Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-09-11 15:08:33 +01:00

nixos/radicale: add settings option

The radicale version is no longer chosen automatically based on
system.stateVersion because that gave the impression that old versions
are still supported.
This commit is contained in:
Robert Schütz 2021-04-23 20:23:24 +02:00
parent 870b3a3054
commit 022c5b0922
3 changed files with 195 additions and 161 deletions

View file

@ -715,6 +715,13 @@ environment.systemPackages = [
The <package>yadm</package> dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly.
Instead of determining <option>services.radicale.package</option>
automatically based on <option>system.stateVersion</option>, the latest
version is always used because old versions are not officially supported.

View file

@ -3,56 +3,101 @@
with lib;
cfg = config.services.radicale;
confFile = pkgs.writeText "radicale.conf" cfg.config;
defaultPackage = if versionAtLeast config.system.stateVersion "20.09" then {
pkg = pkgs.radicale3;
text = "pkgs.radicale3";
} else if versionAtLeast config.system.stateVersion "17.09" then {
pkg = pkgs.radicale2;
text = "pkgs.radicale2";
} else {
pkg = pkgs.radicale1;
text = "pkgs.radicale1";
format = pkgs.formats.ini {
listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { });
pkg = if isNull cfg.package then
options = {
services.radicale.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable Radicale CalDAV and CardDAV server.
confFile = if cfg.settings == { } then
pkgs.writeText "radicale.conf" cfg.config
format.generate "radicale.conf" cfg.settings;
rightsFile = format.generate "radicale.rights" cfg.rights;
in {
options.services.radicale = {
enable = mkEnableOption "Radicale CalDAV and CardDAV server";
package = mkOption {
description = "Radicale package to use.";
# Default cannot be pkgs.radicale because non-null values suppress
# warnings about incompatible configuration and storage formats.
type = with types; nullOr package // { inherit (package) description; };
default = null;
defaultText = "pkgs.radicale";
services.radicale.package = mkOption {
type = types.package;
default = defaultPackage.pkg;
defaultText = defaultPackage.text;
description = ''
Radicale package to use. This defaults to version 1.x if
<literal>system.stateVersion &lt; 17.09</literal>, version 2.x if
<literal>17.09 system.stateVersion &lt; 20.09</literal>, and
version 3.x otherwise.
services.radicale.config = mkOption {
config = mkOption {
type = types.str;
default = "";
description = ''
Radicale configuration, this will set the service
configuration file.
This option is mutually exclusive with <option>settings</option>.
This option is deprecated. Use <option>settings</option> instead.
services.radicale.extraArgs = mkOption {
settings = mkOption {
type = format.type;
default = { };
description = ''
Configuration for Radicale. See
<link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />.
This option is mutually exclusive with <option>config</option>.
example = literalExample ''
server = {
hosts = [ "" "[::]:5232" ];
auth = {
type = "htpasswd";
htpasswd_filename = "/etc/radicale/users";
htpasswd_encryption = "bcrypt";
storage = {
filesystem_folder = "/var/lib/radicale/collections";
rights = mkOption {
type = format.type;
description = ''
Configuration for Radicale's rights file. See
<link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />.
This option only works in conjunction with <option>settings</option>.
Setting this will also set <option>settings.rights.type</option> and
<option>settings.rights.file</option> to approriate values.
default = { };
example = literalExample ''
root = {
user = ".+";
collection = "";
permissions = "R";
principal = {
user = ".+";
collection = "{user}";
permissions = "RW";
calendars = {
user = ".+";
collection = "{user}/[^/]+";
permissions = "rw";
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
description = "Extra arguments passed to the Radicale daemon.";
@ -60,7 +105,38 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
assertions = [
assertion = cfg.settings == { } || cfg.config == "";
message = ''
The options services.radicale.config and services.radicale.settings
are mutually exclusive.
warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") ''
The configuration and storage formats of your existing Radicale
installation might be incompatible with the newest version.
For upgrade instructions see
Set services.radicale.package to suppress this warning.
'' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") ''
The configuration format of your existing Radicale installation might be
incompatible with the newest version. For upgrade instructions see
Set services.radicale.package to suppress this warning.
'' ++ optional (cfg.config != "") ''
The option services.radicale.config is deprecated.
Use services.radicale.settings instead.
services.radicale.settings.rights = mkIf (cfg.rights != { }) {
type = "from_file";
file = toString rightsFile;
environment.systemPackages = [ pkg ];
users.users.radicale =
{ uid = config.ids.uids.radicale;
@ -75,10 +151,11 @@ in
systemd.services.radicale = {
description = "A Simple Calendar and Contact Server";
after = [ "network.target" ];
requires = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = concatStringsSep " " ([
"${cfg.package}/bin/radicale" "-C" confFile
"${pkg}/bin/radicale" "-C" confFile
] ++ (
map escapeShellArg cfg.extraArgs
@ -88,5 +165,5 @@ in
meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ];

