radicale and nginx
Check before you start:
- you have a normally running site on nginx already.
- your server has the directory /etc/nginx/sites-enabled/ enabled in the nginx config.
Installation and Service
Install radicale through your package manager (not pip).
The standard radicale package should come with a nice systemd service file.
If the service comes already-started, stop it immediately:
sudo systemctl stop radicale
Set up Passwords
Edit /etc/radicale/config, changing the [auth] section from this:
#type = none
...to this:
type = htpasswd
Make sure the service is off, as people may be able to sign in without a password at this point.
Next, find the htpasswd program.
You might get it in the apache package or similar.
htpasswd allows you to generate passwords for users, and place them in /etc/radicale/users.
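PASS="$(xkcdpass)"
# -n prints the user:hash line; -b takes the password as an argument, so it is briefly visible in the process list
htpasswd -nb "$USER" "$PASS" | sudo tee -a /etc/radicale/users
echo "Your username is $USER"
echo "Your password is $PASS"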
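Since a config whose type line is still commented out may let people sign in without a password, a check like the following can be run before the service is started. It is an added example, not part of the original page or of radicale itself: the function names ini_get and radicale_auth_check are hypothetical, the sample files are constructed, and the fallback to /etc/radicale/users when htpasswd_filename is unset is assumed from the path used above.

```shell
#!/bin/sh
# Added example (not from the original page): check the [auth] settings before
# starting radicale. Function names here are hypothetical.

# Print KEY from [SECTION] of an INI file, ignoring commented-out lines
# such as the stock "#type = none".
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 only if htpasswd auth is on and the users file is usable and private.
radicale_auth_check() {  # usage: radicale_auth_check CONFIG
    rc=0
    auth_type=$(ini_get "$1" auth type)
    users=$(ini_get "$1" auth htpasswd_filename)
    users=${users:-/etc/radicale/users}  # assumed default: the path this page uses
    if [ "$auth_type" != "htpasswd" ]; then
        echo "FAIL: [auth] type is '${auth_type:-unset}', expected htpasswd"; rc=1
    fi
    if [ ! -s "$users" ]; then
        echo "FAIL: $users is missing or empty"; rc=1
    elif [ -n "$(find "$users" -prune -perm -004)" ]; then
        echo "FAIL: $users is world-readable, password hashes are exposed"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: htpasswd auth on, users file $users"; fi
    return "$rc"
}

# Constructed sample input: the config before and after the edit on this page.
demo=$(mktemp -d)
printf '[auth]\n#type = none\n' > "$demo/before"
printf '[auth]\ntype = htpasswd\nhtpasswd_filename = %s\n' "$demo/users" > "$demo/after"
printf 'alice:constructed-hash-placeholder\n' > "$demo/users"
chmod 640 "$demo/users"
radicale_auth_check "$demo/before" || echo "=> do not start radicale yet"
radicale_auth_check "$demo/after" && echo "=> auth settings look right"
```

On a real server the call would be radicale_auth_check /etc/radicale/config, run with enough privilege to read the users file.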
Right now, you can't sign into the server except through the localhost, which is pointless.
So now we add a subdomain to nginx.
# sudo tee writes the file as root; a plain > redirect would be opened by the unprivileged shell and fail
echo '
server {
    listen 80;
    server_name cal.DOMAIN;

    # Plain HTTP only redirects, so the login is never proxied unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cal.DOMAIN;
    ssl_certificate /etc/letsencrypt/live/cal.DOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cal.DOMAIN/privkey.pem; # managed by Certbot

    location / {
        proxy_pass http://localhost:5232;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
' | sudo tee /etc/nginx/sites-available/radicale > /dev/null
sudo ln -s /etc/nginx/sites-available/radicale /etc/nginx/sites-enabled/
Finally, replace the example DOMAIN with your actual domain name.
DOMAIN=whatever.com
sudo sed -i "s/DOMAIN/$DOMAIN/g" /etc/nginx/sites-available/radicale
(optional: replace that cal. prefix with anything else)
Check nginx is happy:
sudo nginx -t
You will almost certainly need a new SSL certificate for the site:
sudo certbot -d "cal.$DOMAIN"
Start or restart both services:
sudo systemctl start radicale
sudo systemctl restart nginx
You should now be able to log into your calendar, and add it to a phone.
NB: you don't need the port number.