From d241321971ecfe569eed65ac76d08fcf176b2be9 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sun, 13 Jul 2025 20:01:05 -0700 Subject: [PATCH 01/12] radicale: initial commit --- kustomizations/radicale/README.md | 13 +++ kustomizations/radicale/files/config | 13 +++ kustomizations/radicale/ingress.yaml | 28 +++++ kustomizations/radicale/kustomization.yaml | 21 ++++ kustomizations/radicale/secret-generator.yaml | 6 + kustomizations/radicale/service.yaml | 11 ++ kustomizations/radicale/serviceaccount.yaml | 5 + kustomizations/radicale/statefulset.yaml | 69 ++++++++++++ kustomizations/radicale/users.enc.yaml | 103 ++++++++++++++++++ 9 files changed, 269 insertions(+) create mode 100644 kustomizations/radicale/README.md create mode 100644 kustomizations/radicale/files/config create mode 100644 kustomizations/radicale/ingress.yaml create mode 100644 kustomizations/radicale/kustomization.yaml create mode 100644 kustomizations/radicale/secret-generator.yaml create mode 100644 kustomizations/radicale/service.yaml create mode 100644 kustomizations/radicale/serviceaccount.yaml create mode 100644 kustomizations/radicale/statefulset.yaml create mode 100644 kustomizations/radicale/users.enc.yaml diff --git a/kustomizations/radicale/README.md b/kustomizations/radicale/README.md new file mode 100644 index 0000000..d6cf228 --- /dev/null +++ b/kustomizations/radicale/README.md @@ -0,0 +1,13 @@ +# Radicale + +## Creating an account + +Currently to create a radicale account you will need to generate and hash a password with `htpasswd` and `bcrypt`. + +You can generate your password using a password manager or `openssl` with at least 32 characters. + +```sh +htpasswd -Bn @distrust.co +``` + +You will then need to add the output to users.enc.yaml which is encrypted with SOPS diff --git a/kustomizations/radicale/files/config b/kustomizations/radicale/files/config new file mode 100644 index 0000000..f3dae5f --- /dev/null +++ b/kustomizations/radicale/files/config @@ -0,0 +1,13 @@ +[server] +hosts = 0.0.0.0:5232 + +[auth] +type = htpasswd +htpasswd_filename = /config/user +htpasswd_encryption = bcrypt + +[rights] +type = owner_only + +[storage] +filesystem_folder = /var/lib/radicale/collections diff --git a/kustomizations/radicale/ingress.yaml b/kustomizations/radicale/ingress.yaml new file mode 100644 index 0000000..9b9d800 --- /dev/null +++ b/kustomizations/radicale/ingress.yaml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: radicale-ingress + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + cert-manager.io/cluster-issuer: letsencrypt + external-dns.alpha.kubernetes.io/hostname: radicale.distrust.co + nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" + nginx.ingress.kubernetes.io/proxy-buffers-number: "8" +spec: + ingressClassName: nginx + tls: + - hosts: + - radicale.distrust.co + secretName: radicale-tls + rules: + - host: radicale.distrust.co + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: radicale + port: + number: 5232 diff --git a/kustomizations/radicale/kustomization.yaml b/kustomizations/radicale/kustomization.yaml new file mode 100644 index 0000000..97f82a4 --- /dev/null +++ b/kustomizations/radicale/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: + - pairs: + app.kubernetes.io/name: radicale + includeSelectors: true +resources: +- ./statefulset.yaml +- ./service.yaml +- ./serviceaccount.yaml +- ./ingress.yaml +enerators: +- secret-generator.yaml +configMapGenerator: + - name: radicale + files: + - config=files/config +images: + - name: radicale + newName: drgrovellc/radicale + digest: sha256:055e686577ec543b33ff905b09f798a3a178393c14799a85867d86519a8d0a35 diff --git a/kustomizations/radicale/secret-generator.yaml b/kustomizations/radicale/secret-generator.yaml new file mode 100644 index 0000000..df6261d --- /dev/null +++ b/kustomizations/radicale/secret-generator.yaml @@ -0,0 +1,6 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: radicale-secrets +files: + - ./users.enc.yaml diff --git a/kustomizations/radicale/service.yaml b/kustomizations/radicale/service.yaml new file mode 100644 index 0000000..ed469f3 --- /dev/null +++ b/kustomizations/radicale/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: radicale +spec: + type: ClusterIP + ports: + - port: 5232 + targetPort: http + protocol: TCP + name: http diff --git a/kustomizations/radicale/serviceaccount.yaml b/kustomizations/radicale/serviceaccount.yaml new file mode 100644 index 0000000..6bb69e3 --- /dev/null +++ b/kustomizations/radicale/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: radicale +automountServiceAccountToken: true diff --git a/kustomizations/radicale/statefulset.yaml b/kustomizations/radicale/statefulset.yaml new file mode 100644 index 0000000..d3e8b15 --- /dev/null +++ b/kustomizations/radicale/statefulset.yaml @@ -0,0 +1,69 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: radicale +spec: + template: + spec: + serviceAccountName: radicale + securityContext: + runAsNonRoot: true + runAsUser: 1000 + fsGroup: 1000 + containers: + - name: radicale + image: radicale + env: + - name: RADICALE_CONFIG + value: /config/config + ports: + - name: http + containerPort: 5232 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /config/config + subPath: config + - name: user + mountPath: /config/user + subPath: users + - name: radicale + mountPath: /var/lib/radicale + volumes: + - name: config + configMap: + name: radicale + items: + - key: config + path: config + - name: user + secret: + optional: true + secretName: radicale-users + items: + - key: users + path: users + volumeClaimTemplates: + - metadata: + name: radicale + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 5Gi diff --git a/kustomizations/radicale/users.enc.yaml b/kustomizations/radicale/users.enc.yaml new file mode 100644 index 0000000..96a29da --- /dev/null +++ b/kustomizations/radicale/users.enc.yaml @@ -0,0 +1,103 @@ +data: ENC[AES256_GCM,data:6uHlO1HW3qJXmwoCkAtvlmVj10NTSzblkYrgT6+OjcY64b7+AAZZtefwNjXvTQ8fDXbbrGAK2SK5Rlbcy08W6Rl/JDKAiomSqmrSfXpszEdumkdciODm2wOosTC6EjRudPpnfliqowisAszNTanH7mocsOClqww6XVAMmtzHKbjzYUeg4Iyz5MOCIrtNHxiA/Eb0UGvtGhbuqgci/zSly6bvzV2eMZl9XtDn1fhKM5IMqFwt5OpSIfOG,iv:Ew42raYQoumx9KQWzlLnBf/75RdwbBXKnoSfEVA38y8=,tag:lRDMH+eRGhfKAQNEsI6HFg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-07-13T19:45:29Z" + mac: ENC[AES256_GCM,data:6MBapMxTVHBUxGFZdoS8pc682CAzqH49s/m/gl1n94tUc5S3x7YLcB29Ebmj4g5yLCqWLmc7bYbvlfviNrE8WZAKVEQhWd16J4Sl91q2JUmlRDyMJjHzxZEEZaZ7Wc1fgVsbJw0kRTxYGSg+J5rreirYl0IllVh/yFNmy+36yIk=,iv:Bk2EkF4BwJM4oBebOeiUzKExvthvEsLhUdR6iLsEDlk=,tag:+6Skc/pm8t+lXwacO5vG/w==,type:str] + pgp: + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK + Nro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm + wKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu + OqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1 + AtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA + iAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC + k2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT + HUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO + Vzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn + YzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg + VgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS + XAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS + 0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd + =tMGM + -----END PGP MESSAGE----- + fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw95Vf08z8oUARAAzSCXQxhGwwO1cQjgpy539UqhS/3SDqB2c2fAm8rvKMEq + E8dtU5/Oc5FRhRRWEIP9XeDJlPz9rDn4E3KYa0ZYNUchl75ItHID6oBg3OOSZmIN + ciVaffQXyRa6pRCjeaQU9VZY67FBbCueBbCe/mYyGZQMfHg4Y2asOIr3qOgYIgnC + sAZoG2NT+9deabzLY8irLTAM5IMbO59ulM0H7j0IdTLB9D7u+fU7EMg9jQb/J9ha + IITSh7jGhpNbtJ0neRyUnX26r50JeLY4b1UCAd1HjA5Rycgrx1rXoZbmGB4dFZ0V + ZiIaGBe/8BF5GGXkHJgO/Y5g+jfpmO6HYV5NrCB049nd82YowK9LkgMNp3V1vPn6 + 5RxWsVSV29CyplO6rEq9lH2VHB1HLkboOomklVDyG9mo+jbY3TL/Ak4nWfx+96rV + JSyAadEtC+HcXN5ECDO+F7uAEDi0isdWF97xgARvjyDezEEyxTA8xWsIpL8LRWjZ + IBlihxlpyQJ13WSFP6tAp60wO83LLJiC9rvuIBmrCUwKb+LtxUqrWtZnZ8yIsCXk + V1xqGixSigR3RJvbSzICKdMDuhs+cghiurTkKNE2QG9+NQeees2DUIqURjRM//Av + 6hEJxjH/bJ2JlA1/YIkYkMxc9WpKRXmitVaHpkoFumphVIfA4CbQZo/Nv2LbatDS + XAHAUl75H53Hf3awGph4kOoykimetr8i14bVM0Kr/jdAxcvJkanScej2huzTHzQK + ywl3clswBKzhfCBFejdhrrZoKsT1h7Mf23FEwhwP4aMcVZe+iSqoifWXKRM5 + =jFLv + -----END PGP MESSAGE----- + fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dr/MjkOzuuRESAQdAEpot/CyllATM3Ycyb5dvalqAbJBHskFKLR7nbFc6Z2kw + R2XDTbHQ51WSv7teBei+gA9elRjrsx5RfUSh/mC/WrOZvnn4NyHf6cDkjtd3EO1I + 0lwBT732FGcKQEE7CZXoc/AwtCd66OYqwdYiiMm29LuVcW71UlrGkLFPyqQ+y2jb + Fl00rVXjHLLXFzcEfZf5+JFoPv3JM+h8nXQZEkpKI6Ykw9ZcxagoZyyySYdqtw== + =ZP5M + -----END PGP MESSAGE----- + fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA5Wf+FyJ+zFJAQ/7BIqCa7lsEE4tyhxoiA6DBO9/+xP4LlA/CPPCu4zWLb2T + zy0axtIWtdSAWecWXm0vQ9B+YB0Jbhb69Qj1mrjCgGyM8ckduBxvYlT1qbGREJCW + CtFqiAvWcDAsKZ3BOxA4GsqU4aGK9KMOZCcFGQx9Bg8CFpOx7gbMFb+VkziA/Dgx + FGvBmNvtqqdqV7yViUxvYAwb7Buik8e77FCyBc5fxdjGU34/x7AD0jPJcN3Ac0n0 + zqGBaM9ivs3G2R4rq2JVfWOdj/qmrH/P0CWDN8cOB7H37+IpvIjs80RIjguB4OFo + HxJFviuQ9LGpw8IKj2161iSccuAwhOpHdOLS8C6yzw7SJZncwCDeLlQWVhJb99ae + Tq23m68KYTkpM6cIT5iG4k/grgkKvqk82YNkMCktPBwsEQ/wxOH9ZQ9Ry1LRtmIF + BUH33sASnt3A3IAavYQucAcOkYsQJFlaLbeVoVS8J7nXA6xRzv9qaJeeulVIaBpc + fwSP6mI8mscrSp24F14EcP3n5W6Gr68oEw2qdUi3CFLtr+Ih8T2REWzOJYDIArCM + cY/tS1WVDDikmzS9aNcEt0okPz6HNaKu7qONby3L9XxSDxZYg4tmV/ZiWIZuvVwL + 6iipL+wYMYk3ot066ewoLqOeZcZH/04P9QgoNwnUaSqsfaIQfPJZCngyCEKdYNXS + XAGIFLlG48rAKmE7OYuOFQeuwgNpdFb07kaWw64NKTRxTkw0hZjm87CHfdZ3CPnX + Jp04LP46X74s+SiWmfHM5W21Ub68Li4l135DA3CKiOn+Sq04Q5xh0giSZWHG + =ikQP + -----END PGP MESSAGE----- + fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA8KRInHl7Vz+AQ//blhfF6tdUKH+4HWC2p0hhCBwzZ/eGcDBvk66N4Yvo7w5 + k38fd/kI0EqKecagLNlScnS8mRwhjAaKwUGUjyWYQ5CkVEtb+SG2fAnEU57ju3xV + ei5P1lBfkcKPR5uSC9vXO/oCg7XHN9fAi67yh1paBhN7azjplm8BGunhFD7PzULO + b+g9xa1ueC2c4UpLd4rf55Us10tFJ/Id3QK5FhbB1L+Mae+Wjs0sxRN2qPmkiAvu + ilaPw7PfnztNs3bj6/pzyH1EdaeRIiZzoC+0e9LiA6bBkj4tSfAWEHH84uFYDv98 + gfSe5Lp5DEpoZSy2ecx3XOtCPSKGv8FfeVfwb4EZ/EyYRJDEkOAkEDPIlQs9agy0 + FYOiovwAjVAU2Y/IC5q0lVH4WQZGY/k+EVeu9ZAMHkZ1/TDIxva/WsMM91ja5uWC + LMRUXJ1TO/LjNI1T9XI20bKkl2WOj0Y/1YVOoJAxTbnkXzsn1xU7Qe7DiehYKl+d + OE+dNjN/D4DR5NmEfTPmsNEX6Z3sK1GyEOxw19/JM3QHIdjoKw3a15hQjxmM/ksH + KNEu0YQ/l7CDDnVT7MLDpjx1luoMQ9eW3I3hMAZgxkjkmTk2xeNYTAvDLFmKk2D8 + 7MFogZB2o2giaBgFgWB+9KCgzipHSlnIQd//BSvwtL1/GFILSPzLEfOWAXv2zE7S + XAHdCNhyj7n7zQDwDb5V84QxbUne/D22RY4NpJybMfrXuKW9n2fOD4wxiWZnl6hD + ieC1qFcETi20i2LzC2M3uJAz/LHVpyLaNNaaIDMZF3gme1yKe3/u46z1WJhX + =LEyb + -----END PGP MESSAGE----- + fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD + unencrypted_suffix: _unencrypted + version: 3.8.1 From 02df9bf36a1fc5ad2999de3b185faced7fa667f8 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sat, 2 Aug 2025 20:12:18 -0700 Subject: [PATCH 02/12] images/radicale: initial commit --- images/radicale/Containerfile | 115 ++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 images/radicale/Containerfile diff --git a/images/radicale/Containerfile b/images/radicale/Containerfile new file mode 100644 index 0000000..d7e7408 --- /dev/null +++ b/images/radicale/Containerfile @@ -0,0 +1,115 @@ +FROM stagex/core-busybox@sha256:cac5d773db1c69b832d022c469ccf5f52daf223b91166e6866d42d6983a3b374 AS busybox +FROM stagex/core-bzip2@sha256:57e9b2b4fea6718bbe463a10e44f5cffbaad2fecada2f8f7733189c1a28be2a4 AS bzip2 +FROM stagex/core-filesystem@sha256:2aaaea601e1725a8292c4c28e723db5761d892b869556f9b05c0983ba11fe30e AS filesystem +FROM stagex/core-gcc@sha256:125bd6306e7f37e57d377d5a189c0e499388aff42b22cc79acee6097357c617f AS gcc +FROM stagex/core-libffi@sha256:9acd18e59ca11fa727670725e69a976d96f85a00704dea6ad07870bff2bd4e8b AS libffi +FROM stagex/core-libunwind@sha256:4f3ead61255c1e58e7dc43a33043f297f8730ec88e068a4460e5fff09e503781 AS libunwind +FROM stagex/core-musl@sha256:d5f86324920cfc7fc34f0163502784b73161543ba0a312030a3ddff3ef8ab2f8 AS musl +FROM stagex/core-ncurses@sha256:6602a073bf9a408d1ed7c20ccc98fca974cd307fb8d1da6381fbca684a08169c AS ncurses +FROM stagex/core-openssl@sha256:8670a22fb76965f31bda1b61cd75ae39a96e1008deffe289a5d94ee4337b1cb2 AS openssl +FROM stagex/core-py-build@sha256:625b7c06114188524e8789ca5010444e13878c26e75645184b60256c0b586669 AS py-build +FROM stagex/core-py-dateutil@sha256:56a4aaeab67622b66607ec4621527039ee017e696dce3a510a12e0b5e31a5d05 AS py-dateutil +FROM stagex/core-py-flit@sha256:4f6007293e3ae1ac94ec97be03ce964321e3f0ad7311b527caa157f5fa2aa914 AS py-flit +FROM stagex/core-py-gpep517@sha256:1d4942c56e8f1651e2e7632ae2f2901a7573ed7e8184cb645348ab3b2d4a2f99 AS py-gpep517 +FROM stagex/core-py-installer@sha256:935c066ff446e3f2b2b269ce1d51a63c34596caceddc1abad2771c5003703625 AS py-installer +FROM stagex/core-py-pep517@sha256:678f8fe52d5d9944ba281f878f111b474b250899293676b851557623107763a5 AS py-pep517 +FROM stagex/core-py-setuptools@sha256:3558195868ec830242e047b22729b8a849336899dc105957843c9c4e75baacf0 AS py-setuptools +FROM stagex/core-py-toml@sha256:e8712e27a2e9d17f78892a4e4dd4f3823e86469143bd4eac2294d0e323f985d0 AS py-toml +FROM stagex/core-py-wheel@sha256:b5eded3ce06adbdd70ef452e7b7d07afbf0f23a2f8d6850b9511cc3f66c898c1 AS py-wheel +FROM stagex/core-python@sha256:5c5d86d66a9ebe4144154035230714b79c65227d9702fa2c2191a0451168014e AS python +FROM stagex/core-sqlite3@sha256:d8908d5a6c205639e6a408a92e7086edf3604f930775ee058a250e96b89255a2 AS sqlite3 +FROM stagex/core-zlib@sha256:b35b643642153b1620093cfe2963f5fa8e4d194fb2344a5786da5717018976c2 AS zlib +FROM stagex/pallet-python@sha256:2af6ef9ca77e667753b06cf85176ba1df7704b6d42a94d97ef5e217c6423955d AS pallet-python +FROM stagex/pallet-rust@sha256:81c39a3b42b0336e439aee3c90e9e1e4da1d32425451e7222198a978eb8c2623 AS pallet-rust +FROM stagex/user-linux-pam@sha256:dfa0f1699d18674c005b2ad860d56773dc7049ab6bcd1d6b07190ad993fd9e83 AS linux-pam +FROM stagex/user-py-bcrypt@sha256:d9d3cc2a2da4cd7ef89aa1b72553a87d41e6d8495415521d929e6ed4e38b7fdc AS py-bcrypt +FROM stagex/user-py-defusedxml@sha256:66577196a2c483ed5ef87dec43580b7e5843d4c06984ef2e3637e95bb902bf1c AS py-defusedxml +FROM stagex/user-py-ldap3@sha256:005726d9c3f4177a58d0c283c6ae248fb11c3b505025ce62a66da787055286ff AS py-ldap3 +FROM stagex/user-py-pam@sha256:9e3c8bf9d53d7652374fac20805318e7627f26f756217051e99b728b3373d859 AS py-pam +FROM stagex/user-py-passlib@sha256:d210aa185483dcffe4c15c72cf2efd5286e3551fb65025418d76ac567d745205 AS py-passlib +FROM