View file

@ -1,140 +1,90 @@
import ./make-test-python.nix ({ lib, pkgs, ... }:
user = "someuser";
password = "some_password";
port = builtins.toString 5232;
port = "5232";
filesystem_folder = "/data/radicale";
common = { pkgs, ... }: {
cli = "${pkgs.calendar-cli}/bin/calendar-cli --caldav-user ${user} --caldav-pass ${password}";
in {
name = "radicale3";
meta.maintainers = with lib.maintainers; [ dotlambda ];
machine = { pkgs, ... }: {
services.radicale = {
enable = true;
config = ''
type = htpasswd
htpasswd_filename = /etc/radicale/htpasswd
htpasswd_encryption = bcrypt
filesystem_folder = /tmp/collections
settings = {
auth = {
type = "htpasswd";
htpasswd_filename = "/etc/radicale/users";
htpasswd_encryption = "bcrypt";
storage = {
inherit filesystem_folder;
hook = "git add -A && (git diff --cached --quiet || git commit -m 'Changes by '%(user)s)";
logging.level = "info";
rights = {
principal = {
user = ".+";
collection = "{user}";
permissions = "RW";
calendars = {
user = ".+";
collection = "{user}/[^/]+";
permissions = "rw";
systemd.services.radicale.path = [ pkgs.git ];
environment.systemPackages = [ pkgs.git ];
systemd.tmpfiles.rules = [ "d ${filesystem_folder} 0750 radicale radicale -" ];
# This puts unhashed secrets directly into the Nix store for ease of testing.
environment.etc."radicale/htpasswd".source = pkgs.runCommand "htpasswd" {} ''
environment.etc."radicale/users".source = pkgs.runCommand "htpasswd" {} ''
${pkgs.apacheHttpd}/bin/htpasswd -bcB "$out" ${user} ${password}
testScript = ''
machine.succeed("sudo -u radicale git -C ${filesystem_folder} init")
"sudo -u radicale git -C ${filesystem_folder} config --local user.email radicale@example.com"
"sudo -u radicale git -C ${filesystem_folder} config --local user.name radicale"
import ./make-test-python.nix ({ lib, ... }@args: {
name = "radicale";
meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
with subtest("Test calendar and event creation"):
"${cli} --caldav-url http://localhost:${port}/${user} calendar create cal"
machine.succeed("test -d ${filesystem_folder}/collection-root/${user}/cal")
machine.succeed('test -z "$(ls ${filesystem_folder}/collection-root/${user}/cal)"')
"${cli} --caldav-url http://localhost:${port}/${user}/cal calendar add 2021-04-23 testevent"
machine.succeed('test -n "$(ls ${filesystem_folder}/collection-root/${user}/cal)"')
(status, stdout) = machine.execute(
"sudo -u radicale git -C ${filesystem_folder} log --format=oneline | wc -l"
assert status == 0, "git log failed"
assert stdout == "3\n", "there should be exactly 3 commits"
nodes = rec {
radicale = radicale1; # Make the test script read more nicely
radicale1 = lib.recursiveUpdate (common args) {
nixpkgs.overlays = [
(self: super: {
radicale1 = super.radicale1.overrideAttrs (oldAttrs: {
propagatedBuildInputs = with self.pythonPackages;
(oldAttrs.propagatedBuildInputs or []) ++ [ passlib ];
system.stateVersion = "17.03";
radicale1_export = lib.recursiveUpdate radicale1 {
services.radicale.extraArgs = [
"--export-storage" "/tmp/collections-new"
system.stateVersion = "17.03";
radicale2_verify = lib.recursiveUpdate radicale2 {
services.radicale.extraArgs = [ "--debug" "--verify-storage" ];
system.stateVersion = "17.09";
radicale2 = lib.recursiveUpdate (common args) {
system.stateVersion = "17.09";
radicale3 = lib.recursiveUpdate (common args) {
system.stateVersion = "20.09";
with subtest("Test rights file"):
"${cli} --caldav-url http://localhost:${port}/${user} calendar create sub/cal"
"${cli} --caldav-url http://localhost:${port}/otheruser calendar create cal"
# This tests whether the web interface is accessible to an authenticated user
testScript = { nodes }: let
switchToConfig = nodeName: let
newSystem = nodes.${nodeName}.config.system.build.toplevel;
in "${newSystem}/bin/switch-to-configuration test";
in ''
with subtest("Check Radicale 1 functionality"):
"${switchToConfig "radicale1"} >&2"
"curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
with subtest("Export data in Radicale 2 format"):
radicale.succeed("systemctl stop radicale")
radicale.succeed("ls -al /tmp/collections")
radicale.fail("ls -al /tmp/collections-new")
with subtest("Radicale exits immediately after exporting storage"):
"${switchToConfig "radicale1_export"} >&2"
radicale.wait_until_fails("systemctl status radicale")
radicale.succeed("ls -al /tmp/collections")
radicale.succeed("ls -al /tmp/collections-new")
with subtest("Verify data in Radicale 2 format"):
radicale.succeed("rm -r /tmp/collections/${user}")
radicale.succeed("mv /tmp/collections-new/collection-root /tmp/collections")
"${switchToConfig "radicale2_verify"} >&2"
radicale.wait_until_fails("systemctl status radicale")
(retcode, logs) = radicale.execute("journalctl -u radicale -n 10")
assert (
retcode == 0 and "Verifying storage" in logs
), "Radicale 2 didn't verify storage"
assert (
"failed" not in logs and "exception" not in logs
), "storage verification failed"
with subtest("Check Radicale 2 functionality"):
"${switchToConfig "radicale2"} >&2"
(retcode, output) = radicale.execute(
"curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
assert (
retcode == 0 and "VCALENDAR" in output
), "Could not read calendar from Radicale 2"
radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")
with subtest("Check Radicale 3 functionality"):
"${switchToConfig "radicale3"} >&2"
(retcode, output) = radicale.execute(
"curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
assert (
retcode == 0 and "VCALENDAR" in output
), "Could not read calendar from Radicale 3"
radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")
with subtest("Test web interface"):
machine.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")