From b68799a44848a66fad31a00ef6b99a1bd07a7af6 Mon Sep 17 00:00:00 2001
From: Maniack Crudelis
Date: Tue, 22 Nov 2022 13:29:11 +0100
Subject: [PATCH] Update config files to v3
---
 conf/config | 171 +++++++++++++++++++++------------------------------
 conf/logging | 49 ---------------
 conf/rights | 166 +++++++++++++++++++++++++++++++++----------------
 3 files changed, 181 insertions(+), 205 deletions(-)
 delete mode 100644 conf/logging
diff --git a/conf/config b/conf/config
index 91c9dab..c0dd781 100644
--- a/conf/config
+++ b/conf/config
@@ -15,41 +15,29 @@
 # IPv4 syntax: address:port
 # IPv6 syntax: [address]:port
 # For example: 0.0.0.0:9999, [::]:9999
-# IPv6 adresses are configured to only allow IPv6 connections
-#hosts = 0.0.0.0:5232
+hosts = localhost:__PORT__
-# Daemon flag
-#daemon = False
+# Max parallel connections
+#max_connections = 8
-# File storing the PID in daemon mode
-#pid =
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
 # SSL flag, enable HTTPS protocol
 #ssl = False
 # SSL certificate path
-#certificate = /etc/apache2/ssl/server.crt
+#certificate = /etc/ssl/radicale.cert.pem
 # SSL private key
-#key = /etc/apache2/ssl/server.key
+#key = /etc/ssl/radicale.key.pem
-# SSL Protocol used. See python's ssl module for available values
-#protocol = PROTOCOL_SSLv23
-
-# Ciphers available. See python's ssl module for available ciphers
-#ciphers =
-
-# Reverse DNS to resolve client address in logs
-dns_lookup = True
-
-# Root URL of Radicale (starting and ending with a slash)
-base_prefix = __PATH__
-
-# Possibility to allow URLs cleaned by a HTTP server, without the base_prefix
-#can_skip_base_prefix = False
-
-# Message displayed in the client when a password is needed
-#realm = Radicale - Password Required
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
 [encoding]
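Review bot: The removed `base_prefix = __PATH__` has no replacement in the new `[server]` block, so the sub-path the app is installed under is no longer told to Radicale; in the v3 line that prefix is expected from the reverse proxy (the `X-Script-Name` request header), and this patch shows no proxy-side change, so confirm the nginx configuration sets it or URLs under `__PATH__` will stop resolving. `hosts = localhost:__PORT__` together with `#ssl = False` is consistent with TLS being terminated by the proxy, but that trust boundary is only implied; a line such as `# TLS is terminated by the reverse proxy; never expose this port directly` above `hosts` would keep a later editor from widening it to `0.0.0.0`. The new `#certificate_authority =` key is, per its own comment, how the proxy-to-Radicale hop can be authenticated, and leaving it empty while TLS is off is coherent — saying so in the comment would spare the next reader the question.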
@@ -61,89 +49,63 @@ request = utf-8
 stock = utf-8
-[well-known]
-
-# Path where /.well-known/caldav/ is redirected
-#caldav = '/%(user)s/caldav/'
-
-# Path where /.well-known/carddav/ is redirected
-#carddav = '/%(user)s/carddav/'
-
-
 [auth]
 # Authentication method
-# Value: None | htpasswd | IMAP | LDAP | PAM | courier | http | remote_user | custom
-type = LDAP
-
-# Custom authentication handler
-#custom_handler =
+# Value: none | htpasswd | remote_user | http_x_remote_user
+#type = none
+type = htpasswd
 # Htpasswd filename
-#htpasswd_filename = /etc/radicale/users
+htpasswd_filename = /etc/radicale/users
 # Htpasswd encryption method
-# Value: plain | sha1 | ssha | crypt
-#htpasswd_encryption = crypt
+# Value: plain | bcrypt | md5
+# bcrypt requires the installation of radicale[bcrypt].
+htpasswd_encryption = bcrypt
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+# LDAP doesn't work for now...
+# type = radicale_auth_ldap
 # LDAP server URL, with protocol and port
-ldap_url = ldap://localhost:389/
+# ldap_url = ldap://localhost:389/
 # LDAP base path
-ldap_base = ou=users,dc=yunohost,dc=org
+# ldap_base = ou=users,dc=yunohost,dc=org
 # LDAP login attribute
-ldap_attribute = uid
+# ldap_attribute = uid
 # LDAP filter string
 # placed as X in a query of the form (&(...)X)
 # example: (objectCategory=Person)(objectClass=User)(memberOf=cn=calenderusers,ou=users,dc=example,dc=org)
-# leave empty if no additional filter is needed
-ldap_filter =
+# ldap_filter =
 # LDAP dn for initial login, used if LDAP server does not allow anonymous searches
 # Leave empty if searches are anonymous
-#ldap_binddn =
+# ldap_binddn =
 # LDAP password for initial login, used with ldap_binddn
-#ldap_password =
+# ldap_password =
 # LDAP scope of the search
-ldap_scope = OneLevel
-
-# IMAP Configuration
-#imap_hostname = localhost
-#imap_port = 143
-#imap_ssl = False
-
-# PAM group user should be member of
-#pam_group_membership =
-
-# Path to the Courier Authdaemon socket
-#courier_socket =
-
-# HTTP authentication request URL endpoint
-#http_url =
-# POST parameter to use for username
-#http_user_parameter =
-# POST parameter to use for password
-#http_password_parameter =
-
-
-[git]
-
-# Git default options
-#committer = Radicale
+# ldap_scope = OneLevel
+# LDAP extended option
+# If the server is samba, ldap_support_extended is should be no
+# ldap_support_extended = yes
 [rights]
 # Rights backend
-# Value: None | authenticated | owner_only | owner_write | from_file | custom
-type = from_file
-
-# Custom rights handler
-#custom_handler =
+# Value: none | authenticated | owner_only | owner_write | from_file
+#type = owner_only
 # File for rights management from_file
 file = /etc/radicale/rights
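Review bot: `[rights]` now leaves `#type = owner_only` commented out while keeping `file = /etc/radicale/rights`, so the backend falls back to its built-in default and the shipped rights file (rewritten in the `conf/rights` part of this same patch) is never consulted; if that file is meant to stay authoritative the line should read `type = from_file`, otherwise `file =` and `conf/rights` are dead configuration and should be dropped rather than left looking effective. `htpasswd_encryption = bcrypt` is a sound replacement for `crypt`, but entries already present in `/etc/radicale/users` were hashed with the old method and will stop validating after the upgrade — nothing in this patch regenerates that file, so presumably the upgrade script does; confirm that, and that the `radicale[bcrypt]` extra named in the comment is actually installed, since without it the auth backend is likely to refuse to load rather than silently weaken. Minor: `# If the server is samba, ldap_support_extended is should be no` has a stray "is".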
@@ -152,37 +114,35 @@ file = /etc/radicale/rights
 [storage]
 # Storage backend
-# -------
-# WARNING: ONLY "filesystem" IS DOCUMENTED AND TESTED,
-# OTHER BACKENDS ARE NOT READY FOR PRODUCTION.
-# -------
-# Value: filesystem | multifilesystem | database | custom
-type = filesystem
-
-# Custom storage handler
-#custom_handler =
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
 # Folder for storing local collections, created if not present
 filesystem_folder = __FINALPATH__/collections
-# Database URL for SQLAlchemy
-# dialect+driver://user:password@host/dbname[?key=value..]
-# For example: sqlite:///var/db/radicale.db, postgresql://user:password@localhost/radicale
-# See http://docs.sqlalchemy.org/en/rel_0_8/core/engines.html#sqlalchemy.create_engine
-#database_url =
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Command that is run after changes to storage
+# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+#hook =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+#type = internal
 [logging]
-# Logging configuration file
-# If no config is given, simple information is printed on the standard output
-# For more information about the syntax of the configuration file, see:
-# http://docs.python.org/library/logging.config.html
-config = /etc/radicale/logging
-# Set the default logging level to debug
-debug = False
-# Store all environment variables (including those set in the shell)
-full_environment = False
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = warning
+
+# Don't include passwords in logs
+#mask_passwords = True
 [headers]
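Review bot: With `[logging]` reduced to a commented `#level = warning` and `conf/logging` deleted in this same patch, Radicale no longer writes `/var/log/radicale/radicale.log`; anything that consumed that file — log rotation, the app's log display, any brute-force detection keyed on failed logins — now has to read the service's stderr/journal instead, and nothing here adjusts that, so please confirm it is handled elsewhere. `#mask_passwords = True` is left implicit; since this file is the deployed configuration rather than upstream's template, spelling it out as `mask_passwords = True` makes the safe default visible and harder to lose in a later edit. The `#hook =` example is a shell command with the user name interpolated; leaving it disabled is the right default for an unattended install and needs no change.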
@@ -192,3 +152,10 @@ Access-Control-Allow-Origin = *
 Access-Control-Allow-Methods = GET, POST, OPTIONS, PROPFIND, PROPPATCH, REPORT, PUT, MOVE, DELETE, LOCK, UNLOCK
 Access-Control-Allow-Headers = User-Agent, Authorization, Content-type, Depth, If-match, If-None-Match, Lock-Token, Timeout, Destination, Overwrite, X-clie$
 Access-Control-Expose-Headers = Etag
+
+#type = LDAP
+#ldap_url = ldap://localhost:389/
+#ldap_base = ou=users,dc=yunohost,dc=org
+#ldap_attribute = uid
+#ldap_filter =
+#ldap_scope = OneLevel
diff --git a/conf/logging b/conf/logging
deleted file mode 100644
index 75363d8..0000000
--- a/conf/logging
+++ /dev/null
@@ -1,49 +0,0 @@
-# Loggers, handlers and formatters keys
-
-[loggers]
-# Loggers names, main configuration slots
-keys = root
-
-[handlers]
-# Logging handlers, defining logging output methods
-keys = console,file
-
-[formatters]
-# Logging formatters
-keys = simple,full
-
-
-# Loggers
-
-[logger_root]
-# Root logger
-level = INFO
-handlers = console,file
-
-
-# Handlers
-
-[handler_console]
-# Console handler
-class = StreamHandler
-level = INFO
-args = (sys.stdout,)
-formatter = simple
-
-[handler_file]
-# File handler
-class = FileHandler
-level = INFO
-args = ('/var/log/radicale/radicale.log',)
-formatter = full
-
-
-# Formatters
-
-[formatter_simple]
-# Simple output format
-format = %(message)s
-
-[formatter_full]
-# Full output format
-format = %(asctime)s - %(levelname)s: %(message)s
diff --git a/conf/rights b/conf/rights
index ecb1f13..ffb114d 100644
--- a/conf/rights
+++ b/conf/rights
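Review bot: The seven lines appended after `Access-Control-Expose-Headers = Etag` land inside `[headers]`, whose keys Radicale sends verbatim as HTTP response headers, so `#type = LDAP` and the `#ldap_*` keys can never configure authentication from there; uncommenting them in place would instead advertise the LDAP URL and base DN to every client. They also duplicate the commented LDAP block this patch already keeps in `[auth]` in the previous hunk. Remove these lines, or move them into `[auth]` if they are meant as a reminder for a future LDAP backend.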
@@ -1,12 +1,116 @@
-# Rights are based on a regex-based file whose name is specified in the config (section "right", key "file").
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Rights management file for Radicale - A simple calendar server
 #
-# Authentication login is matched against the "user" key, and collection's path is matched against the "collection" key. You can use Python's ConfigParser interpolation values %(login)s and %(path)s. You can also get groups from the user regex in the collection with {0}, {1}, etc.
+# The default path for this file is /etc/radicale/rights
+# The path can be specified in the rights section of the configuration file
 #
-# For example, for the "user" key, ".+" means "authenticated user" and ".*" means "anybody" (including anonymous users).
-#
-# Section names are only used for naming the rule.
-#
-# Leading or ending slashes are trimmed from collection's path.
+# Section names are used for naming rules and must be unique.
+# The first rule matching both user and collection patterns will be used.
+
+
+# Example: owner_only plugin
+
+# Allow reading root collection for authenticated users
+#[root]
+#user: .+
+#collection:
+#permissions: R
+
+# Allow reading and writing principal collection (same as username)
+#[principal]
+#user: .+
+#collection: {user}
+#permissions: RW
+
+# Allow reading and writing calendars and address books that are direct
+# children of the principal collection
+#[calendars]
+#user: .+
+#collection: {user}/[^/]+
+#permissions: rw
+
+
+# Example: owner_write plugin
+# Only listed additional rules for the owner_only plugin example.
+
+# Allow reading principal collections of all users
+#[read-all-principals]
+#user: .+
+#collection: [^/]+
+#permissions: R
+
+# Allow reading all calendars and address books that are direct children of any
+# principal collection
+#[read-all-calendars]
+#user: .+
+#collection: [^/]+/[^/]+
+#permissions: r
+
+
+# Example: authenticated plugin
+
+# Allow reading and writing root and principal collections of all users
+#[root-and-principals]
+#user: .+
+#collection: [^/]*
+#permissions: RW
+
+# Allow reading and writing all calendars and address books that are direct
+# children of any principal collection
+#[calendars]
+#user: .+
+#collection: [^/]+/[^/]+
+#permissions: rw
+
+
+# Example: Allow user "admin" to read everything
+#[admin-read-all]
+#user: admin
+#collection: .*
+#permissions: Rr
+
+
+# Example: Allow everybody (including unauthenticated users) to read
+# the collection "public"
+
+# Allow reading collection "public" for authenticated users
+#[public-principal]
+#user: .+
+#collection: public
+#permissions: R
+
+# Allow reading all calendars and address books that are direct children of
+# the collection "public" for authenticated users
+#[public-calendars]
+#user: .+
+#collection: public/[^/]+
+#permissions: r
+
+# Allow access to public calendars and address books via HTTP GET for everyone
+#[public-calendars-restricted]
+#user: .*
+#collection: public/[^/]+
+#permissions: i
+
+# Example: Grant users of the form user@domain.tld read access to the
+# collection "domain.tld"
+
+# Allow reading the domain collection
+#[read-domain-principal]
+#user: .+@([^@]+)
+#collection: {0}
+#permissions: R
+
+# Allow reading all calendars and address books that are direct children of
+# the domain collection
+#[read-domain-calendars]
+#user: .+@([^@]+)
+#collection: {0}/[^/]+
+#permissions: r
+
+
 # User can read the root of all collection. And discovers your collection.
 [user-read-root-collection]
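Review bot: The new header states `Section names are used for naming rules and must be unique`, yet the pasted upstream examples define `[calendars]` twice (once under the owner_only example, once under the authenticated example); anyone uncommenting both will get a duplicate-section error from the parser. The examples also use the key `permissions:` with case-distinct letters (`R`/`r`, `W`/`w`, `i`), while the live rules that follow — `[user-read-root-collection]` at the end of this hunk and `[owner-read-write]` in the next — keep the old `permission:` key and lowercase letters, so the file now mixes two rule formats and a reader cannot tell which one the server honours. Either keep only the examples that apply to this deployment or rename the second one (e.g. `#[all-calendars]`), and bring the live rules to the format the installed Radicale version reads.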
@@ -17,51 +121,5 @@ permission: r
 # Give read and write access to owners
 [owner-read-write]
 user: .+
-collection: ^%(login)s|^%(login)s/.*
+collection: ^{user}|^{user}/.*
 permission: rw
-
-
-
-### EXAMPLES:
-
-## Allow authenticated user to read all collections
-# [allow-everyone-read]
-# user: .+
-# collection: .*
-# permission: r
-
-## This means all users starting with "admin" may read any collection
-# [admin]
-# user: ^admin.*$
-# collection: .*
-# permission: r
-
-## A little more complex: give read access to users from a domain for all
-# collections of all the users (ie. user@domain.tld can read domain/\*).
-# [domain-wide-access]
-# user: ^.+@(.+)\..+$
-# collection: ^{0}/.+$
-# permission: r
-
-## This means all users may read and write any collection starting with public.
-# [public]
-# user: .*
-# collection: ^public(/.+)?$
-# permission: rw
-
-## Partage public en lecture seule d'un agenda
-# [public for readonly]
-# user: .*
-# collection: ^utilisateur/nom_calendrier.ics$
-# permission: r
-
-## Partage public en lecture/écriture d'un agenda
-# [public for read/write]
-# user: .*
-# collection: ^utilisateur/nom_calendrier.ics$
-# permission: rw
-
-# [user1 can read and write user2/shared2]
-# user: ^user1$
-# collection: ^user2/shared2.ics$
-# permission: rw
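Review bot: `collection: ^{user}|^{user}/.*` adopts the v3 `{user}` placeholder, but the rule keeps `permission: rw` whereas the v3 examples this patch adds at the top of the file use `permissions:` and distinguish collection-level `RW` from item-level `rw`; if the installed backend reads only `permissions`, this rule (and the `permission: r` rule just above the hunk) grants nothing or fails at lookup, so verify the key name and letter set against the installed Radicale version before shipping. The alternation also relies on the backend matching the whole path; `collection: {user}(/.*)?` states the same intent without depending on alternation precedence or anchoring, and mirrors the `{user}/[^/]+` style of the examples. `[owner-read-write]` is complete in this hunk, but the read-only rule it is ordered after is outside it.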