stagex/user-py-pika@sha256:873d754f559b8072774176319d9efd7c7cee13d2dfeedf9fbc9f971470c1a985 AS py-pika +FROM stagex/user-py-pyasn1@sha256:826ddae08316596c758aa92d8ba15ced7b0b3f3601a9b7570fd95e4e09dbebaf AS py-pyasn1 +FROM stagex/user-py-pytz@sha256:d02fa1f128e27aa49040d35196c519c3633744e7fad7dfb13eb459a42957dc18 AS py-pytz +FROM stagex/user-py-requests@sha256:1d26793e53751887149b7ae48fb999f4e923e2d3a9c5dbec8e2bf5ee784a8a30 AS py-requests +FROM stagex/user-py-semantic-version@sha256:a03536939d365c0ed70214742631ff95a927c6a37dcc021872237b8575cd69d9 AS py-semantic-version +FROM stagex/user-py-setuptools-rust@sha256:694280bc5053b41dd11c3c0634988517dd3aa65dc86fafb16d8f1f38b4136a19 AS py-setuptools-rust +FROM stagex/user-py-setuptools-scm@sha256:9d1c56c43bc007a6f492a438c538013c367b7fe9dff388f998b560a148cf8817 AS py-setuptools-scm +FROM stagex/user-py-six@sha256:fb4cf37afcdc52a751e484dcd87b307e31d089a8b5824a0dc0df4da0a07a14a6 AS py-six +FROM stagex/user-py-vobject@sha256:c125fce2223592724816654b5a3400698d4adaba41f34065df31e9a98fcc9464 AS py-vobject +FROM stagex/user-py-waitress@sha256:271930c65e8399fcd4168470caa65ac7f44f942457d8828a6a20ff1557d9ffee AS py-waitress + +# radicale +FROM scratch AS build-radicale +COPY --from=pallet-python . / +COPY --from=py-bcrypt . / +COPY --from=py-build . / +COPY --from=py-defusedxml . / +COPY --from=py-installer . / +COPY --from=py-ldap3 . / +COPY --from=py-passlib . / +COPY --from=py-pep517 . / +COPY --from=py-pika . / +COPY --from=py-setuptools . / +COPY --from=py-toml . / +COPY --from=py-vobject . / +COPY --from=py-wheel . / +ADD \ + --checksum=sha256:dcbfb7ab0b2f89cab0f566ea179d768a5016597b0c1f177431a123de57509b3b \ + https://github.com/Kozea/Radicale/archive/refs/tags/v3.5.4.tar.gz \ + / +RUN tar zxvf /v3.5.4.tar.gz +WORKDIR /Radicale-3.5.4/ +RUN --network=none <<-EOF + set -eu + python -m build --wheel --no-isolation + python -m installer --destdir=/rootfs dist/*.whl + install -vDm 644 config -t /rootfs/etc/radicale/ + install -vDm 644 rights -t /rootfs/etc/radicale/ + touch users + install -vDm 644 users -t /rootfs/etc/radicale/ + install -vDm 644 radicale.wsgi -t /rootfs/usr/share/radicale/radicale.wsgi + install -vDm 644 CHANGELOG.md -t /rootfs/usr/share/doc/radicale/CHANGELOG.md + install -vDm 644 DOCUMENTATION.md -t /rootfs/usr/share/doc/radicale/DOCUMENTATION.md + install -vDm 644 README.md -t /rootfs/usr/share/doc/radicale/README.md + install -vDm 644 COPYING.md /rootfs/usr/share/licenses/radicale/COPYING.md + find /rootfs | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf +EOF + +FROM filesystem AS py-radicale +LABEL org.opencontainers.image.version=3.5.4 +LABEL org.opencontainers.image.licenses=GPL-3.0-or-later +COPY --from=build-radicale /rootfs / + +FROM filesystem AS radicale +LABEL org.opencontainers.image.authors="Distrust Team " +LABEL org.opencontainers.image.vendor="Distrust LLC" +LABEL org.opencontainers.image.source=https://git.distrust.co/public/stack/src/branch/main/images/radicale/Containerfile +COPY --from=busybox . / +COPY --from=gcc . / +COPY --from=musl . / +COPY --from=python . / +COPY --from=openssl . / +COPY --from=zlib . / +COPY --from=bzip2 . / +COPY --from=ncurses . / +COPY --from=sqlite3 . / +COPY --from=libffi . / +COPY --from=libunwind . / +COPY --from=linux-pam . / +COPY --from=py-bcrypt . / +COPY --from=py-dateutil . / +COPY --from=py-defusedxml . / +COPY --from=py-ldap3 . / +COPY --from=py-pam . / +COPY --from=py-passlib . / +COPY --from=py-pika . / +COPY --from=py-pyasn1 . / +COPY --from=py-radicale . / +COPY --from=py-requests . / +COPY --from=py-six . / +COPY --from=py-toml . / +COPY --from=py-vobject . / +EXPOSE 5232 +VOLUME /var/lib/radicale +ENTRYPOINT [ "/usr/bin/radicale" ] +CMD [ "--hosts", "0.0.0.0:5232,[::]:5232" ] From a548000f10d707796c29835604f68df4d4eada42 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sat, 2 Aug 2025 22:29:40 -0700 Subject: [PATCH 03/12] kustomize/radicale: update image to latest iterration --- kustomizations/radicale/kustomization.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kustomizations/radicale/kustomization.yaml b/kustomizations/radicale/kustomization.yaml index 97f82a4..ea13ed5 100644 --- a/kustomizations/radicale/kustomization.yaml +++ b/kustomizations/radicale/kustomization.yaml @@ -17,5 +17,5 @@ configMapGenerator: - config=files/config images: - name: radicale - newName: drgrovellc/radicale - digest: sha256:055e686577ec543b33ff905b09f798a3a178393c14799a85867d86519a8d0a35 + newName: git.distrust.co/public/radicale + digest: sha256:53c80b2dea5a854e945288659284c26f57f8a0db4e73abb04c7150dbf795f72b From c7dd106712b29fc23951abebebdff483a2a7ef28 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Mon, 4 Aug 2025 06:52:18 -0700 Subject: [PATCH 04/12] chore: add anton user data for radicale --- kustomizations/radicale/users.enc.yaml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/kustomizations/radicale/users.enc.yaml b/kustomizations/radicale/users.enc.yaml index 96a29da..71b1eac 100644 --- a/kustomizations/radicale/users.enc.yaml +++ b/kustomizations/radicale/users.enc.yaml @@ -1,12 +1,7 @@ -data: ENC[AES256_GCM,data:6uHlO1HW3qJXmwoCkAtvlmVj10NTSzblkYrgT6+OjcY64b7+AAZZtefwNjXvTQ8fDXbbrGAK2SK5Rlbcy08W6Rl/JDKAiomSqmrSfXpszEdumkdciODm2wOosTC6EjRudPpnfliqowisAszNTanH7mocsOClqww6XVAMmtzHKbjzYUeg4Iyz5MOCIrtNHxiA/Eb0UGvtGhbuqgci/zSly6bvzV2eMZl9XtDn1fhKM5IMqFwt5OpSIfOG,iv:Ew42raYQoumx9KQWzlLnBf/75RdwbBXKnoSfEVA38y8=,tag:lRDMH+eRGhfKAQNEsI6HFg==,type:str] +data: ENC[AES256_GCM,data:fS7EDnE2y5ZPUDWoj6iSkFyjjDHGc7dyY+Wkr5ods7QLYrTn4vTeAKxcIwZDjpMeqTHqqBRFBbcDenV09MEtaRz3CgF1GGtqfBz2XA9Eak5PS7CWXMdQPye7gW0/ki0asRWMQrE3qFYQxPaWd2kMkZyBsgA7wz45XxdYZag4Su1nUz13pfEXaCBpBLtH5XW2QKoS6ZVUBCHw2QI5h8MW95pLYza0Tm9E6U8grI/ALR9K9DRL9zpTM39g6lm4XNueZengnwIFIoJflGP77+LJI2uMyTfsY67P2rorRmrSks2rxru+ufQOotgPMn8Qc+GOPUnjZ6/kAyf9jngYBa6x9fE3jBgxGeJZijaYrL39Bw==,iv:e5B/pngesajAkb9erAXrKouucLFfXUf2rQRwnSCG3+I=,tag:vJD18/UddaJMwfvlXHKaZg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2025-07-13T19:45:29Z" - mac: ENC[AES256_GCM,data:6MBapMxTVHBUxGFZdoS8pc682CAzqH49s/m/gl1n94tUc5S3x7YLcB29Ebmj4g5yLCqWLmc7bYbvlfviNrE8WZAKVEQhWd16J4Sl91q2JUmlRDyMJjHzxZEEZaZ7Wc1fgVsbJw0kRTxYGSg+J5rreirYl0IllVh/yFNmy+36yIk=,iv:Bk2EkF4BwJM4oBebOeiUzKExvthvEsLhUdR6iLsEDlk=,tag:+6Skc/pm8t+lXwacO5vG/w==,type:str] + lastmodified: "2025-08-04T13:51:14Z" + mac: ENC[AES256_GCM,data:DauDyxToDzms9haP8vNelyOT4g+/OmhAiaBSb6oJJB2GirBmAUSWircG0ylYXj5hlR+D3EYa8cKYZpysSXVAAnSNsUZBfwkpR13QDPjPQQKXDarf0E9Myj/1E6ssqnelP0FkRt8fJZ9sRgY/oEK7f3giLlWSjnkT1b3KHo8Nzlg=,iv:sNVDLhr9xXu17x1XIsEHdhSLjrvnaSksNYe4tbjoAjk=,tag:3EXfxuOvYlHdYNjnujzYTg==,type:str] pgp: - created_at: "2025-07-13T06:51:55Z" enc: |- @@ -100,4 +95,4 @@ sops: -----END PGP MESSAGE----- fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.10.2 From 202b25e86b8a10cb21380b6d89897cf4c988637d Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sun, 13 Jul 2025 20:01:05 -0700 Subject: [PATCH 05/12] radicale: initial commit --- kustomizations/radicale/README.md | 13 +++ kustomizations/radicale/files/config | 13 +++ kustomizations/radicale/ingress.yaml | 28 +++++ kustomizations/radicale/kustomization.yaml | 21 ++++ kustomizations/radicale/secret-generator.yaml | 6 + kustomizations/radicale/service.yaml | 11 ++ kustomizations/radicale/serviceaccount.yaml | 5 + kustomizations/radicale/statefulset.yaml | 69 ++++++++++++ kustomizations/radicale/users.enc.yaml | 103 ++++++++++++++++++ 9 files changed, 269 insertions(+) create mode 100644 kustomizations/radicale/README.md create mode 100644 kustomizations/radicale/files/config create mode 100644 kustomizations/radicale/ingress.yaml create mode 100644 kustomizations/radicale/kustomization.yaml create mode 100644 kustomizations/radicale/secret-generator.yaml create mode 100644 kustomizations/radicale/service.yaml create mode 100644 kustomizations/radicale/serviceaccount.yaml create mode 100644 kustomizations/radicale/statefulset.yaml create mode 100644 kustomizations/radicale/users.enc.yaml diff --git a/kustomizations/radicale/README.md b/kustomizations/radicale/README.md new file mode 100644 index 0000000..d6cf228 --- /dev/null +++ b/kustomizations/radicale/README.md @@ -0,0 +1,13 @@ +# Radicale + +## Creating an account + +Currently to create a radicale account you will need to generate and hash a password with `htpasswd` and `bcrypt`. + +You can generate your password using a password manager or `openssl` with at least 32 characters. + +```sh +htpasswd -Bn @distrust.co +``` + +You will then need to add the output to users.enc.yaml which is encrypted with SOPS diff --git a/kustomizations/radicale/files/config b/kustomizations/radicale/files/config new file mode 100644 index 0000000..f3dae5f --- /dev/null +++ b/kustomizations/radicale/files/config @@ -0,0 +1,13 @@ +[server] +hosts = 0.0.0.0:5232 + +[auth] +type = htpasswd +htpasswd_filename = /config/user +htpasswd_encryption = bcrypt + +[rights] +type = owner_only + +[storage] +filesystem_folder = /var/lib/radicale/collections diff --git a/kustomizations/radicale/ingress.yaml b/kustomizations/radicale/ingress.yaml new file mode 100644 index 0000000..9b9d800 --- /dev/null +++ b/kustomizations/radicale/ingress.yaml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: radicale-ingress + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + cert-manager.io/cluster-issuer: letsencrypt + external-dns.alpha.kubernetes.io/hostname: radicale.distrust.co + nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" + nginx.ingress.kubernetes.io/proxy-buffers-number: "8" +spec: + ingressClassName: nginx + tls: + - hosts: + - radicale.distrust.co + secretName: radicale-tls + rules: + - host: radicale.distrust.co + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: radicale + port: + number: 5232 diff --git a/kustomizations/radicale/kustomization.yaml b/kustomizations/radicale/kustomization.yaml new file mode 100644 index 0000000..97f82a4 --- /dev/null +++ b/kustomizations/radicale/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: + - pairs: + app.kubernetes.io/name: radicale + includeSelectors: true +resources: +- ./statefulset.yaml +- ./service.yaml +- ./serviceaccount.yaml +- ./ingress.yaml +enerators: +- secret-generator.yaml +configMapGenerator: + - name: radicale + files: + - config=files/config +images: + - name: radicale + newName: drgrovellc/radicale + digest: sha256:055e686577ec543b33ff905b09f798a3a178393c14799a85867d86519a8d0a35 diff --git a/kustomizations/radicale/secret-generator.yaml b/kustomizations/radicale/secret-generator.yaml new file mode 100644 index 0000000..df6261d --- /dev/null +++ b/kustomizations/radicale/secret-generator.yaml @@ -0,0 +1,6 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: radicale-secrets +files: + - ./users.enc.yaml diff --git a/kustomizations/radicale/service.yaml b/kustomizations/radicale/service.yaml new file mode 100644 index 0000000..ed469f3 --- /dev/null +++ b/kustomizations/radicale/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: radicale +spec: + type: ClusterIP + ports: + - port: 5232 + targetPort: http + protocol: TCP + name: http diff --git a/kustomizations/radicale/serviceaccount.yaml b/kustomizations/radicale/serviceaccount.yaml new file mode 100644 index 0000000..6bb69e3 --- /dev/null +++ b/kustomizations/radicale/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: radicale +automountServiceAccountToken: true diff --git a/kustomizations/radicale/statefulset.yaml b/kustomizations/radicale/statefulset.yaml new file mode 100644 index 0000000..d3e8b15 --- /dev/null +++ b/kustomizations/radicale/statefulset.yaml @@ -0,0 +1,69 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: radicale +spec: + template: + spec: + serviceAccountName: radicale + securityContext: + runAsNonRoot: true + runAsUser: 1000 + fsGroup: 1000 + containers: + - name: radicale + image: radicale + env: + - name: RADICALE_CONFIG + value: /config/config + ports: + - name: http + containerPort: 5232 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /config/config + subPath: config + - name: user + mountPath: /config/user + subPath: users + - name: radicale + mountPath: /var/lib/radicale + volumes: + - name: config + configMap: + name: radicale + items: + - key: config + path: config + - name: user + secret: + optional: true + secretName: radicale-users + items: + - key: users + path: users + volumeClaimTemplates: + - metadata: + name: radicale + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 5Gi diff --git a/kustomizations/radicale/users.enc.yaml b/kustomizations/radicale/users.enc.yaml new file mode 100644 index 0000000..96a29da --- /dev/null +++ b/kustomizations/radicale/users.enc.yaml @@ -0,0 +1,103 @@ +data: ENC[AES256_GCM,data:6uHlO1HW3qJXmwoCkAtvlmVj10NTSzblkYrgT6+OjcY64b7+AAZZtefwNjXvTQ8fDXbbrGAK2SK5Rlbcy08W6Rl/JDKAiomSqmrSfXpszEdumkdciODm2wOosTC6EjRudPpnfliqowisAszNTanH7mocsOClqww6XVAMmtzHKbjzYUeg4Iyz5MOCIrtNHxiA/Eb0UGvtGhbuqgci/zSly6bvzV2eMZl9XtDn1fhKM5IMqFwt5OpSIfOG,iv:Ew42raYQoumx9KQWzlLnBf/75RdwbBXKnoSfEVA38y8=,tag:lRDMH+eRGhfKAQNEsI6HFg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-07-13T19:45:29Z" + mac: ENC[AES256_GCM,data:6MBapMxTVHBUxGFZdoS8pc682CAzqH49s/m/gl1n94tUc5S3x7YLcB29Ebmj4g5yLCqWLmc7bYbvlfviNrE8WZAKVEQhWd16J4Sl91q2JUmlRDyMJjHzxZEEZaZ7Wc1fgVsbJw0kRTxYGSg+J5rreirYl0IllVh/yFNmy+36yIk=,iv:Bk2EkF4BwJM4oBebOeiUzKExvthvEsLhUdR6iLsEDlk=,tag:+6Skc/pm8t+lXwacO5vG/w==,type:str] + pgp: + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK + Nro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm + wKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu + OqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1 + AtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA + iAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC + k2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT + HUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO + Vzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn + YzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg + VgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS + XAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS + 0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd + =tMGM + -----END PGP MESSAGE----- + fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw95Vf08z8oUARAAzSCXQxhGwwO1cQjgpy539UqhS/3SDqB2c2fAm8rvKMEq + E8dtU5/Oc5FRhRRWEIP9XeDJlPz9rDn4E3KYa0ZYNUchl75ItHID6oBg3OOSZmIN + ciVaffQXyRa6pRCjeaQU9VZY67FBbCueBbCe/mYyGZQMfHg4Y2asOIr3qOgYIgnC + sAZoG2NT+9deabzLY8irLTAM5IMbO59ulM0H7j0IdTLB9D7u+fU7EMg9jQb/J9ha + IITSh7jGhpNbtJ0neRyUnX26r50JeLY4b1UCAd1HjA5Rycgrx1rXoZbmGB4dFZ0V + ZiIaGBe/8BF5GGXkHJgO/Y5g+jfpmO6HYV5NrCB049nd82YowK9LkgMNp3V1vPn6 + 5RxWsVSV29CyplO6rEq9lH2VHB1HLkboOomklVDyG9mo+jbY3TL/Ak4nWfx+96rV + JSyAadEtC+HcXN5ECDO+F7uAEDi0isdWF97xgARvjyDezEEyxTA8xWsIpL8LRWjZ + IBlihxlpyQJ13WSFP6tAp60wO83LLJiC9rvuIBmrCUwKb+LtxUqrWtZnZ8yIsCXk + V1xqGixSigR3RJvbSzICKdMDuhs+cghiurTkKNE2QG9+NQeees2DUIqURjRM//Av + 6hEJxjH/bJ2JlA1/YIkYkMxc9WpKRXmitVaHpkoFumphVIfA4CbQZo/Nv2LbatDS + XAHAUl75H53Hf3awGph4kOoykimetr8i14bVM0Kr/jdAxcvJkanScej2huzTHzQK + ywl3clswBKzhfCBFejdhrrZoKsT1h7Mf23FEwhwP4aMcVZe+iSqoifWXKRM5 + =jFLv + -----END PGP MESSAGE----- + fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dr/MjkOzuuRESAQdAEpot/CyllATM3Ycyb5dvalqAbJBHskFKLR7nbFc6Z2kw + R2XDTbHQ51WSv7teBei+gA9elRjrsx5RfUSh/mC/WrOZvnn4NyHf6cDkjtd3EO1I + 0lwBT732FGcKQEE7CZXoc/AwtCd66OYqwdYiiMm29LuVcW71UlrGkLFPyqQ+y2jb + Fl00rVXjHLLXFzcEfZf5+JFoPv3JM+h8nXQZEkpKI6Ykw9ZcxagoZyyySYdqtw== + =ZP5M + -----END PGP MESSAGE----- + fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA5Wf+FyJ+zFJAQ/7BIqCa7lsEE4tyhxoiA6DBO9/+xP4LlA/CPPCu4zWLb2T + zy0axtIWtdSAWecWXm0vQ9B+YB0Jbhb69Qj1mrjCgGyM8ckduBxvYlT1qbGREJCW + CtFqiAvWcDAsKZ3BOxA4GsqU4aGK9KMOZCcFGQx9Bg8CFpOx7gbMFb+VkziA/Dgx + FGvBmNvtqqdqV7yViUxvYAwb7Buik8e77FCyBc5fxdjGU34/x7AD0jPJcN3Ac0n0 + zqGBaM9ivs3G2R4rq2JVfWOdj/qmrH/P0CWDN8cOB7H37+IpvIjs80RIjguB4OFo + HxJFviuQ9LGpw8IKj2161iSccuAwhOpHdOLS8C6yzw7SJZncwCDeLlQWVhJb99ae + Tq23m68KYTkpM6cIT5iG4k/grgkKvqk82YNkMCktPBwsEQ/wxOH9ZQ9Ry1LRtmIF + BUH33sASnt3A3IAavYQucAcOkYsQJFlaLbeVoVS8J7nXA6xRzv9qaJeeulVIaBpc + fwSP6mI8mscrSp24F14EcP3n5W6Gr68oEw2qdUi3CFLtr+Ih8T2REWzOJYDIArCM + cY/tS1WVDDikmzS9aNcEt0okPz6HNaKu7qONby3L9XxSDxZYg4tmV/ZiWIZuvVwL + 6iipL+wYMYk3ot066ewoLqOeZcZH/04P9QgoNwnUaSqsfaIQfPJZCngyCEKdYNXS + XAGIFLlG48rAKmE7OYuOFQeuwgNpdFb07kaWw64NKTRxTkw0hZjm87CHfdZ3CPnX + Jp04LP46X74s+SiWmfHM5W21Ub68Li4l135DA3CKiOn+Sq04Q5xh0giSZWHG + =ikQP + -----END PGP MESSAGE----- + fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D + - created_at: "2025-07-13T06:51:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA8KRInHl7Vz+AQ//blhfF6tdUKH+4HWC2p0hhCBwzZ/eGcDBvk66N4Yvo7w5 + k38fd/kI0EqKecagLNlScnS8mRwhjAaKwUGUjyWYQ5CkVEtb+SG2fAnEU57ju3xV + ei5P1lBfkcKPR5uSC9vXO/oCg7XHN9fAi67yh1paBhN7azjplm8BGunhFD7PzULO + b+g9xa1ueC2c4UpLd4rf55Us10tFJ/Id3QK5FhbB1L+Mae+Wjs0sxRN2qPmkiAvu + ilaPw7PfnztNs3bj6/pzyH1EdaeRIiZzoC+0e9LiA6bBkj4tSfAWEHH84uFYDv98 + gfSe5Lp5DEpoZSy2ecx3XOtCPSKGv8FfeVfwb4EZ/EyYRJDEkOAkEDPIlQs9agy0 + FYOiovwAjVAU2Y/IC5q0lVH4WQZGY/k+EVeu9ZAMHkZ1/TDIxva/WsMM91ja5uWC + LMRUXJ1TO/LjNI1T9XI20bKkl2WOj0Y/1YVOoJAxTbnkXzsn1xU7Qe7DiehYKl+d + OE+dNjN/D4DR5NmEfTPmsNEX6Z3sK1GyEOxw19/JM3QHIdjoKw3a15hQjxmM/ksH + KNEu0YQ/l7CDDnVT7MLDpjx1luoMQ9eW3I3hMAZgxkjkmTk2xeNYTAvDLFmKk2D8 + 7MFogZB2o2giaBgFgWB+9KCgzipHSlnIQd//BSvwtL1/GFILSPzLEfOWAXv2zE7S + XAHdCNhyj7n7zQDwDb5V84QxbUne/D22RY4NpJybMfrXuKW9n2fOD4wxiWZnl6hD + ieC1qFcETi20i2LzC2M3uJAz/LHVpyLaNNaaIDMZF3gme1yKe3/u46z1WJhX + =LEyb + -----END PGP MESSAGE----- + fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD + unencrypted_suffix: _unencrypted + version: 3.8.1 From 117c4a2f13f4b23bb2203bf8bc68b88873feb9a9 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sat, 2 Aug 2025 20:12:18 -0700 Subject: [PATCH 06/12] images/radicale: initial commit --- images/radicale/Containerfile | 115 ++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 images/radicale/Containerfile diff --git a/images/radicale/Containerfile b/images/radicale/Containerfile new file mode 100644 index 0000000..d7e7408 --- /dev/null +++ b/images/radicale/Containerfile @@ -0,0 +1,115 @@ +FROM stagex/core-busybox@sha256:cac5d773db1c69b832d022c469ccf5f52daf223b91166e6866d42d6983a3b374 AS busybox +FROM stagex/core-bzip2@sha256:57e9b2b4fea6718bbe463a10e44f5cffbaad2fecada2f8f7733189c1a28be2a4 AS bzip2 +FROM stagex/core-filesystem@sha256:2aaaea601e1725a8292c4c28e723db5761d892b869556f9b05c0983ba11fe30e AS filesystem +FROM stagex/core-gcc@sha256:125bd6306e7f37e57d377d5a189c0e499388aff42b22cc79acee6097357c617f AS gcc +FROM stagex/core-libffi@sha256:9acd18e59ca11fa727670725e69a976d96f85a00704dea6ad07870bff2bd4e8b AS libffi +FROM stagex/core-libunwind@sha256:4f3ead61255c1e58e7dc43a33043f297f8730ec88e068a4460e5fff09e503781 AS libunwind +FROM stagex/core-musl@sha256:d5f86324920cfc7fc34f0163502784b73161543ba0a312030a3ddff3ef8ab2f8 AS musl +FROM stagex/core-ncurses@sha256:6602a073bf9a408d1ed7c20ccc98fca974cd307fb8d1da6381fbca684a08169c AS ncurses +FROM stagex/core-openssl@sha256:8670a22fb76965f31bda1b61cd75ae39a96e1008deffe289a5d94ee4337b1cb2 AS openssl +FROM stagex/core-py-build@sha256:625b7c06114188524e8789ca5010444e13878c26e75645184b60256c0b586669 AS py-build +FROM stagex/core-py-dateutil@sha256:56a4aaeab67622b66607ec4621527039ee017e696dce3a510a12e0b5e31a5d05 AS py-dateutil +FROM stagex/core-py-flit@sha256:4f6007293e3ae1ac94ec97be03ce964321e3f0ad7311b527caa157f5fa2aa914 AS py-flit +FROM stagex/core-py-gpep517@sha256:1d4942c56e8f1651e2e7632ae2f2901a7573ed7e8184cb645348ab3b2d4a2f99 AS py-gpep517 +FROM stagex/core-py-installer@sha256:935c066ff446e3f2b2b269ce1d51a63c34596caceddc1abad2771c5003703625 AS py-installer +FROM stagex/core-py-pep517@sha256:678f8fe52d5d9944ba281f878f111b474b250899293676b851557623107763a5 AS py-pep517 +FROM stagex/core-py-setuptools@sha256:3558195868ec830242e047b22729b8a849336899dc105957843c9c4e75baacf0 AS py-setuptools +FROM stagex/core-py-toml@sha256:e8712e27a2e9d17f78892a4e4dd4f3823e86469143bd4eac2294d0e323f985d0 AS py-toml +FROM stagex/core-py-wheel@sha256:b5eded3ce06adbdd70ef452e7b7d07afbf0f23a2f8d6850b9511cc3f66c898c1 AS py-wheel +FROM stagex/core-python@sha256:5c5d86d66a9ebe4144154035230714b79c65227d9702fa2c2191a0451168014e AS python +FROM stagex/core-sqlite3@sha256:d8908d5a6c205639e6a408a92e7086edf3604f930775ee058a250e96b89255a2 AS sqlite3 +FROM stagex/core-zlib@sha256:b35b643642153b1620093cfe2963f5fa8e4d194fb2344a5786da5717018976c2 AS zlib +FROM stagex/pallet-python@sha256:2af6ef9ca77e667753b06cf85176ba1df7704b6d42a94d97ef5e217c6423955d AS pallet-python +FROM stagex/pallet-rust@sha256:81c39a3b42b0336e439aee3c90e9e1e4da1d32425451e7222198a978eb8c2623 AS pallet-rust +FROM stagex/user-linux-pam@sha256:dfa0f1699d18674c005b2ad860d56773dc7049ab6bcd1d6b07190ad993fd9e83 AS linux-pam +FROM stagex/user-py-bcrypt@sha256:d9d3cc2a2da4cd7ef89aa1b72553a87d41e6d8495415521d929e6ed4e38b7fdc AS py-bcrypt +FROM stagex/user-py-defusedxml@sha256:66577196a2c483ed5ef87dec43580b7e5843d4c06984ef2e3637e95bb902bf1c AS py-defusedxml +FROM stagex/user-py-ldap3@sha256:005726d9c3f4177a58d0c283c6ae248fb11c3b505025ce62a66da787055286ff AS py-ldap3 +FROM stagex/user-py-pam@sha256:9e3c8bf9d53d7652374fac20805318e7627f26f756217051e99b728b3373d859 AS py-pam +FROM stagex/user-py-passlib@sha256:d210aa185483dcffe4c15c72cf2efd5286e3551fb65025418d76ac567d745205 AS py-passlib +FROM stagex/user-py-pika@sha256:873d754f559b8072774176319d9efd7c7cee13d2dfeedf9fbc9f971470c1a985 AS py-pika +FROM stagex/user-py-pyasn1@sha256:826ddae08316596c758aa92d8ba15ced7b0b3f3601a9b7570fd95e4e09dbebaf AS py-pyasn1 +FROM stagex/user-py-pytz@sha256:d02fa1f128e27aa49040d35196c519c3633744e7fad7dfb13eb459a42957dc18 AS py-pytz +FROM stagex/user-py-requests@sha256:1d26793e53751887149b7ae48fb999f4e923e2d3a9c5dbec8e2bf5ee784a8a30 AS py-requests +FROM stagex/user-py-semantic-version@sha256:a03536939d365c0ed70214742631ff95a927c6a37dcc021872237b8575cd69d9 AS py-semantic-version +FROM stagex/user-py-setuptools-rust@sha256:694280bc5053b41dd11c3c0634988517dd3aa65dc86fafb16d8f1f38b4136a19 AS py-setuptools-rust +FROM stagex/user-py-setuptools-scm@sha256:9d1c56c43bc007a6f492a438c538013c367b7fe9dff388f998b560a148cf8817 AS py-setuptools-scm +FROM stagex/user-py-six@sha256:fb4cf37afcdc52a751e484dcd87b307e31d089a8b5824a0dc0df4da0a07a14a6 AS py-six +FROM stagex/user-py-vobject@sha256:c125fce2223592724816654b5a3400698d4adaba41f34065df31e9a98fcc9464 AS py-vobject +FROM stagex/user-py-waitress@sha256:271930c65e8399fcd4168470caa65ac7f44f942457d8828a6a20ff1557d9ffee AS py-waitress + +# radicale +FROM scratch AS build-radicale +COPY --from=pallet-python . / +COPY --from=py-bcrypt . / +COPY --from=py-build . / +COPY --from=py-defusedxml . / +COPY --from=py-installer . / +COPY --from=py-ldap3 . / +COPY --from=py-passlib . / +COPY --from=py-pep517 . / +COPY --from=py-pika . / +COPY --from=py-setuptools . / +COPY --from=py-toml . / +COPY --from=py-vobject . / +COPY --from=py-wheel . / +ADD \ + --checksum=sha256:dcbfb7ab0b2f89cab0f566ea179d768a5016597b0c1f177431a123de57509b3b \ + https://github.com/Kozea/Radicale/archive/refs/tags/v3.5.4.tar.gz \ + / +RUN tar zxvf /v3.5.4.tar.gz +WORKDIR /Radicale-3.5.4/ +RUN --network=none <<-EOF + set -eu + python -m build --wheel --no-isolation + python -m installer --destdir=/rootfs dist/*.whl + install -vDm 644 config -t /rootfs/etc/radicale/ + install -vDm 644 rights -t /rootfs/etc/radicale/ + touch users + install -vDm 644 users -t /rootfs/etc/radicale/ + install -vDm 644 radicale.wsgi -t /rootfs/usr/share/radicale/radicale.wsgi + install -vDm 644 CHANGELOG.md -t /rootfs/usr/share/doc/radicale/CHANGELOG.md + install -vDm 644 DOCUMENTATION.md -t /rootfs/usr/share/doc/radicale/DOCUMENTATION.md + install -vDm 644 README.md -t /rootfs/usr/share/doc/radicale/README.md + install -vDm 644 COPYING.md /rootfs/usr/share/licenses/radicale/COPYING.md + find /rootfs | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf +EOF + +FROM filesystem AS py-radicale +LABEL org.opencontainers.image.version=3.5.4 +LABEL org.opencontainers.image.licenses=GPL-3.0-or-later +COPY --from=build-radicale /rootfs / + +FROM filesystem AS radicale +LABEL org.opencontainers.image.authors="Distrust Team " +LABEL org.opencontainers.image.vendor="Distrust LLC" +LABEL org.opencontainers.image.source=https://git.distrust.co/public/stack/src/branch/main/images/radicale/Containerfile +COPY --from=busybox . / +COPY --from=gcc . / +COPY --from=musl . / +COPY --from=python . / +COPY --from=openssl . / +COPY --from=zlib . / +COPY --from=bzip2 . / +COPY --from=ncurses . / +COPY --from=sqlite3 . / +COPY --from=libffi . / +COPY --from=libunwind . / +COPY --from=linux-pam . / +COPY --from=py-bcrypt . / +COPY --from=py-dateutil . / +COPY --from=py-defusedxml . / +COPY --from=py-ldap3 . / +COPY --from=py-pam . / +COPY --from=py-passlib . / +COPY --from=py-pika . / +COPY --from=py-pyasn1 . / +COPY --from=py-radicale . / +COPY --from=py-requests . / +COPY --from=py-six . / +COPY --from=py-toml . / +COPY --from=py-vobject . / +EXPOSE 5232 +VOLUME /var/lib/radicale +ENTRYPOINT [ "/usr/bin/radicale" ] +CMD [ "--hosts", "0.0.0.0:5232,[::]:5232" ] From 4d1403f056a3b288722266dceb4244252525c50b Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sat, 2 Aug 2025 22:29:40 -0700 Subject: [PATCH 07/12] kustomize/radicale: update image to latest iterration --- kustomizations/radicale/kustomization.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kustomizations/radicale/kustomization.yaml b/kustomizations/radicale/kustomization.yaml index 97f82a4..ea13ed5 100644 --- a/kustomizations/radicale/kustomization.yaml +++ b/kustomizations/radicale/kustomization.yaml @@ -17,5 +17,5 @@ configMapGenerator: - config=files/config images: - name: radicale - newName: drgrovellc/radicale - digest: sha256:055e686577ec543b33ff905b09f798a3a178393c14799a85867d86519a8d0a35 + newName: git.distrust.co/public/radicale + digest: sha256:53c80b2dea5a854e945288659284c26f57f8a0db4e73abb04c7150dbf795f72b From 4b912068fe4488d61696cfec9cd6e0a938e65c89 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Mon, 4 Aug 2025 13:54:16 -0700 Subject: [PATCH 08/12] k/radicale: fix yaml issues and secrets issues --- kustomizations/radicale/kustomization.yaml | 2 +- kustomizations/radicale/users.enc.yaml | 103 ++++----------------- 2 files changed, 20 insertions(+), 85 deletions(-) diff --git a/kustomizations/radicale/kustomization.yaml b/kustomizations/radicale/kustomization.yaml index ea13ed5..295b71f 100644 --- a/kustomizations/radicale/kustomization.yaml +++ b/kustomizations/radicale/kustomization.yaml @@ -9,7 +9,7 @@ resources: - ./service.yaml - ./serviceaccount.yaml - ./ingress.yaml -enerators: +generators: - secret-generator.yaml configMapGenerator: - name: radicale diff --git a/kustomizations/radicale/users.enc.yaml b/kustomizations/radicale/users.enc.yaml index a60721d..8c1f0ff 100644 --- a/kustomizations/radicale/users.enc.yaml +++ b/kustomizations/radicale/users.enc.yaml @@ -1,98 +1,33 @@ -data: ENC[AES256_GCM,data:fS7EDnE2y5ZPUDWoj6iSkFyjjDHGc7dyY+Wkr5ods7QLYrTn4vTeAKxcIwZDjpMeqTHqqBRFBbcDenV09MEtaRz3CgF1GGtqfBz2XA9Eak5PS7CWXMdQPye7gW0/ki0asRWMQrE3qFYQxPaWd2kMkZyBsgA7wz45XxdYZag4Su1nUz13pfEXaCBpBLtH5XW2QKoS6ZVUBCHw2QI5h8MW95pLYza0Tm9E6U8grI/ALR9K9DRL9zpTM39g6lm4XNueZengnwIFIoJflGP77+LJI2uMyTfsY67P2rorRmrSks2rxru+ufQOotgPMn8Qc+GOPUnjZ6/kAyf9jngYBa6x9fE3jBgxGeJZijaYrL39Bw==,iv:e5B/pngesajAkb9erAXrKouucLFfXUf2rQRwnSCG3+I=,tag:vJD18/UddaJMwfvlXHKaZg==,type:str] +apiVersion: ENC[AES256_GCM,data:WhA=,iv:Z/tFagnlvoAXt9yfp0aoRsZn78vPEKjl2OTqitQMjWo=,tag:1IYJWqgbknS61DXy4ppiug==,type:str] +kind: ENC[AES256_GCM,data:abMLEKUb,iv:e5Vq7fKAWwtZA88jPKR+tjmHevoDtduH9S8pQ1WanS4=,tag:8sDhvGn2Ob8Ap8RxZqjdXA==,type:str] +type: ENC[AES256_GCM,data:v/+vuXQ7,iv:N3q4jTPZBUm35gDeWZ5W5Q3ndZzWofTofi3Rv2/8GKY=,tag:l63mR0fmE1Self9J8vMI+w==,type:str] +metadata: + name: ENC[AES256_GCM,data:c0G89GGAPwPLp0dETOo=,iv:8PNpVILLyVCEgn97mO975+khTXZSzEWkSnsfDTjqbI4=,tag:AuOLzcVdRPOyBNlWoRVW8g==,type:str] +stringData: + users: ENC[AES256_GCM,data:Upo+TL0HwIPdLz+Pm7P0Tekdz4a30u87NA/zHKdYoRyBXx2J/8lAagAQ+6SYU/ac8mpzd3GFlMtKZCoasVnx3Z7CjoZlgC7tg/luCPHay1pyCXju5xKx0RVuzFhTpMPJ73BYHWRJis1s3JdiMwmd3GdQSbdVCZnpfEDzqilDjynVv/ZDUs3Q1k7TOECpuZBeSDfD1/HOdsOffAwp8vw=,iv:uGChKf14/+wfCt4bRPoiHVjHEfOqbX5GMbDjemphhRs=,tag:AtLW2MNMUUesK194cmQEeA==,type:str] sops: - lastmodified: "2025-08-04T13:51:14Z" - mac: ENC[AES256_GCM,data:DauDyxToDzms9haP8vNelyOT4g+/OmhAiaBSb6oJJB2GirBmAUSWircG0ylYXj5hlR+D3EYa8cKYZpysSXVAAnSNsUZBfwkpR13QDPjPQQKXDarf0E9Myj/1E6ssqnelP0FkRt8fJZ9sRgY/oEK7f3giLlWSjnkT1b3KHo8Nzlg=,iv:sNVDLhr9xXu17x1XIsEHdhSLjrvnaSksNYe4tbjoAjk=,tag:3EXfxuOvYlHdYNjnujzYTg==,type:str] + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-08-04T20:51:00Z" + mac: ENC[AES256_GCM,data:30BN6nYMM8152rHwyy6Vd9leXGX9AH3haYeSZXXA2bFwebNxdeY0037TwUhwuRmE6a17AW093pJxr+7SOarUU7CGntZn1h0W7+RIzPihha/aSb41Ytv1krl9pdLJgFWnShe4XyoSIoHYjdk5QeWW4jeU/Nq2iNTw0bdepfI+1XI=,iv:3xwOV6Q6u1b7zhSgiaNIMQOa3ZKti7XV/AtGrlkcjbI=,tag:TR3ZdE72aP4S5/0mt4m0VA==,type:str] pgp: - created_at: "2025-07-13T06:51:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK - Nro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm - wKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu - OqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1 - AtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA - iAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC - k2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT - HUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO - Vzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn - YzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg - VgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS - XAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS - 0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd - =tMGM - -----END PGP MESSAGE----- + enc: "-----BEGIN PGP MESSAGE-----\n\nhQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK\nNro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm\nwKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu\nOqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1\nAtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA\niAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC\nk2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT\nHUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO\nVzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn\nYzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg\nVgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS\nXAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS\n0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd\n=tMGM\n-----END PGP MESSAGE----- " fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 - created_at: "2025-07-13T06:51:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw95Vf08z8oUARAAzSCXQxhGwwO1cQjgpy539UqhS/3SDqB2c2fAm8rvKMEq - E8dtU5/Oc5FRhRRWEIP9XeDJlPz9rDn4E3KYa0ZYNUchl75ItHID6oBg3OOSZmIN - ciVaffQXyRa6pRCjeaQU9VZY67FBbCueBbCe/mYyGZQMfHg4Y2asOIr3qOgYIgnC - sAZoG2NT+9deabzLY8irLTAM5IMbO59ulM0H7j0IdTLB9D7u+fU7EMg9jQb/J9ha - IITSh7jGhpNbtJ0neRyUnX26r50JeLY4b1UCAd1HjA5Rycgrx1rXoZbmGB4dFZ0V - ZiIaGBe/8BF5GGXkHJgO/Y5g+jfpmO6HYV5NrCB049nd82YowK9LkgMNp3V1vPn6 - 5RxWsVSV29CyplO6rEq9lH2VHB1HLkboOomklVDyG9mo+jbY3TL/Ak4nWfx+96rV - JSyAadEtC+HcXN5ECDO+F7uAEDi0isdWF97xgARvjyDezEEyxTA8xWsIpL8LRWjZ - IBlihxlpyQJ13WSFP6tAp60wO83LLJiC9rvuIBmrCUwKb+LtxUqrWtZnZ8yIsCXk - V1xqGixSigR3RJvbSzICKdMDuhs+cghiurTkKNE2QG9+NQeees2DUIqURjRM//Av - 6hEJxjH/bJ2JlA1/YIkYkMxc9WpKRXmitVaHpkoFumphVIfA4CbQZo/Nv2LbatDS - XAHAUl75H53Hf3awGph4kOoykimetr8i14bVM0Kr/jdAxcvJkanScej2huzTHzQK - ywl3clswBKzhfCBFejdhrrZoKsT1h7Mf23FEwhwP4aMcVZe+iSqoifWXKRM5 - =jFLv - -----END PGP MESSAGE----- + enc: "-----BEGIN PGP MESSAGE-----\n\nhQIMAw95Vf08z8oUARAAzSCXQxhGwwO1cQjgpy539UqhS/3SDqB2c2fAm8rvKMEq\nE8dtU5/Oc5FRhRRWEIP9XeDJlPz9rDn4E3KYa0ZYNUchl75ItHID6oBg3OOSZmIN\nciVaffQXyRa6pRCjeaQU9VZY67FBbCueBbCe/mYyGZQMfHg4Y2asOIr3qOgYIgnC\nsAZoG2NT+9deabzLY8irLTAM5IMbO59ulM0H7j0IdTLB9D7u+fU7EMg9jQb/J9ha\nIITSh7jGhpNbtJ0neRyUnX26r50JeLY4b1UCAd1HjA5Rycgrx1rXoZbmGB4dFZ0V\nZiIaGBe/8BF5GGXkHJgO/Y5g+jfpmO6HYV5NrCB049nd82YowK9LkgMNp3V1vPn6\n5RxWsVSV29CyplO6rEq9lH2VHB1HLkboOomklVDyG9mo+jbY3TL/Ak4nWfx+96rV\nJSyAadEtC+HcXN5ECDO+F7uAEDi0isdWF97xgARvjyDezEEyxTA8xWsIpL8LRWjZ\nIBlihxlpyQJ13WSFP6tAp60wO83LLJiC9rvuIBmrCUwKb+LtxUqrWtZnZ8yIsCXk\nV1xqGixSigR3RJvbSzICKdMDuhs+cghiurTkKNE2QG9+NQeees2DUIqURjRM//Av\n6hEJxjH/bJ2JlA1/YIkYkMxc9WpKRXmitVaHpkoFumphVIfA4CbQZo/Nv2LbatDS\nXAHAUl75H53Hf3awGph4kOoykimetr8i14bVM0Kr/jdAxcvJkanScej2huzTHzQK\nywl3clswBKzhfCBFejdhrrZoKsT1h7Mf23FEwhwP4aMcVZe+iSqoifWXKRM5\n=jFLv\n-----END PGP MESSAGE----- " fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 - created_at: "2025-07-13T06:51:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4Dr/MjkOzuuRESAQdAEpot/CyllATM3Ycyb5dvalqAbJBHskFKLR7nbFc6Z2kw - R2XDTbHQ51WSv7teBei+gA9elRjrsx5RfUSh/mC/WrOZvnn4NyHf6cDkjtd3EO1I - 0lwBT732FGcKQEE7CZXoc/AwtCd66OYqwdYiiMm29LuVcW71UlrGkLFPyqQ+y2jb - Fl00rVXjHLLXFzcEfZf5+JFoPv3JM+h8nXQZEkpKI6Ykw9ZcxagoZyyySYdqtw== - =ZP5M - -----END PGP MESSAGE----- + enc: "-----BEGIN PGP MESSAGE-----\n\nhF4Dr/MjkOzuuRESAQdAEpot/CyllATM3Ycyb5dvalqAbJBHskFKLR7nbFc6Z2kw\nR2XDTbHQ51WSv7teBei+gA9elRjrsx5RfUSh/mC/WrOZvnn4NyHf6cDkjtd3EO1I\n0lwBT732FGcKQEE7CZXoc/AwtCd66OYqwdYiiMm29LuVcW71UlrGkLFPyqQ+y2jb\nFl00rVXjHLLXFzcEfZf5+JFoPv3JM+h8nXQZEkpKI6Ykw9ZcxagoZyyySYdqtw==\n=ZP5M\n-----END PGP MESSAGE----- " fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA - created_at: "2025-07-13T06:51:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA5Wf+FyJ+zFJAQ/7BIqCa7lsEE4tyhxoiA6DBO9/+xP4LlA/CPPCu4zWLb2T - zy0axtIWtdSAWecWXm0vQ9B+YB0Jbhb69Qj1mrjCgGyM8ckduBxvYlT1qbGREJCW - CtFqiAvWcDAsKZ3BOxA4GsqU4aGK9KMOZCcFGQx9Bg8CFpOx7gbMFb+VkziA/Dgx - FGvBmNvtqqdqV7yViUxvYAwb7Buik8e77FCyBc5fxdjGU34/x7AD0jPJcN3Ac0n0 - zqGBaM9ivs3G2R4rq2JVfWOdj/qmrH/P0CWDN8cOB7H37+IpvIjs80RIjguB4OFo - HxJFviuQ9LGpw8IKj2161iSccuAwhOpHdOLS8C6yzw7SJZncwCDeLlQWVhJb99ae - Tq23m68KYTkpM6cIT5iG4k/grgkKvqk82YNkMCktPBwsEQ/wxOH9ZQ9Ry1LRtmIF - BUH33sASnt3A3IAavYQucAcOkYsQJFlaLbeVoVS8J7nXA6xRzv9qaJeeulVIaBpc - fwSP6mI8mscrSp24F14EcP3n5W6Gr68oEw2qdUi3CFLtr+Ih8T2REWzOJYDIArCM - cY/tS1WVDDikmzS9aNcEt0okPz6HNaKu7qONby3L9XxSDxZYg4tmV/ZiWIZuvVwL - 6iipL+wYMYk3ot066ewoLqOeZcZH/04P9QgoNwnUaSqsfaIQfPJZCngyCEKdYNXS - XAGIFLlG48rAKmE7OYuOFQeuwgNpdFb07kaWw64NKTRxTkw0hZjm87CHfdZ3CPnX - Jp04LP46X74s+SiWmfHM5W21Ub68Li4l135DA3CKiOn+Sq04Q5xh0giSZWHG - =ikQP - -----END PGP MESSAGE----- + enc: "-----BEGIN PGP MESSAGE-----\n\nhQIMA5Wf+FyJ+zFJAQ/7BIqCa7lsEE4tyhxoiA6DBO9/+xP4LlA/CPPCu4zWLb2T\nzy0axtIWtdSAWecWXm0vQ9B+YB0Jbhb69Qj1mrjCgGyM8ckduBxvYlT1qbGREJCW\nCtFqiAvWcDAsKZ3BOxA4GsqU4aGK9KMOZCcFGQx9Bg8CFpOx7gbMFb+VkziA/Dgx\nFGvBmNvtqqdqV7yViUxvYAwb7Buik8e77FCyBc5fxdjGU34/x7AD0jPJcN3Ac0n0\nzqGBaM9ivs3G2R4rq2JVfWOdj/qmrH/P0CWDN8cOB7H37+IpvIjs80RIjguB4OFo\nHxJFviuQ9LGpw8IKj2161iSccuAwhOpHdOLS8C6yzw7SJZncwCDeLlQWVhJb99ae\nTq23m68KYTkpM6cIT5iG4k/grgkKvqk82YNkMCktPBwsEQ/wxOH9ZQ9Ry1LRtmIF\nBUH33sASnt3A3IAavYQucAcOkYsQJFlaLbeVoVS8J7nXA6xRzv9qaJeeulVIaBpc\nfwSP6mI8mscrSp24F14EcP3n5W6Gr68oEw2qdUi3CFLtr+Ih8T2REWzOJYDIArCM\ncY/tS1WVDDikmzS9aNcEt0okPz6HNaKu7qONby3L9XxSDxZYg4tmV/ZiWIZuvVwL\n6iipL+wYMYk3ot066ewoLqOeZcZH/04P9QgoNwnUaSqsfaIQfPJZCngyCEKdYNXS\nXAGIFLlG48rAKmE7OYuOFQeuwgNpdFb07kaWw64NKTRxTkw0hZjm87CHfdZ3CPnX\nJp04LP46X74s+SiWmfHM5W21Ub68Li4l135DA3CKiOn+Sq04Q5xh0giSZWHG\n=ikQP\n-----END PGP MESSAGE----- " fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D - created_at: "2025-07-13T06:51:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA8KRInHl7Vz+AQ//blhfF6tdUKH+4HWC2p0hhCBwzZ/eGcDBvk66N4Yvo7w5 - k38fd/kI0EqKecagLNlScnS8mRwhjAaKwUGUjyWYQ5CkVEtb+SG2fAnEU57ju3xV - ei5P1lBfkcKPR5uSC9vXO/oCg7XHN9fAi67yh1paBhN7azjplm8BGunhFD7PzULO - b+g9xa1ueC2c4UpLd4rf55Us10tFJ/Id3QK5FhbB1L+Mae+Wjs0sxRN2qPmkiAvu - ilaPw7PfnztNs3bj6/pzyH1EdaeRIiZzoC+0e9LiA6bBkj4tSfAWEHH84uFYDv98 - gfSe5Lp5DEpoZSy2ecx3XOtCPSKGv8FfeVfwb4EZ/EyYRJDEkOAkEDPIlQs9agy0 - FYOiovwAjVAU2Y/IC5q0lVH4WQZGY/k+EVeu9ZAMHkZ1/TDIxva/WsMM91ja5uWC - LMRUXJ1TO/LjNI1T9XI20bKkl2WOj0Y/1YVOoJAxTbnkXzsn1xU7Qe7DiehYKl+d - OE+dNjN/D4DR5NmEfTPmsNEX6Z3sK1GyEOxw19/JM3QHIdjoKw3a15hQjxmM/ksH - KNEu0YQ/l7CDDnVT7MLDpjx1luoMQ9eW3I3hMAZgxkjkmTk2xeNYTAvDLFmKk2D8 - 7MFogZB2o2giaBgFgWB+9KCgzipHSlnIQd//BSvwtL1/GFILSPzLEfOWAXv2zE7S - XAHdCNhyj7n7zQDwDb5V84QxbUne/D22RY4NpJybMfrXuKW9n2fOD4wxiWZnl6hD - ieC1qFcETi20i2LzC2M3uJAz/LHVpyLaNNaaIDMZF3gme1yKe3/u46z1WJhX - =LEyb - -----END PGP MESSAGE----- + enc: "-----BEGIN PGP MESSAGE-----\n\nhQIMA8KRInHl7Vz+AQ//blhfF6tdUKH+4HWC2p0hhCBwzZ/eGcDBvk66N4Yvo7w5\nk38fd/kI0EqKecagLNlScnS8mRwhjAaKwUGUjyWYQ5CkVEtb+SG2fAnEU57ju3xV\nei5P1lBfkcKPR5uSC9vXO/oCg7XHN9fAi67yh1paBhN7azjplm8BGunhFD7PzULO\nb+g9xa1ueC2c4UpLd4rf55Us10tFJ/Id3QK5FhbB1L+Mae+Wjs0sxRN2qPmkiAvu\nilaPw7PfnztNs3bj6/pzyH1EdaeRIiZzoC+0e9LiA6bBkj4tSfAWEHH84uFYDv98\ngfSe5Lp5DEpoZSy2ecx3XOtCPSKGv8FfeVfwb4EZ/EyYRJDEkOAkEDPIlQs9agy0\nFYOiovwAjVAU2Y/IC5q0lVH4WQZGY/k+EVeu9ZAMHkZ1/TDIxva/WsMM91ja5uWC\nLMRUXJ1TO/LjNI1T9XI20bKkl2WOj0Y/1YVOoJAxTbnkXzsn1xU7Qe7DiehYKl+d\nOE+dNjN/D4DR5NmEfTPmsNEX6Z3sK1GyEOxw19/JM3QHIdjoKw3a15hQjxmM/ksH\nKNEu0YQ/l7CDDnVT7MLDpjx1luoMQ9eW3I3hMAZgxkjkmTk2xeNYTAvDLFmKk2D8\n7MFogZB2o2giaBgFgWB+9KCgzipHSlnIQd//BSvwtL1/GFILSPzLEfOWAXv2zE7S\nXAHdCNhyj7n7zQDwDb5V84QxbUne/D22RY4NpJybMfrXuKW9n2fOD4wxiWZnl6hD\nieC1qFcETi20i2LzC2M3uJAz/LHVpyLaNNaaIDMZF3gme1yKe3/u46z1WJhX\n=LEyb\n-----END PGP MESSAGE----- " fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD unencrypted_suffix: _unencrypted version: 3.10.2 From 35778e160e29ac13a62ff3389a763a765c60c4e5 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Mon, 4 Aug 2025 16:08:17 -0700 Subject: [PATCH 09/12] k/radicale: add account for team@ to have a shared calendar --- kustomizations/radicale/users.enc.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kustomizations/radicale/users.enc.yaml b/kustomizations/radicale/users.enc.yaml index 8c1f0ff..fa51c86 100644 --- a/kustomizations/radicale/users.enc.yaml +++ b/kustomizations/radicale/users.enc.yaml @@ -4,15 +4,15 @@ type: ENC[AES256_GCM,data:v/+vuXQ7,iv:N3q4jTPZBUm35gDeWZ5W5Q3ndZzWofTofi3Rv2/8GK metadata: name: ENC[AES256_GCM,data:c0G89GGAPwPLp0dETOo=,iv:8PNpVILLyVCEgn97mO975+khTXZSzEWkSnsfDTjqbI4=,tag:AuOLzcVdRPOyBNlWoRVW8g==,type:str] stringData: - users: ENC[AES256_GCM,data:Upo+TL0HwIPdLz+Pm7P0Tekdz4a30u87NA/zHKdYoRyBXx2J/8lAagAQ+6SYU/ac8mpzd3GFlMtKZCoasVnx3Z7CjoZlgC7tg/luCPHay1pyCXju5xKx0RVuzFhTpMPJ73BYHWRJis1s3JdiMwmd3GdQSbdVCZnpfEDzqilDjynVv/ZDUs3Q1k7TOECpuZBeSDfD1/HOdsOffAwp8vw=,iv:uGChKf14/+wfCt4bRPoiHVjHEfOqbX5GMbDjemphhRs=,tag:AtLW2MNMUUesK194cmQEeA==,type:str] + users: ENC[AES256_GCM,data:rveIHF6gebDe92Ela+zICvOo8JhBJp8BkRb63pmKQEjEuCwCQN2xV326KA4c7T9rtL3VkNmgIVzyLMBhdN5FCtzpEZeyuSPaKSQta9A261gnFVxY5YqbgEXYs/iVq7Qtp7nSNL7f8E0RFZnM67N+D8jEkIyyYhUQt64Ec2TVVGX2lWpcoWgaA2MGGjdITzfc+AWqe8I+FwL0wmh4hbXrYRJH3yjYYiOoV0mQYhhFn0V8HZEzK/1tbO0Qrjxt5U0SBoBkjwEO/GtC4avl58RCtCv/xIeGRExEPGQTCNNH11w2I05p/Z0LVxhCUHY=,iv:jx4HbBWirtFUrZWaKT/mQaOxfhpggTeFdmOwQBFv52c=,tag:qO2bKZWyDK55I6WnCSaqOg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2025-08-04T20:51:00Z" - mac: ENC[AES256_GCM,data:30BN6nYMM8152rHwyy6Vd9leXGX9AH3haYeSZXXA2bFwebNxdeY0037TwUhwuRmE6a17AW093pJxr+7SOarUU7CGntZn1h0W7+RIzPihha/aSb41Ytv1krl9pdLJgFWnShe4XyoSIoHYjdk5QeWW4jeU/Nq2iNTw0bdepfI+1XI=,iv:3xwOV6Q6u1b7zhSgiaNIMQOa3ZKti7XV/AtGrlkcjbI=,tag:TR3ZdE72aP4S5/0mt4m0VA==,type:str] + lastmodified: "2025-08-04T22:04:26Z" + mac: ENC[AES256_GCM,data:yfDs8c7MPML1XD4O2IfUXJg3QT+cdknNw/RuG12FlwJ7uoB2B2EvTwJJh6FNfuBVGY3Ed4nHwCTdIva+nJyOYWt9rfGqettfn4hHbVXLQ0B82JSexLXGKs9RtVY1mG4vzk3N575v3+A82RtssCSF/O/puij9qrjnkpLk6YbqLMo=,iv:BrobW9hDUkTbKRQBqfkeeNExMOqbrjdupDvSzCn9WRQ=,tag:w8EJq0LG3pWaUqKZGAJtgg==,type:str] pgp: - created_at: "2025-07-13T06:51:55Z" enc: "-----BEGIN PGP MESSAGE-----\n\nhQIMA82rPM2mSf/aARAAjtuwpAk5OCIRUXTwig8V+Md3mzZ5B/mXaEipSL+bz8aK\nNro9p82GsnMIgHS7qpMwcc53NSNL0wmju3tcB/TaFsRVot1QTcIraPP2saDx02Mm\nwKg0pcqDk55X+htHY1iYZS9JO1bVz7EmJjPsfcEdvBm2JNCjZeNToy7mnjFWBBlu\nOqX0V2qrWcm3lG2HMBUGOHQ8o3iC7OWBTIKSDMx8dJb7L4NlB3LxtfsibmsrvOk1\nAtUXKf6DjjRcRV3LiVFFhswPfbUx9uYrNLQM3g2J5jxyoWHVCLdVqsBGe03zxmlA\niAglRbYNbhayoWH/1j/10VbtEuRSURKtCPWysaOr+u/UOWpbRi0S3WTkx2E603wC\nk2msofhS8iQv8Dp2Y5zcdFvLnWpCzdXFWPedLE08fKKHkht40Pdh8rq09Y8eepAT\nHUvuaJSfG1/RZX3IRoyHTyFmVrRF1ZEPDxcMKD8Kx3Vn7dfXVO3Bxx7dBTyY4UzO\nVzx8KJBulCib2jDY0CqBNL50Kgy935rHhBRUlx4MBxhSKnkKHIiXYalINZUxHUxn\nYzztQbxLnOgb94z2dEPEu6xxgSLC40XNY65SzwtEKHkR7QNkyRqm1VXbT6tEpYRg\nVgDKZgBWLQ68G+DDkDbUCkGy4w3umMSfuX8rlNEUG9C0Kk5CXffyKqA8J3+T97bS\nXAGZYbFMTTgpa1Z/vnmAfsr/CUvAUflkgtvJH7wxXVL41a/12IQ/kx1mxMxh3JjS\n0R2phlMwSy5ct1scgJQZIc+fvgjMthNl1b5XqnWE0eRwVduKpi3/uzCZhzXd\n=tMGM\n-----END PGP MESSAGE----- " From 89efffd2e9ca18f9a063ed3530030fa6c07ae2d9 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Mon, 4 Aug 2025 14:16:48 -0700 Subject: [PATCH 10/12] Makefile: fix 'make shell' --- Makefile | 7 +++++-- src/make/macros.mk | 4 ++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a33fe85..f01f347 100644 --- a/Makefile +++ b/Makefile @@ -47,8 +47,8 @@ update-tools: ./src/make/update.sh .PHONY: shell -shell: out/tools-image.digest - $(call run-container, -v $${PWD}:/home/user/stack:rw, $(shell cat $<), /bin/bash) +shell: build-tools load-tools + $(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash) .PHONY: credentials credentials: \ @@ -147,6 +147,9 @@ build-%: images/tools/Containerfile | out cd images/tools $(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION)) +load-%: build-% + $(call import-container,$*) + out/tools-image.digest: out build-tools .PHONY: plan diff --git a/src/make/macros.mk b/src/make/macros.mk index 68036cf..1479e72 100644 --- a/src/make/macros.mk +++ b/src/make/macros.mk @@ -48,3 +48,7 @@ define build-container $(dir $3) \ | tar -C out/image/$(1) -mx endef + +define import-container + tar -C out/image/$(1) -cf - . | docker load +endef From efa437b8a863d5a5f6d390735958c3d65b0f8603 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Mon, 4 Aug 2025 14:57:17 -0700 Subject: [PATCH 11/12] .bashrc: fix passing in arguments to wrapped tools --- .bashrc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.bashrc b/.bashrc index 34a7aca..4867e36 100644 --- a/.bashrc +++ b/.bashrc @@ -1,3 +1,3 @@ -alias k9s='sops exec-file --no-fifo ~/stack/secrets/production.kubeconfig "KUBECONFIG={} /usr/bin/k9s"' -alias kubectl='function _kubectl(){ sops exec-file --no-fifo ~/stack/secrets/production.kubeconfig "KUBECONFIG={} /usr/bin/kubectl $@"; };_kubectl' -alias talosctl='function _talosctl(){ sops exec-file --no-fifo ~/stack/secrets/production.talosconfig "TALOSCONFIG={} /usr/bin/talosctl $@"; };_talosctl' +alias k9s='function _k9s(){ sops exec-file --no-fifo "${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/k9s $*"; };_k9s' +alias kubectl='function _kubectl(){ sops exec-file --no-fifo "${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/kubectl $*"; };_kubectl' +alias talosctl='function _talosctl(){ sops exec-file --no-fifo "${HOME}/stack/secrets/production.talosconfig" "TALOSCONFIG={} /usr/bin/talosctl $*"; };_talosctl' From 0f74b74d1e421bd86bc611f50dffed57d6dbff51 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Tue, 5 Aug 2025 08:34:04 -0700 Subject: [PATCH 12/12] Add make target to push to container registry --- Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile b/Makefile index f01f347..89fecbf 100644 --- a/Makefile +++ b/Makefile @@ -150,6 +150,9 @@ build-%: images/tools/Containerfile | out load-%: build-% $(call import-container,$*) +push-%: build-% load-% + docker push $(REGISTRY)/$*:$(VERSION) + out/tools-image.digest: out build-tools .PHONY: plan