playbook --tags radicale infra.yml`.
+
 #### Password / Keys
 Per le informazioni sensibili (password del database, dell'account di admin, una chiave ssh) viene usato [passwordstore](https://www.passwordstore.org/), il path usato è specificato nell'inventory con la variabile `passwordstore_path`.
 

infra.yml

@@ -28,6 +28,13 @@
   roles: ['stable/common', 'stable/gancio']
   vars_files: vars/gancio.yml
 
+# RADICALE
+- name: Radicale
+  hosts: radicale
+  tags: radicale
+  roles: ['stable/common', 'staging/radicale']
+  vars_files: vars/gancio.yml
+
 # TEST
 - name: Test
   hosts: test

inventory.yml

@@ -13,6 +13,9 @@ farma:
 frontend:
   hosts: cisti.frontend
 
+radicale:
+  hosts: radicale.cose.belle
+
 test:
   hosts: cisti.jolly
   vars:

roles/staging/radicale/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+
+- name: Install pip
+  apt:
+    pkg:
+      - python3-pip
+      - apache2-utils # yes, we need htpasswd
+
+- name: check for radicale user
+  user:
+    name: "radicale"
+    home: "/srv/radicale"
+    system: true
+    state: present
+
+- name: Installa radicale
+  pip:
+    name: radicale
+
+- name: Copy settings
+  template:
+    src: config.j2
+    dest: /srv/radicale/config
+    owner: radicale
+    group: radicale
+    mode: 0660
+
+- name: Copy service
+  template:
+    src: radicale.service.j2
+    dest: /etc/systemd/system/radicale.service
+    owner: radicale
+    group: radicale
+    mode: 0660
+
+- name: Enable radicale
+  ansible.builtin.systemd:
+    name: radicale
+    enabled: yes
+    masked: no
+
+- name: Make sure radicale is running
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: yes
+    name: radicale

roles/staging/radicale/templates/config.j2

@@ -0,0 +1,120 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# For example: 0.0.0.0:9999, [::]:9999
+hosts = radicale.cose.belle:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+type = htpasswd
+
+# Htpasswd filename
+htpasswd_filename = /srv/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5
+# bcrypt requires the installation of radicale[bcrypt].
+htpasswd_encryption = bcrypt
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+
+[rights]
+
+# Rights backend
+# Value: none | authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+filesystem_folder = /srv/radicale/storage
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Command that is run after changes to storage
+# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+#hook =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+type = internal
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = warning
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *

roles/staging/radicale/templates/radicale.service.j2

@@ -0,0 +1,25 @@
+[Unit]
+Description=A simple CalDAV (calendar) and CardDAV (contact) server
+After=network.target
+Requires=network.target
+
+[Service]
+ExecStart=env python3 -m radicale --config /srv/radicale/config
+Restart=on-failure
+StartLimitInterval=30
+User=radicale
+UMask=0027
+
+# Optional security settings
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+ReadWritePaths=/srv/radicale
+
+[Install]
+WantedBy=multi-user.target