# Calendar Sovereignty - Self-Hosted Calendar Infrastructure

## Philosophy

DAARION follows the principle of **digital sovereignty** - owning and controlling our communication infrastructure. Calendar is no exception.

## Current Stack

### Radicale + Caddy (Self-Hosted)

```
┌─────────────────────────────────────────────────────────┐
│                     DAARION Network                     │
│                                                         │
│  ┌─────────────┐      ┌─────────────┐                   │
│  │    Caddy    │──────│  Radicale   │                   │
│  │ (TLS/Proxy) │      │  (CalDAV)   │                   │
│  └─────────────┘      └─────────────┘                   │
│         │                    │                          │
│         │             ┌──────┴──────┐                   │
│         │             │             │                   │
│    ┌────▼────┐   ┌────▼────┐   ┌────▼────┐              │
│    │   iOS   │   │ Android │   │ Sofiia  │              │
│    │ Calendar│   │ Calendar│   │  Agent  │              │
│    └─────────┘   └─────────┘   └─────────┘              │
│                                                         │
└─────────────────────────────────────────────────────────┘
```

### Why Self-Hosted?

1. **Data Ownership** - Your calendar data stays on your servers
2. **No Vendor Lock-in** - Not dependent on Google/Apple/Microsoft
3. **Privacy** - No third parties reading your schedule
4. **Cost** - Free open-source software
5. **Control** - Full control over access, backups, retention

## Radicale Configuration

### Features

- CalDAV protocol support (RFC 4791)
- CardDAV for contacts (optional)
- HTTP Basic Auth
- Server-side encryption (optional)
- Web interface for users

### Endpoints

- Base URL: `https://caldav.daarion.space`
- Web Interface: `http://localhost:5232` (local only)

### User Management

Users are created automatically on first login. No admin panel needed.

```bash
# Access Radicale container
docker exec -it daarion-radicale /bin/sh

# View logs
docker logs daarion-radicale
```

## Client Configuration

### iOS

1. Settings → Calendar → Accounts → Add Account
2. Select "CalDAV"
3. Server: `caldav.daarion.space`
4. Username/Password: Your credentials

### Android (DAVdroid)

1. Install DAVdroid from F-Droid
2. Add Account → CalDAV
3. Server URL: `https://caldav.daarion.space`

### macOS

1. Calendar → Preferences → Accounts
2. Add Account → CalDAV
3. Server: `https://caldav.daarion.space`

### Thunderbird

1. Calendar → New Calendar
2. On the Network → CalDAV
3. Location: `https://caldav.daarion.space/username/`

## Security

### Network Isolation

- Radicale listens only on internal Docker network
- Caddy handles all external traffic
- TLS 1.3 enforced by Caddy

### Authentication

- HTTP Basic Auth (username/password)
- Each user has isolated calendar space (`/username/`)
- Credentials stored in Radicale config

### Firewall Rules

Only allow:

- Port 443 (HTTPS) - public
- Port 5232 - internal only (localhost)

## Backup & Recovery

### Backup Script

```bash
#!/bin/bash
# backup-calendar.sh
set -euo pipefail
# Copy the contents of /data (note the trailing "/.") so repeated runs do not nest a data/ directory
mkdir -p /backup/calendar-data
docker cp daarion-radicale:/data/. /backup/calendar-data/
# Archive relative to /backup so the tarball contains no absolute paths
tar -czf "calendar-backup-$(date +%Y%m%d).tar.gz" -C /backup calendar-data
```

### Restore

```bash
# Copy the backed-up contents into the container's /data, then restart Radicale
docker cp /backup/calendar-data/. daarion-radicale:/data/
docker restart daarion-radicale
```

## Monitoring

### Health Checks

- Radicale: `docker inspect --format='{{.State.Health.Status}}' daarion-radicale`
- Caddy: `curl -f http://localhost:8080/health || exit 1`

### Metrics

- Calendar Service: `GET /metrics`
- Account count, pending reminders

## Troubleshooting

### Common Issues

#### "Cannot connect to CalDAV server"

1. Check Caddy is running: `docker ps | grep caddy`
2. Check DNS: `nslookup caldav.daarion.space`
3. Check TLS: `curl -vI https://caldav.daarion.space`

#### "Authentication failed"

1. Check credentials in Radicale container
2. Verify user exists: `ls /data/`
3. Check Caddy logs: `docker logs daarion-caldav-proxy`

#### "Calendar not syncing"

1. Force refresh on client
2. Check network connectivity
3. Verify SSL certificate: `openssl s_client -connect caldav.daarion.space:443`

## Future Enhancements

1. **Radicale Cluster** - Multiple Radicale instances with load balancing
2. **Two-Factor Auth** - Add TOTP to CalDAV authentication
3. **Encryption at Rest** - Encrypt calendar data on disk
4. **Audit Logging** - Track all calendar access
5. **Multiple Providers** - Add Google Calendar, iCloud as backup
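
One way to check the Network Isolation and Firewall Rules statements in the Security section against a running deployment, given as an added example that is not part of the DAARION repository. It assumes the container name and hostname used on this page and OpenSSL 1.1.1 or later for the `-tls1_2`/`-tls1_3` flags; the function names and the `--live` switch are illustrative.

```bash
# Added example: audit the exposure rules from the Security section.

# Reads `docker port <container>` output on stdin, one mapping per line:
#   5232/tcp -> 127.0.0.1:5232
# Prints each host binding of container port $1 that is not on loopback
# and returns 1 if there is any. No mapping at all (port not published)
# passes.
check_bindings() {
    cb_bad=$(awk -v p="$1" '
        $1 ~ ("^" p "/") && $2 == "->" {
            if ($3 !~ /^127\./ && $3 !~ /^\[::1\]/) print $3
        }')
    if [ -z "$cb_bad" ]; then
        return 0
    fi
    printf '%s\n' "$cb_bad"
    return 1
}

# Returns 0 only if host $1 completes a TLS 1.3 handshake on port 443
# and refuses a TLS 1.2 handshake.
tls13_only() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_3 \
        </dev/null >/dev/null 2>&1 || return 1
    if openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
        </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run against the live deployment only when asked to.
if [ "${1:-}" = "--live" ]; then
    if docker port daarion-radicale | check_bindings 5232; then
        echo "OK: 5232 is not published beyond loopback"
    else
        echo "FAIL: 5232 is bound to the addresses listed above"
    fi
    if tls13_only caldav.daarion.space; then
        echo "OK: TLS 1.3 accepted, TLS 1.2 refused"
    else
        echo "FAIL: TLS 1.3 is not enforced"
    fi
fi
```

A binding such as `0.0.0.0:5232` or `[::]:5232` means Radicale is reachable without passing through Caddy, so Basic Auth credentials could cross the network without TLS.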