TITLE: Self-hosting address books
DATE: 2022-01-19
TAGS: archlinuxarm archlinux software carddav addressbook freesoftware
-------------------------
I wanted to self-host a server to sync my contacts across devices. One that uses
an open protocol (CardDAV) and easy to self-host.
[Radicale](https://radicale.org) was very easy to set up on Arch, but
[davx5](https://www.davx5.com) client (Android) couldn't sync the changes.
[Xandikos](https://xandikos.org) works flawlessly in combination with nginx. The
package is in Arch repos but required some assembly:

  # (as root)
  mkdir /var/lib/xandikos /etc/xandikos
  chown xandikos:xandikos /var/lib/xandikos
  useradd -U -s /usr/bin/nologin xandikos
  htpasswd -c /etc/xandikos/htpasswd usr

`/etc/systemd/system/xandikos.service`, ugly hack here because Xandikos can't
use an existing socket:

  [Unit]
  Description=Xandikos CalDAV/CardDAV server
  After=network.target
  [Install]
  WantedBy=multi-user.target
  [Service]
  RuntimeDirectory=xandikos
  RuntimeDirectoryMode=0770
  User=xandikos
  Group=http
  ExecStart=/usr/bin/xandikos \
    -d /var/lib/xandikos \
    --current-user-principal=/usr \
    -l /run/xandikos/socket
  ExecStartPost=/usr/bin/sh -c 'sleep 2; chmod g+w /run/xandikos/socket'
  Restart=on-failure
  KillSignal=SIGQUIT
  Type=simple

`/etc/nginx/sites-available/xandikos`:

  upstream xandikos {
      server unix:/run/xandikos/socket; # nginx will need write permissions here
  }
  server {
      server_name home-dav;
      # Service discovery, see RFC 6764
      location = /.well-known/caldav {
          return 307 $scheme://$host/user/calendars;
      }
      location = /.well-known/carddav {
          return 307 $scheme://$host/user/contacts;
      }
      location / {
          proxy_set_header Host $http_host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_redirect off;
          proxy_buffering off;
          proxy_pass http://xandikos;
          auth_basic "Login required";
          auth_basic_user_file /etc/xandikos/htpasswd;
      }
      listen 192.168.2.1:8099;
  }

Add this line to [nftables](https://wiki.archlinux.org/title/Nftables) ruleset
to allow sync on LAN only:

  tcp dport 8099 ip saddr { 192.168.2.0/24 } ip daddr 192.168.2.1 accept comment "Accept connections to xandikos behind nginx"

To sync to local directories I use
[vdirsyncer](https://vdirsyncer.pimutils.org), on Android - davx5 (in
[F-Droid](https://f-droid.org) repos).