2025-12-15 21:34:45 +11:00
5 changed files with 76 additions and 3 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -27,9 +27,7 @@

  # hardened openssh
  services.openssh = {
-    passwordAuthentication = false;
    allowSFTP = false;
-    challengeResponseAuthentication = false;
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
@ -37,6 +35,10 @@
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
  };

  system.stateVersion = "24.11";
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@ -11,6 +11,7 @@
    "homepage-dashboard"
    "immich"
    "jellyfin"
+    "karakeep"
    "lidarr"
    "miniflux"
    "nginx"
@ -19,6 +20,7 @@
    "prowlarr"
    "qbittorrent"
    "radarr"
+    "radicale"
    "sonarr"
    "syncthing"
    "vaultwarden"
--- a/modules/nixos/features/homepage-dashboard.nix
+++ b/modules/nixos/features/homepage-dashboard.nix
@ -65,6 +65,13 @@ in
                "href" = "https://ntfy-sh.fi33.buzz/";
              };
            }
+            {
+              "Radicale" = {
+                "description" = "CalDAV/CardDAV service";
+                "icon" = "radicale.svg";
+                "href" = "https://radicale.fi33.buzz";
+              };
+            }
            {
              "Syncthing" = {
                "description" = "Decentralised file synchronisation";
--- a/modules/nixos/features/karakeep.nix
+++ b/modules/nixos/features/karakeep.nix
@ -0,0 +1,20 @@
+let
+  port = "5014";
+in
+{
+  services = {
+    karakeep = {
+      enable = true;
+      extraEnvironment = {
+        PORT = port;
+        DISABLE_NEW_RELEASE_CHECK = "true";
+      };
+    };
+
+    nginx.virtualHosts."karakeep.fi33.buzz" = {
+      forceSSL = true;
+      useACMEHost = "fi33.buzz";
+      locations."/".proxyPass = "http://localhost:${port}";
+    };
+  };
+}
--- a/modules/nixos/features/radicale.nix
+++ b/modules/nixos/features/radicale.nix
@ -0,0 +1,42 @@
+{
+  config,
+  ...
+}:
+let
+  port = "5003";
+in
+{
+  services = {
+    radicale = {
+      enable = true;
+      settings = {
+        server = {
+          hosts = [
+            "0.0.0.0:${port}"
+            "[::]:${port}"
+          ];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = config.age.secrets.radicale.path;
+          htpasswd_encryption = "plain";
+        };
+        storage = {
+          filesystem_folder = "/srv/radicale";
+        };
+      };
+    };
+
+    nginx.virtualHosts."radicale.fi33.buzz" = {
+      forceSSL = true;
+      useACMEHost = "fi33.buzz";
+      locations."/".proxyPass = "http://localhost:${port}";
+    };
+  };
+
+  # secrets
+  age.secrets."radicale" = {
+    file = ../../../secrets/radicale.age;
+    owner = "radicale";
+  };
+}