calendar-contacts-server (net/calendar-contacts-server)

Apple Calendar and Contacts Server configuration

ccs-calendarserver is a standards-compliant server implementing the CalDAV and CardDAV protocols, including iMIP and APNS. It provides a shared location on the network allowing multiple users to store and edit calendaring and contact information. This port provides a basic, working, easily modifiable configuration, previously used in macOS Server.app, and an nginx reverse proxy to handle modern crypto and isolate the backend server.

Version: 9.3.20200212 License: Apache-2 GitHub
Maintainers essandess
Categories net mail
Homepage https://www.calendarserver.org
Platforms {darwin any}
Variants
  • apns (Use Apple Push Notification Service (APNS))
  • initialize_always (Always initialize all configuration files. Intended for development and troubleshooting only. Working deployments must disable this variant to prevent configuration files being overwritten at the next upgrade. Existing configuration files are not overwritten by default.)

"calendar-contacts-server" depends on

lib (27)
run (2)
build (2)

Ports that depend on "calendar-contacts-server"

No ports


Port notes

Apple Calendar and Contacts Server is a standards-compliant server implementing the CalDAV and CardDAV protocols. Full deployment requires a working mail server, DNS configuration on both the LAN and the internet, including SPF and DKIM records, trusted TLS certificates, port forwarding, possibly a mail relay, and more.

Users must reconfigure this installation for their own system, network, and security model specifics by editing all necessary files and checking file permissions. A subset of these settings are visible in the files:

port contents calendar-contacts-server
port file calendar-contacts-server

These are the locations and network settings for the default configuration:

Calendar and Contacts Server:
${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist

nginx Reverse Proxy:
${prefix}/var/calendarserver/Library/CalendarServer/etc/nginx.conf
ports: 8008, 8443, 8800, 8843

Personal data (note, outside ${prefix}):
/var/calendarserver/Library/CalendarServer/Data

Account and principal information is configurable in the file:
${prefix}/var/calendarserver/Library/CalendarServer/auth/accounts.xml

with baseline account records of the form:

<record>
<uid>7E1DE44E-F1E5-4656-93EF-1714B37877A5</uid>
<short-name>username</short-name>
<full-name>User Name</full-name>
<password>strong-password</password>
<email>username@example.com</email>
</record>

uids must be unique; on macOS, two ways of generating uids are the command `uuidgen` or, for local accounts and especially when migrating from an OpenDirectory-based server:

dscl . -read /Users/username GeneratedUID

A working Calendar and Contacts Server will allow local account authentication at these web pages (ports 8008 and 8800 are unencrypted):

http://host.example.com:8008
https://host.example.com:8443
http://host.example.com:8800
https://host.example.com:8843

TLS certificate updates must be included in calendar-contacts-server's proxy nginx.conf and, if installed, mail-server dovecot's conf.d/10-ssl.conf, and postfix's master.cf. Instructions are included as comments in:

sudo vi ${prefix}/var/calendarserver/Library/CalendarServer/etc/nginx.conf
sudo vi ${prefix}/etc/dovecot/conf.d/10-ssl.conf
sudo vi ${prefix}/etc/postfix/main.cf

Calendars and Contacts backup:

TS=$(date '+%F')
mkdir -p -m 0700 /tmp/caldav_$TS/calendars
mkdir -p -m 0700 /tmp/caldav_$TS/contacts
${prefix}/var/calendarserver/Library/CalendarServer/ccs-calendarserver/bin/calendarserver_export --config ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist --all --calendars --directory=/tmp/caldav_$TS/calendars
${prefix}/var/calendarserver/Library/CalendarServer/ccs-calendarserver/bin/calendarserver_export --config ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist --all --contacts --directory=/tmp/caldav_$TS/contacts
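
A hardened variant of the staging step above, as an added example that is not part of the port's notes: `mkdir -p -m 0700` applies the mode only to the final directory and silently reuses an existing /tmp/caldav_<date>, so this version creates an unpredictable private directory with mktemp under umask 077. The PREFIX default of /opt/local and the function names are assumptions.

```shell
#!/bin/sh
# Added example: stage a Calendar and Contacts export in a private directory.
# PREFIX=/opt/local is an assumption; the other paths are those in the notes.
PREFIX="${PREFIX:-/opt/local}"
CCS="$PREFIX/var/calendarserver/Library/CalendarServer"
EXPORT_BIN="${EXPORT_BIN:-$CCS/ccs-calendarserver/bin/calendarserver_export}"
CONFIG="${CONFIG:-$CCS/Config/calendarserver.plist}"

# Create <tmp>/caldav_<date>.<random>/{calendars,contacts}, all mode 0700,
# and print the top-level path. mktemp fails rather than reuse a directory.
make_staging_dir() {
    ( umask 077
      base=$(mktemp -d "${TMPDIR:-/tmp}/caldav_$(date '+%F').XXXXXX") || exit 1
      mkdir "$base/calendars" "$base/contacts" || exit 1
      printf '%s\n' "$base" )
}

# Run both exports from the notes into the staging directory given as $1.
run_export() {
    "$EXPORT_BIN" --config "$CONFIG" --all --calendars \
        --directory="$1/calendars" &&
    "$EXPORT_BIN" --config "$CONFIG" --all --contacts \
        --directory="$1/contacts"
}

# Full backup: print the staging path on success; on failure remove the
# partial export so no personal data is left behind in the temp directory.
ccs_backup() {
    dir=$(make_staging_dir) || return 1
    run_export "$dir" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir"
}
```

Call `ccs_backup` as the same user that runs the export commands above, then move the printed directory to its final backup location.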

Known issues:
* All local accounts have access to calendarserver's password using

security find-generic-password -a calendarserver@host.example.com -g

If this Keychain item is missing, it must be added with a corresponding password for the calendarserver user:

sudo /usr/bin/security add-generic-password \
-a calendarserver@host.example.com \
-s org.calendarserver -T /usr/bin/security \
-w 'a-strong-passphrase' \
-A /Library/Keychains/System.keychain
sudo dscl . passwd /Users/calendarserver 'a-strong-passphrase'

This is a hack to provide twistedcaldav authentication access. See: https://github.com/apple/ccs-calendarserver/blob/master/twistedcaldav/util.py

An alternate approach must be used if non-trusted local accounts exist on the Calendar and Contacts Server.

* The CalendarServer service does not reliably start after reboot,
presumably due to an issue with launchd. A workaround
after rebooting is to issue the commands:

sudo port unload calendar-contacts-server ; sleep 5 ;\
sudo port load calendar-contacts-server

* The package ccs-calendarserver is written in Python 2.7, which will reach the end of its life on January 1st, 2020. A future version of pip will drop support for Python 2.7.

Calendar and Contacts Server may be configured to use Apple Push Notification Service (APNS) with these steps:

1. Acquire APNS Mail certificates from a (virtual) macOS High Sierra 10.13 and Server.app version 5.6. Export the APNS certificates and keys from the Keychain into the files com.apple.servermgrd.apns.calendar.cer and com.apple.servermgrd.apns.calendar.key.p12. APNS certificates appear separately with names APSP:<UUID> that correspond to the certificate's User ID field, com.apple.calendar.XServer.<UUID>. APNS keys are simply named com.apple.servermgrd.apns.calendar. Repeat for the certificate com.apple.servermgrd.apns.contact.cer and key com.apple.servermgrd.apns.contact.key.p12. *Note*: APNS Mail certificate creation is deprecated on Server.app version 5.7+.

1. Acquire APNS Mail certificates from a (virtual) macOS High Sierra 10.13 and Server.app version 5.6. Export the certificates from the Keychain into the files com.apple.servermgrd.apns.calendar.p12 and com.apple.servermgrd.apns.contact.p12. *Note*: APNS Mail certificate creation is deprecated on Server.app version 5.7+.

2. Convert the APNS Mail certificates to cert, key, and chain PEM files, all named "apns:com.apple.*.pem":

openssl x509 -inform der -in com.apple.servermgrd.apns.calendar.cer \
| sed '/BEGIN CERTIFICATE/,$!d' > com.apple.calendar.cert.pem
openssl x509 -inform der -in com.apple.servermgrd.apns.contact.cer \
| sed '/BEGIN CERTIFICATE/,$!d' > com.apple.contact.cert.pem
openssl pkcs12 -in com.apple.servermgrd.apns.calendar.key.p12 \
-nodes -nocerts | sed '/BEGIN PRIVATE KEY/,$!d' \
> com.apple.calendar.key.pem.decrypted
openssl pkcs12 -in com.apple.servermgrd.apns.contact.key.p12 \
-nodes -nocerts | sed '/BEGIN PRIVATE KEY/,$!d' \
> com.apple.contact.key.pem.decrypted
sudo security add-generic-password -a apns:com.apple.calendar \
-s 'MacPorts Calendar and Contacts Server' \
-T /usr/bin/security \
-w $(openssl rand -base64 24) \
-U /Library/Keychains/System.keychain
sudo security add-generic-password -a apns:com.apple.contact \
-s 'MacPorts Calendar and Contacts Server' \
-T /usr/bin/security \
-w $(openssl rand -base64 24) \
-U /Library/Keychains/System.keychain
# encrypt the keys with these passphrases
openssl rsa -aes256 -in com.apple.calendar.key.pem.decrypted \
-out com.apple.calendar.key.pem
openssl rsa -aes256 -in com.apple.contact.key.pem.decrypted \
-out com.apple.contact.key.pem
# create the full PKI chain of trust
curl -LO https://www.apple.com/certificateauthority/AppleAAI2CA.cer
curl -LO https://www.apple.com/appleca/AppleIncRootCertificate.cer
openssl x509 -inform der -in AppleAAI2CA.cer \
-out AppleAAI2CA.cert.pem
openssl x509 -inform der -in AppleIncRootCertificate.cer \
-out AppleIncRootCertificate.cert.pem
cat com.apple.calendar.cert.pem \
AppleAAI2CA.cert.pem \
AppleIncRootCertificate.cert.pem \
> com.apple.calendar.chain.pem
cat com.apple.contact.cert.pem \
AppleAAI2CA.cert.pem \
AppleIncRootCertificate.cert.pem \
> com.apple.contact.chain.pem
openssl verify -CAfile com.apple.calendar.chain.pem \
com.apple.calendar.cert.pem
openssl verify -CAfile com.apple.contact.chain.pem \
com.apple.contact.cert.pem
sudo install -m 0644 -o calendarserver -g _calendar \
com.apple.calendar.cert.pem com.apple.contact.cert.pem \
com.apple.calendar.key.pem com.apple.contact.key.pem \
com.apple.calendar.chain.pem com.apple.contact.chain.pem \
${prefix}/var/calendarserver/Library/CalendarServer/Config/Certificates
sudo bash -c 'cd ${prefix}/var/calendarserver/Library/CalendarServer/Config/Certificates ; \
for f in com.apple.*.pem; do mv -f "${f}" "apns:${f}"; done'

3. Configure calendarserver for APNS by uncommenting this block in the file ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist:

<key>Notifications</key>
<dict>
<key>Services</key>
<dict>
<key>APNS</key>
<dict>
<key>Enabled</key>
<true/>
</dict>
</dict>
</dict>

Startup items (named 'calendarserver, calendarserver_proxy') have been generated that will aid in starting calendar-contacts-server with launchd. They are disabled by default. Execute the following command to start them, and to cause them to launch at startup:

sudo port load calendar-contacts-server
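
A check for conditions these notes leave to the administrator, as an added example rather than part of the port: accounts.xml stores passwords in clear text, and step 2 of the APNS procedure leaves `*.decrypted` private keys in the working directory. The function names and the two-argument interface (server root, working directory) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the port). Assumed layout under ROOT:
#   auth/accounts.xml and Config/Certificates/, as in the notes above.

# Succeed if FILE is a PEM private key with no passphrase protection.
# Encrypted keys carry "ENCRYPTED" either in the BEGIN line (PKCS#8) or in
# a "Proc-Type: 4,ENCRYPTED" header (traditional format).
is_plaintext_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null &&
        ! grep -q 'ENCRYPTED' "$1"
}

# Print one finding per line for ROOT (the CalendarServer directory) and
# WORKDIR (the directory in which the openssl conversion steps were run).
ccs_audit() {
    root=$1
    workdir=$2
    accounts="$root/auth/accounts.xml"
    if [ -f "$accounts" ]; then
        # Every local user can read the passwords if "other" has read access.
        if [ -n "$(find "$accounts" -perm -004)" ]; then
            echo "world-readable: $accounts"
        fi
        # The sample record from the notes was never edited.
        if grep -q '<password>strong-password</password>' "$accounts"; then
            echo "placeholder-password: $accounts"
        fi
    fi
    for f in "$workdir"/* "$root"/Config/Certificates/*; do
        [ -f "$f" ] || continue
        if is_plaintext_key "$f"; then
            echo "plaintext-key: $f"
        fi
    done
    return 0
}
```

Run it as `ccs_audit ${prefix}/var/calendarserver/Library/CalendarServer <conversion directory>`; empty output means none of the three conditions was found.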


Installations (30 days)

1

Requested Installations (30 days)

1