- adjust default directories for ssl keys, /etc/ssl/private isn't

going to be accessible by the uid running radicale - add a readme, showing people how to setup auth/crypto with/ok ian@
2011-04-17 14:54:47 +00:00 · 2011-04-17 14:54:47 +00:00 · 23b6854d1a
commit 23b6854d1a
parent c4ac868cc7
5 changed files with 45 additions and 9 deletions
--- a/productivity/radicale/Makefile
+++ b/productivity/radicale/Makefile
@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.2 2011/04/15 16:44:27 sthen Exp $
+# $OpenBSD: Makefile,v 1.3 2011/04/17 14:54:47 sthen Exp $

 COMMENT =	simple CalDAV calendar server

 MODPY_EGG_VERSION = 0.4
 DISTNAME =	Radicale-${MODPY_EGG_VERSION}
 PKGNAME =	${DISTNAME:L}
-REVISION =	0
+REVISION =	1
 CATEGORIES =	productivity net

 HOMEPAGE =	http://www.radicale.org/
--- a/productivity/radicale/patches/patch-config
+++ b/productivity/radicale/patches/patch-config
@ -1,4 +1,4 @@
-$OpenBSD: patch-config,v 1.2 2011/04/15 16:44:27 sthen Exp $
+$OpenBSD: patch-config,v 1.3 2011/04/17 14:54:47 sthen Exp $
 --- config.orig	Sat Aug  7 13:22:58 2010
 +++ config	Fri Apr 15 17:42:39 2011
@@ -15,9 +15,9 @@ daemon = False
@ -6,10 +6,10 @@ $OpenBSD: patch-config,v 1.2 2011/04/15 16:44:27 sthen Exp $
 ssl = False
 # SSL certificate path (if needed)
 -certificate = /etc/apache2/ssl/server.crt
-+certificate = /etc/ssl/server.crt
+certificate = ${SYSCONFDIR}/radicale/server.crt
 # SSL private key (if needed)
 -key = /etc/apache2/ssl/server.key
-+key = /etc/ssl/private/server.key
+key = ${SYSCONFDIR}/radicale/private/server.key
 
 [encoding]
 # Encoding for responding requests
--- a/productivity/radicale/patches/patch-radicale_config_py
+++ b/productivity/radicale/patches/patch-radicale_config_py
@ -1,4 +1,4 @@
-$OpenBSD: patch-radicale_config_py,v 1.1.1.1 2011/04/15 15:47:17 sthen Exp $
+$OpenBSD: patch-radicale_config_py,v 1.2 2011/04/17 14:54:47 sthen Exp $
 --- radicale/config.py.orig	Fri Apr  1 22:44:18 2011
 +++ radicale/config.py	Fri Apr  1 22:45:40 2011
@@ -45,18 +45,18 @@ INITIAL_CONFIG = {
@ -7,8 +7,8 @@ $OpenBSD: patch-radicale_config_py,v 1.1.1.1 2011/04/15 15:47:17 sthen Exp $
         "ssl": "False",
 -        "certificate": "/etc/apache2/ssl/server.crt",
 -        "key": "/etc/apache2/ssl/server.key"},
-+        "certificate": "/etc/ssl/server.crt",
-+        "key": "/etc/ssl/private/server.key"},
+        "certificate": "${SYSCONFDIR}/radicale/server.crt",
+        "key": "${SYSCONFDIR}/radicale/private/server.key"},
     "encoding": {
         "request": "utf-8",
         "stock": "utf-8"},
--- a/productivity/radicale/pkg/PLIST
+++ b/productivity/radicale/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.1.1.1 2011/04/15 15:47:17 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.2 2011/04/17 14:54:47 sthen Exp $
@newgroup _radicale:672
@newuser _radicale:672:_radicale:daemon:radicale user:/nonexistent:/sbin/nologin
 bin/radicale
@ -19,6 +19,7 @@ lib/python${MODPY_VERSION}/site-packages/radicale/ical.py
 lib/python${MODPY_VERSION}/site-packages/radicale/ical.pyc
 lib/python${MODPY_VERSION}/site-packages/radicale/xmlutils.py
 lib/python${MODPY_VERSION}/site-packages/radicale/xmlutils.pyc
+share/doc/pkg-readmes/${FULLPKGNAME}
 share/doc/radicale/
 share/doc/radicale/COPYING
 share/doc/radicale/NEWS
@ -32,3 +33,4 @@ share/examples/radicale/config
@owner _radicale
@group _radicale
@sample /var/db/radicale/
+@sample ${SYSCONFDIR}/radicale/private/
--- a/productivity/radicale/pkg/README
+++ b/productivity/radicale/pkg/README
@ -0,0 +1,34 @@
+$OpenBSD: README,v 1.1 2011/04/17 14:54:47 sthen Exp $
+
+Running Radicale on OpenBSD
+===========================
+Radicale will run out of the box but with NO SECURITY.
+There are two things you should do to enable security:
+enable passwords and enable encryption.
+
+Authentication
+--------------
+To enable passwords, edit ${SYSCONFDIR}/radicale/config and change
+"type = fake" (i.e. passwords are not requested or checked) to
+"type = htpasswd".
+
+User password(s) may be created with htpasswd(1); e.g.
+"htpasswd -s ${SYSCONFDIR}/radicale/users username".
+
+By default all calendars may be accessed by any authenticated user.
+To restrict calendars so that "/user1/calendar_name" can ONLY be
+accessed by user1, also change "personal = False" to "personal = True".
+
+Encryption
+----------
+To enable encryption, you need both to change "ssl = False" to
+"ssl = True" in file "config", and install a certificate and key in
+the files named in "certificate" and "key".
+Note that it does not suffice to change these variables to point
+at a certificate installed in /etc/ssl because the key
+file will be unreadable (/etc/ssl/private has restricted
+directory permissions).
+Either copy your existing key and certificate to the locations
+in ${SYSCONFDIR} and owned by (and only readable by) the user _radicale,
+or, generate a self-signed RSA server certificate as described
+in ssl(8) (but changing /etc/ssl to ${SYSCONFDIR}/radicale).