calendar-contacts-server (net/calendar-contacts-server)
Apple Calendar and Contacts Server configuration
ccs-calendarserver is a standards-compliant server implementing the CalDAV and CardDAV protocols, including iMIP and APNS. It provides a shared location on the network allowing multiple users to store and edit calendaring and contact information. This port provides a basic, working, easily modifiable configuration, previously used in macOS Server.app, and an nginx reverse proxy to handle modern crypto and isolate the backend server.
Version: 9.3.20200212 License: Apache-2
Maintainers | essandess |
Categories | net mail |
Homepage | https://www.calendarserver.org |
Platforms | {darwin any} |
Variants |
"calendar-contacts-server" depends on
lib (27)
run (2)
build (2)
Ports that depend on "calendar-contacts-server"
No ports
Port notes
Apple Calendar and Contacts Server is a standards-compliant server implementing the CalDAV and CardDAV protocols. Full deployment requires a working mail server, DNS configuration on both the LAN and the internet, including SPF and DKIM records, trusted TLS certificates, port forwarding, possibly a mail relay, and more.
Users must reconfigure this installation for their own system, network, and security model specifics by editing all necessary files and checking file permissions. A subset of these settings are visible in the files:
port contents calendar-contacts-server
port file calendar-contacts-server
These are the locations and network settings for the default configuration:
Calendar and Contacts Server:
${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist
nginx Reverse Proxy:
${prefix}/var/calendarserver/Library/CalendarServer/etc/nginx.conf
ports: 8008, 8443, 8800, 8843
Personal data (note, outside ${prefix}):
/var/calendarserver/Library/CalendarServer/Data
Account and principal information is configurable in the file:
${prefix}/var/calendarserver/Library/CalendarServer/auth/accounts.xml
with baseline account records of the form:
<record>
<uid>7E1DE44E-F1E5-4656-93EF-1714B37877A5</uid>
<short-name>username</short-name>
<full-name>User Name</full-name>
<password>strong-password</password>
<email>username@example.com</email>
</record>
uids must be unique; on macOS, two ways of generating uids are the command `uuidgen`, or, for local accounts and especially when migrating from an OpenDirectory-based server:
dscl . -read /Users/username GeneratedUID
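A pre-flight check for accounts.xml, as an added example that is not part of the port: it reports uids shared by more than one record, accounts that still carry the template password from the record above, and a file mode that lets other local users read the passwords. It assumes one element per line as in that record; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the port: audit accounts.xml before loading the service.
# Assumes one element per line, laid out like the record shown above.

# uid values that occur in more than one record
duplicate_uids() {
    sed -n 's:.*<uid>\(.*\)</uid>.*:\1:p' "$1" | sort | uniq -d
}

# short-names whose password is still the template value from the notes
template_passwords() {
    awk -F'[<>]' '$2 == "short-name" { name = $3 }
        $2 == "password" && $3 == "strong-password" { print name }' "$1"
}

# true when the file mode grants read access to "other"
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print one finding per line; return 1 if anything was found.
audit_accounts() {
    rc=0
    for u in $(duplicate_uids "$1"); do echo "duplicate uid: $u"; rc=1; done
    for n in $(template_passwords "$1"); do echo "template password: $n"; rc=1; done
    if other_readable "$1"; then echo "world-readable: $1"; rc=1; fi
    return $rc
}

# Constructed sample records: a shared uid and one template password.
write_sample() {
    cat > "$1" <<'EOF'
<record>
  <uid>00000000-0000-4000-8000-000000000001</uid>
  <short-name>alice</short-name>
  <password>strong-password</password>
</record>
<record>
  <uid>00000000-0000-4000-8000-000000000001</uid>
  <short-name>bob</short-name>
  <password>constructed-example-value</password>
</record>
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 0644 "$sample"
audit_accounts "$sample" || true
rm -f "$sample"
```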
A working Calendar and Contacts Server will allow local account authentication at these web pages (ports 8008 and 8800 are unencrypted):
http://host.example.com:8008
https://host.example.com:8443
http://host.example.com:8800
https://host.example.com:8843
TLS certificate updates must be included in calendar-contacts-server's proxy nginx.conf and, if installed, mail-server dovecot's conf.d/10-ssl.conf, and postfix's master.cf. Instructions are included as comments in:
sudo vi ${prefix}/var/calendarserver/Library/CalendarServer/etc/nginx.conf
sudo vi ${prefix}/etc/dovecot/conf.d/10-ssl.conf
sudo vi ${prefix}/etc/postfix/main.cf
Calendars and Contacts backup:
TS=$(date '+%F')
mkdir -p -m 0700 /tmp/caldav_$TS/calendars
mkdir -p -m 0700 /tmp/caldav_$TS/contacts
${prefix}/var/calendarserver/Library/CalendarServer/ccs-calendarserver/bin/calendarserver_export --config ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist --all --calendars --directory=/tmp/caldav_$TS/calendars
${prefix}/var/calendarserver/Library/CalendarServer/ccs-calendarserver/bin/calendarserver_export --config ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist --all --contacts --directory=/tmp/caldav_$TS/contacts
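A variant of the backup staging step, as an added example that is not part of the port notes: `mkdir -p -m 0700` applies the mode only to the last path component and silently accepts a directory that already exists, so the dated parent under /tmp gets the umask default and could have been created earlier by another local account. The sketch below uses `mktemp -d` under `umask 077` instead; `PREFIX` (defaulting to /opt/local) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: private, unpredictable staging directory for the export.
# PREFIX is an assumption standing in for ${prefix} in the notes above.
PREFIX=${PREFIX:-/opt/local}
CCS="$PREFIX/var/calendarserver/Library/CalendarServer"

# Create <base>/caldav_<date>.XXXXXX with calendars/ and contacts/ inside,
# all mode 0700, and print the path. mktemp -d always creates a new directory,
# so a directory pre-created by another local user is never reused.
make_staging() {
    base=${1:-/tmp}
    ( umask 077
      dir=$(mktemp -d "$base/caldav_$(date '+%F').XXXXXX") || exit 1
      mkdir "$dir/calendars" "$dir/contacts" || exit 1
      printf '%s\n' "$dir" )
}

# Run both exports into the staging directory, with the same flags as the notes.
export_all() {
    for kind in calendars contacts; do
        "$CCS/ccs-calendarserver/bin/calendarserver_export" \
            --config "$CCS/Config/calendarserver.plist" \
            --all "--$kind" "--directory=$1/$kind" || return 1
    done
}

# Only attempt the export where the tool is actually installed.
if [ -x "$CCS/ccs-calendarserver/bin/calendarserver_export" ]; then
    staging=$(make_staging /tmp) && export_all "$staging" && echo "backup in $staging"
fi
```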
Known issues:
* All local accounts have access to calendarserver's password using
security find-generic-password -a calendarserver@host.example.com -g
If this Keychain item is missing, it must be added with a corresponding password for the calendarserver user:
sudo /usr/bin/security add-generic-password \
-a calendarserver@host.example.com \
-s org.calendarserver -T /usr/bin/security \
-w 'a-strong-passphrase' \
-A /Library/Keychains/System.keychain
sudo dscl . passwd /Users/calendarserver 'a-strong-passphrase'
This is a hack to provide twistedcaldav authentication access. See: https://github.com/apple/ccs-calendarserver/blob/master/twistedcaldav/util.py An alternate approach must be used if non-trusted local accounts exist on the Calendar and Contacts Server.
* The CalendarServer service does not reliably start after reboot,
presumably due to an issue with launchd. A workaround
after rebooting is to issue the commands:
sudo port unload calendar-contacts-server ; sleep 5 ;\
sudo port load calendar-contacts-server
* The package ccs-calendarserver is written in Python 2.7, which will reach the end of its life on January 1st, 2020. A future version of pip will drop support for Python 2.7.
Calendar and Contacts Server may be configured to use Apple Push Notification Service (APNS) with these steps:
1. Acquire APNS Mail certificates from a (virtual) macOS High Sierra 10.13 and Server.app version 5.6. Export the APNS certificates and keys from the Keychain into the files com.apple.servermgrd.apns.calendar.cer and com.apple.servermgrd.apns.calendar.key.p12. APNS certificates appear separately with names APSP:<UUID> that correspond to the certificate's User ID field, com.apple.calendar.XServer.<UUID>. APNS keys are simply named com.apple.servermgrd.apns.calendar. Repeat for the certificate com.apple.servermgrd.apns.contact.cer and key com.apple.servermgrd.apns.contact.key.p12. *Note*: APNS Mail certificate creation is deprecated on Server.app version 5.7+.
1. Acquire APNS Mail certificates from a (virtual) macOS High Sierra 10.13 and Server.app version 5.6. Export the certificates from the Keychain into the files com.apple.servermgrd.apns.calendar.p12 and com.apple.servermgrd.apns.contact.p12. *Note*: APNS Mail certificate creation is deprecated on Server.app version 5.7+.
2. Convert the APNS Mail certificates to cert, key, and chain PEM files, all named "apns:com.apple.*.pem":
openssl x509 -inform der -in com.apple.servermgrd.apns.calendar.cer \
| sed '/BEGIN CERTIFICATE/,$!d' > com.apple.calendar.cert.pem
openssl x509 -inform der -in com.apple.servermgrd.apns.contact.cer \
| sed '/BEGIN CERTIFICATE/,$!d' > com.apple.contact.cert.pem
openssl pkcs12 -in com.apple.servermgrd.apns.calendar.key.p12 \
-nodes -nocerts | sed '/BEGIN PRIVATE KEY/,$!d' \
> com.apple.calendar.key.pem.decrypted
openssl pkcs12 -in com.apple.servermgrd.apns.contact.key.p12 \
-nodes -nocerts | sed '/BEGIN PRIVATE KEY/,$!d' \
> com.apple.contact.key.pem.decrypted
sudo security add-generic-password -a apns:com.apple.calendar \
-s 'MacPorts Calendar and Contacts Server' \
-T /usr/bin/security \
-w $(openssl rand -base64 24) \
-U /Library/Keychains/System.keychain
sudo security add-generic-password -a apns:com.apple.contact \
-s 'MacPorts Calendar and Contacts Server' \
-T /usr/bin/security \
-w $(openssl rand -base64 24) \
-U /Library/Keychains/System.keychain
# encrypt the keys with these passphrases
openssl rsa -aes256 -in com.apple.calendar.key.pem.decrypted \
-out com.apple.calendar.key.pem
openssl rsa -aes256 -in com.apple.contact.key.pem.decrypted \
-out com.apple.contact.key.pem
# create the full PKI chain of trust
curl -LO https://www.apple.com/certificateauthority/AppleAAI2CA.cer
curl -LO https://www.apple.com/appleca/AppleIncRootCertificate.cer
openssl x509 -inform der -in AppleAAI2CA.cer \
-out AppleAAI2CA.cert.pem
openssl x509 -inform der -in AppleIncRootCertificate.cer \
-out AppleIncRootCertificate.cert.pem
cat com.apple.calendar.cert.pem \
AppleAAI2CA.cert.pem \
AppleIncRootCertificate.cert.pem \
> com.apple.calendar.chain.pem
cat com.apple.contact.cert.pem \
AppleAAI2CA.cert.pem \
AppleIncRootCertificate.cert.pem \
> com.apple.contact.chain.pem
openssl verify -CAfile com.apple.calendar.chain.pem \
com.apple.calendar.cert.pem
openssl verify -CAfile com.apple.contact.chain.pem \
com.apple.contact.cert.pem
sudo install -m 0644 -o calendarserver -g _calendar \
com.apple.calendar.cert.pem com.apple.contact.cert.pem \
com.apple.calendar.key.pem com.apple.contact.key.pem \
com.apple.calendar.chain.pem com.apple.contact.chain.pem \
${prefix}/var/calendarserver/Library/CalendarServer/Config/Certificates
sudo bash -c 'cd ${prefix}/var/calendarserver/Library/CalendarServer/Config/Certificates ; \
for f in com.apple.*.pem; do mv -f "${f}" "apns:${f}"; done'
3. Configure calendarserver for APNS by uncommenting this block in the file ${prefix}/var/calendarserver/Library/CalendarServer/Config/calendarserver.plist:
<key>Notifications</key>
<dict>
<key>Services</key>
<dict>
<key>APNS</key>
<dict>
<key>Enabled</key>
<true/>
</dict>
</dict>
</dict>
Startup items (named 'calendarserver, calendarserver_proxy') have been generated that will aid in starting calendar-contacts-server with launchd. They are disabled by default. Execute the following command to start them, and to cause them to launch at startup:
sudo port load calendar-contacts-server