diff --git a/defaults/main.yaml b/defaults/main.yaml
index 310da6a..9c1e6e7 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -14,8 +14,8 @@ radicale_config:
 #max_connections: 20
 #max_connections: 100000000
 #timeout: 30
- dns_lookup: false
- #realm: Radicale Realm
+
+ # Consider TLS directives carefully before activating them.
 #ssl: true
 #certificate: "/etc/ssl/radicale.cert.pem"
@@ -29,16 +29,16 @@ radicale_config:
 auth:
 type: htpasswd
 htpasswd_filename: "{{ radicale_server_home_dir }}/users.htpasswd"
- htpasswd_encryption: bcrypt
+ htpasswd_encryption: md5
 delay: 1
+ #realm: Radicale Realm
 rights:
 type: from_file
 file: "{{ radicale_server_home_dir }}/rights.conf"
 storage:
 type: multifilesystem
 filesystem_folder: "{{ radicale_server_home_dir }}/collections"
- filesystem_locking: false
- filesystem_fsync: true
+
 # For an example of the `hook` directive in use, see
 # http://radicale.org/versioning/
 #hook:
@@ -48,7 +48,7 @@ radicale_config:
 #X-Extra-HTTP-Header: foo
 #X-Another-Header: bar
 #logging:
- #debug: false
+ #level: false
 #mask_passwords: true
 #full_environment: false
 #config: "/etc/radicale/log.conf"
@@ -62,4 +62,4 @@ radicale_users:
 # paste it here. This method allows a user to generate a password
 # for their account themselves, and then send you the hash rather
 # than the plaintext.
- #bcrypt_hash: "$2y$05$t31SnKFWj9UcMr5Y96cl3uBFkdhelqkZn77TnquIeVb9sriEByUPK"
+ #md5_hash: "$2y$05$t31SnKFWj9UcMr5Y96cl3uBFkdhelqkZn77TnquIeVb9sriEByUPK"
diff --git a/files/rights.conf b/files/rights.conf
index 9d09141..05105cd 100644
--- a/files/rights.conf
+++ b/files/rights.conf
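Review bot: The added comment `# Consider TLS directives carefully before activating them.` gives the reader nothing to act on, and the `#ssl`/`#certificate` examples beneath it stay unexplained. Only `dns_lookup` actually disappears from the server section here; `realm` is re-added under `auth` in the next hunk, which is worth saying in place so someone diffing their overrides knows where it went. A comment that names the decision would be more useful, e.g. `# ssl/certificate/key switch on Radicale's built-in TLS; leave them unset if a reverse proxy terminates TLS in front of Radicale` — adjust to whatever deployment the role actually targets.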
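Review bot: `htpasswd_encryption: md5` replaces bcrypt as the role-wide default for the htpasswd file, which is a downgrade: apr1-MD5 is orders of magnitude cheaper to brute-force offline than bcrypt, so a leaked `users.htpasswd` now exposes passwords much more readily. The same switch is carried into `#md5_hash` in the last hunk of this file and `crypt_scheme` in tasks/main.yaml. If the motive is that Radicale's htpasswd backend needs the `bcrypt` Python package for that scheme (presumably — the commit does not say), the role should install that dependency rather than lower the hash; at minimum keep `htpasswd_encryption: bcrypt` as the default and make `md5` an explicit opt-in. Moving `#realm: Radicale Realm` under `auth` is correct for Radicale 3 and is fine.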
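Review bot: `#level: false` carries the old boolean from `debug` into a key that takes a log-level name; Radicale's `[logging] level` accepts debug, info, warning, error or critical (warning being its default), so anyone uncommenting this example gets an invalid value. Change the example to `#level: warning`. The hunk in templates/etc/radicale/config.j2 that renders `level` keeps the same leftover in its `default(false)` fallback and should be fixed together with this line.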
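Review bot: The example value under the renamed `#md5_hash` key is still the old bcrypt hash (`$2y$05$…`); an apr1-MD5 htpasswd entry starts with `$apr1$`, so a user who follows this example will paste a hash that the md5 backend cannot verify. Replace it with an obviously fake placeholder, e.g. `#md5_hash: "$apr1$<salt>$<hash>"` (constructed), and say it can be produced with `htpasswd -nm`. If the bcrypt default is kept as suggested on the `auth` hunk, revert the key name here and in tasks/main.yaml instead.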
@@ -1,29 +1,18 @@
-################################################
-# Radicale user rights configuration file. #
-# #
-# See http://radicale.org/rights/ for details. #
-################################################
+# Allow reading root collection for authenticated users
+[root]
+user: .+
+collection:
+permissions: R
-## The user "admin" can read and write any collection.
-#[admin]
-#user = admin
-#collection = .*
-#permission = rw
+# Allow reading and writing principal collection (same as user name)
+[principal]
+user: .+
+collection: {user}
+permissions: RW
-# Authenticated users can list (discover) their own collections.
-[owner-discover]
-user = .+
-collection = ^%(login)s$
-permission = rw
-
-# Authenticated users can read and write their own collections.
-[owner-write]
-user = .+
-collection = ^%(login)s/.*
-permission = rw
-
-# Everyone can read the root collection
-[read]
-user = .*
-collection =
-permission = r
+# Allow reading and writing calendars and address books that are direct
+# children of the principal collection
+[calendars]
+user: .+
+collection: {user}/[^/]+
+permissions: rw
\ No newline at end of file
diff --git a/tasks/main.yaml b/tasks/main.yaml
index be656d0..60b6400 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -40,15 +40,15 @@
 name: "{{ item.name }}"
 password: "{{ item.password }}"
 state: "{{ item.state | default('present') }}"
- crypt_scheme: "bcrypt"
+ crypt_scheme: "apr_md5_crypt "
 loop: "{{ radicale_users }}"
 - name: Set Radicale user with password hash.
- when: item.bcrypt_hash is defined
+ when: item.md5_hash is defined
 no_log: true
 lineinfile:
 path: "{{ radicale_config.auth.htpasswd_filename | default('/var/lib/radicale/users.htpasswd') }}"
- line: "{{ item.name }}:{{ item.bcrypt_hash }}"
+ line: "{{ item.name }}:{{ item.md5_hash }}"
 state: "{{ item.state | default('present') }}"
 loop: "{{ radicale_users }}"
diff --git a/templates/etc/radicale/config.j2 b/templates/etc/radicale/config.j2
index c441067..c48622b 100644
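Review bot: The three new sections use `R`, `RW` and `rw`, and nothing in the file says the case is significant, so the lowercase `rw` on `[calendars]` reads like a typo even though it is deliberate — in Radicale 3 rights files uppercase `R`/`W` grant access to plain collections and lowercase `r`/`w` to calendars and address books. Add a header comment such as `# Permission letters are case-sensitive: R/W apply to ordinary collections, r/w to calendars and address books.` The file also now ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show a spurious change on the last line. Note that the root rule now requires an authenticated user (`.+`) where the old `[read]` rule allowed anonymous (`.*`) — presumably intended, but it is a behaviour change worth recording for existing deployments.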
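Review bot: `crypt_scheme: "apr_md5_crypt "` has a trailing space inside the quotes; the htpasswd module hands the scheme name to passlib, which will not recognise `apr_md5_crypt ` as a scheme, so every password-based user in the loop is likely to fail rather than be written with MD5. Change it to `crypt_scheme: "apr_md5_crypt"`. The enclosing tasks start outside this hunk; the bcrypt-to-MD5 downgrade itself is raised on the `htpasswd_encryption` hunk of defaults/main.yaml and applies to the `md5_hash` rename here as well.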
--- a/templates/etc/radicale/config.j2
+++ b/templates/etc/radicale/config.j2
@@ -26,12 +26,6 @@ max_content_length = {{ radicale_config.server.max_content_length | default(1000
 {% if radicale_config.server.timeout is defined %}
 timeout = {{ radicale_config.server.timeout | default(30) | int }}
 {% endif %}
-{% if radicale_config.server.dns_lookup is defined %}
-dns_lookup = {{ radicale_config.server.dns_lookup | default(true) }}
-{% endif %}
-{% if radicale_config.server.realm is defined %}
-realm = {{ radicale_config.server.realm | default('Radicale - Password Required') }}
-{% endif %}
 {% if radicale_config.server.ssl is defined %}
 ssl = {{ radicale_config.server.ssl | default('false') }}
 {% endif %}
@@ -78,6 +72,9 @@ delay = {{ radicale_config.auth.delay | default('1') }}
 {% endif %}
 {% endif %}{# END if radicale_config.auth is defined #}
 {% if radicale_config.rights is defined %}
+{% if radicale_config.auth.realm is defined %}
+realm = {{ radicale_config.auth.realm | default('Radicale - Password Required') }}
+{% endif %}
 [rights]
 {% if radicale_config.rights.type is defined %}
@@ -96,15 +93,9 @@ type = {{ radicale_config.storage.type | default('multifilesystem') }}
 {% if radicale_config.storage.filesystem_folder is defined %}
 filesystem_folder = {{ radicale_config.storage.filesystem_folder | default('/var/lib/radicale/collections') }}
 {% endif %}
-{% if radicale_config.storage.filesystem_locking is defined %}
-filesystem_locking = {{ radicale_config.storage.filesystem_locking | default(true) }}
-{% endif %}
 {% if radicale_config.storage.max_sync_token_age is defined %}
 max_sync_token_age = {{ radicale_config.storage.max_sync_token_age | default(2592000) | int }}
 {% endif %}
-{% if radicale_config.storage.filesystem_fsync is defined %}
-filesystem_fsync = {{ radicale_config.storage.filesystem_fsync | default(true) }}
-{% endif %}
 {% if radicale_config.storage.hook is defined %}
 hook = {{ radicale_config.storage.hook }}
 {% endif %}
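Review bot: The new `realm` block is gated on `radicale_config.rights is defined` and reads `radicale_config.auth.realm` after the `auth` block has already been closed (`{# END if radicale_config.auth is defined #}`), so a host that defines `rights` but no `auth` mapping evaluates an attribute of an undefined variable (Ansible's undefined handling may quietly treat it as "not defined", but that is fragile), while a host with `auth.realm` and no `rights` never gets its realm rendered at all. Move the three added lines up into the `{% if radicale_config.auth is defined %}` block next to the other `[auth]` keys (that block starts outside this hunk) so the guard and the INI section it lands in agree; as a smaller patch, `{% if radicale_config.auth is defined and radicale_config.auth.realm is defined %}` fixes only the first problem. The `default('Radicale - Password Required')` fallback can never fire because the line is only rendered when `auth.realm` is defined — consistent with the surrounding keys, so acceptable as style, but not a real default.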
@@ -126,8 +117,8 @@ type = {{ radicale_config.web.type | default('internal') }}
 {% if radicale_config.logging is defined %}
 [logging]
-{% if radicale_config.logging.debug is defined %}
-debug = {{ radicale_config.logging.debug | default(false) }}
+{% if radicale_config.logging.level is defined %}
+level = {{ radicale_config.logging.level | default(false) }}
 {% endif %}
 {% if radicale_config.logging.mask_passwords is defined %}
 mask_passwords = {{ radicale_config.logging.mask_passwords | default(true) }}