Radicale is a Calendar and Address book Server. It's written in Python and implements the CalDAV and CardDAV standards.

Installation

on Buster

Buster has Radicale 2.x. If you're updating from 1.x you have to migrate your calendars and address books.

The recommended setup for production use is to serve system-wide by Apache via uWSGI with Apache-based authentication. This is documented in README.Debian.

The following documents a more lightweight setup in which Radicale serves requests directly. Note that this is discouraged and not well tested for production use. It follows the "simple but solid setup" instructions from radicale.org, adapted for the Debian packages.

Install all packages

apt install radicale apache2-utils python3-bcrypt python3-passlib

Authentication

Create a "users" file with all user names and passwords:

htpasswd -c -B /etc/radicale/users user
htpasswd -B /etc/radicale/users user2

Then, to set authentication to htpasswd with bcrypt hashing (the option itself is named htpasswd_encryption), set these values in /etc/radicale/config:

[auth]
type = htpasswd
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt

Create essential directories

The provided SysV init script should take care of this. Otherwise you can do it manually:

mkdir -p /var/lib/radicale
chown radicale:radicale /var/lib/radicale
chmod g-w,o-rwx /var/lib/radicale

mkdir -p /var/log/radicale
chown radicale:adm /var/log/radicale
chmod g-w,o-rwx /var/log/radicale
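
A check for the two steps above, added here as an example (it is not part of the Debian package or the Radicale documentation): it flags entries in the users file that are not bcrypt hashes and paths that are group-writable or accessible to other users. The page sets no mode on /etc/radicale/users, so that file is included in the check; the function names are made up for this example and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not shipped by Debian or Radicale. Function names are
# hypothetical; stat -c assumes GNU coreutils (as on Debian).

# Print users whose stored hash is not bcrypt ($2a$, $2b$ or $2y$ prefix).
non_bcrypt_users() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ { print $1 }
    ' "$1"
}

# Succeed only if the path is neither group-writable nor accessible to
# "other", i.e. the state left by the chmod g-w,o-rwx commands above.
perms_tight() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in *[2367]?) return 1 ;; esac
    case "$mode" in *0) return 0 ;; esac
    return 1
}

# Audit a users file plus any directories; the return value is the finding count.
audit_radicale() {
    users=$1; shift; findings=0
    for u in $(non_bcrypt_users "$users"); do
        echo "WEAK-HASH $users: '$u' is not stored as bcrypt"
        findings=$((findings + 1))
    done
    for p in "$users" "$@"; do
        if ! perms_tight "$p"; then
            echo "PERMS     $p: missing, group-writable or open to other"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample (placeholder strings, not real hashes). On a server run:
#   audit_radicale /etc/radicale/users /var/lib/radicale /var/log/radicale
demo=$(mktemp -d)
cat > "$demo/users" <<'EOF'
user:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH
user2:$apr1$CONSTRUCTED$PLACEHOLDER
EOF
chmod 644 "$demo/users"
audit_radicale "$demo/users" "$demo" || echo "findings: $?"
rm -rf "$demo"
```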

Log to logfile

A verbose logfile is very helpful for troubleshooting.

Enable it by changing /etc/radicale/config to have:

[logging]
config = /etc/radicale/logging

Then configure it by changing these entries in /etc/radicale/logging:

[handlers]
#keys = console
keys = file

[formatters]
#keys = simple
keys = full

[logger_root]
#level = WARNING
#level = INFO
level = DEBUG
#handlers = console
handlers = file

[handler_file]
class = FileHandler
# Note: Debian logrotate handles /var/log/radicale/*.log, but not /var/log/radicale/log
#       (the example given on radicale.org, including their own logfile rotation)
args = ('/var/log/radicale/radicale.log',)
formatter = full

[formatter_full]
format = %(asctime)s - [%(thread)x] %(levelname)s: %(message)s

Host addresses and SSL

By default the Radicale server is only reachable from localhost. To change this you can add other hostnames, e.g. the hostname of your machine in a local network. You may also configure Radicale to encrypt traffic with SSL. After this change Radicale will be available as https://localhost:5232 or e.g. https://hostname.local:5232.

With SSL enabled, Radicale tries to use the existing self-signed snakeoil certificate. Its private key, /etc/ssl/private/ssl-cert-snakeoil.key, is not readable by the radicale user, so first add the user radicale to the ssl-cert group:

usermod -a -G ssl-cert radicale

Then edit /etc/radicale/config to have these values:

[server]
hosts = 127.0.0.1:5232, hostname.local:5232
ssl = true

Clients connecting to your Radicale server will probably need an exception added for this certificate, because it is self-signed and not issued by a trusted third party (SEC_ERROR_UNKNOWN_ISSUER).

Run the simple radicale daemon automatically

To finally activate the init script run:

update-rc.d radicale enable

Radicale will then start automatically at system boot. You can manually control it with:

service radicale start
service radicale status
service radicale stop

on Stretch

Documentation not written yet.

The Radicale package on Stretch doesn't come with a systemd unit yet, so you might borrow one from the Radicale website. If you do so, do not enable the daemon in /etc/default/radicale, since that makes use of init.d.

on Jessie

Deliver Radicale through Apache

The points above lead to a minimal installation. In a production environment it's advised to install a dedicated webserver. If you still don't want the uWSGI setup documented in the README.Debian, then here is an example using Apache.

Beware of the security risks of running backend services as the same user and group as the public-facing frontend web server!

As we plan to let Apache start and manage Radicale, we go back to /etc/default/radicale and disable the daemon functionality there. Then we install the necessary packages:

apt-get install apache2 libapache2-mod-wsgi

For python3-radicale you need libapache2-mod-wsgi-py3

In /etc/apache2/sites-available/ we create a radicale.conf.

<VirtualHost *:80>
    ServerName example.com

    WSGIDaemonProcess radicale user=www-data group=www-data threads=1
    WSGIScriptAlias / /usr/share/radicale/radicale.wsgi

    <Directory /usr/share/radicale>
        WSGIProcessGroup radicale
        WSGIApplicationGroup %{GLOBAL}
        AllowOverride None
        # Apache 2.4 form of "Order allow,deny" / "allow from all"
        Require all granted
    </Directory>
</VirtualHost>

To enable this configuration and disable the default one we run:

a2dissite 000-default.conf
a2ensite radicale.conf

As we start Radicale with the www-data user we need to allow it to write to the log files.

mkdir -p /var/log/radicale/
chown -R www-data /var/log/radicale/

The directory for the data also needs to be created (if it doesn't exist already) and given the same ownership.

mkdir -p /var/lib/radicale
chown -R www-data /var/lib/radicale/

After restarting the service you should be able to reach the "Radicale Works!" page on port 80 of your server and port 5232 should not answer anymore.