yeah

.gitignore

@@ -1,5 +1,6 @@
 .direnv
 server.log
+shell.nix
 mem.go
 nxcaldav
 in/

config.yaml

@@ -3,74 +3,21 @@ database:
 server:
   bind_address: 0.0.0.0:14243
   default_class: CONFIDENTIAL
-  public_url: http://nxc.nx2.site/
+  public_url: http://example.com/
-  email_domain: nx2.site
+  email_domain: example.com
   redaction_text: '[-]'
 
 smtp:
   host: localhost
   port: 587
   user: nxcaldav@nx2.site
-  password: Vastly-Wrinkle9-Corsage
+  password_cmd: echo "Vastly-Wrinkle9-Corsage"
 
 users:
-  - name: daniel
-    password: ll
-    groups:
-      - family
-  - name: lennart
-    password: ll
-    groups:
-      - family
-  - name: shared
-    password: Oxidant-Ageless3-Dispersed
 
 calendars:
-  - id: preservation
-    owner: lennart
-    color: '#F6F5F4'
-  - id: effort
-    owner: lennart
-    color: '#FF0000'
-  - id: experience
-    owner: lennart
-    color: '#2C33FF'
-  - id: leisure
-    owner: lennart
-    color: '#10B400'
-  - id: daniel
-    owner: daniel
-    color: '#ff2222'
-  - access:
-    - group: family
-      mode: read-write
-    id: family
-    owner: shared
-    color: '#999999'
 
 address_books:
-  - id: contacts
-    owner: lennart
-  - id: contacts
-    owner: daniel
-  - id: family
-    owner: shared
-    access:
-      - group: family
-        mode: read-write
 
 aggregates:
-- access:
-  - group: family
-    mode: read-only
-  - ics: future-only
-  id: lennart-aggregat
-  owner: lennart
-  color: '#dd9999'
-  sources:
-    - preservation
-    - effort
-    - experience
-    - leisure
-    - family
 

export_events.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import argparse
 import psycopg2

import_events.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 import os
 import argparse
 import psycopg2

internal/backend/db.go

@@ -8,7 +8,6 @@ import (
 	"log"
 	"net/http"
 	"net/url"
-	"os/exec"
 	"path"
 	"slices"
 	"strings"
@@ -140,16 +139,9 @@ func (b *DBBackend) initSchema(ctx context.Context) error {
 }
 
 func (b *DBBackend) resolvePassword(u config.User) (string, error) {
-	var raw string
+	raw, err := config.ResolvePassword(u.Password, u.PasswordCmd)
-	if u.PasswordCmd != "" {
-		cmd := exec.Command("sh", "-c", u.PasswordCmd)
-		out, err := cmd.Output()
 	if err != nil {
-			return "", fmt.Errorf("failed to run password command for %s: %v", u.Name, err)
+		return "", fmt.Errorf("failed to resolve password for %s: %v", u.Name, err)
-		}
-		raw = strings.TrimSpace(string(out))
-	} else {
-		raw = u.Password
 	}
 
 	// If it already looks like a bcrypt hash, return as is.
@@ -237,6 +229,7 @@ func (b *DBBackend) syncConfig(ctx context.Context, cfg *config.Config) error {
 			if a.User != "" {
 				tUsers = append(tUsers, a.User)
 			}
+			tUsers = append(tUsers, a.Users...)
 			if a.Group != "" {
 				tUsers = append(tUsers, groupMembers[a.Group]...)
 			}
@@ -307,6 +300,7 @@ func (b *DBBackend) syncConfig(ctx context.Context, cfg *config.Config) error {
 			if a.User != "" {
 				tUsers = append(tUsers, a.User)
 			}
+			tUsers = append(tUsers, a.Users...)
 			if a.Group != "" {
 				tUsers = append(tUsers, groupMembers[a.Group]...)
 			}
@@ -358,6 +352,7 @@ func (b *DBBackend) syncConfig(ctx context.Context, cfg *config.Config) error {
 			if a.User != "" {
 				tUsers = append(tUsers, a.User)
 			}
+			tUsers = append(tUsers, a.Users...)
 			if a.Group != "" {
 				tUsers = append(tUsers, groupMembers[a.Group]...)
 			}
@@ -1473,3 +1468,18 @@ func (b *DBBackend) DeleteAddressObject(ctx context.Context, p string) error {
 func (b *DBBackend) QueryAddressObjects(ctx context.Context, p string, query *carddav.AddressBookQuery) ([]carddav.AddressObject, error) {
 	return b.ListAddressObjects(ctx, p, nil)
 }
+
+func (b *DBBackend) HasAddressBooks(ctx context.Context) (bool, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return false, err
+	}
+	var exists bool
+	err = b.pool.QueryRow(ctx, `
+		SELECT EXISTS (
+			SELECT 1 FROM addressbooks 
+			WHERE owner_id = (SELECT id FROM users WHERE name = $1)
+			OR id IN (SELECT addressbook_id FROM addressbook_access WHERE user_id = (SELECT id FROM users WHERE name = $1))
+		)`, username).Scan(&exists)
+	return exists, err
+}

internal/backend/email.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/emersion/go-ical"
+	"nxcaldav/internal/config"
 )
 
 // sendInvitation sends an iMIP (RFC 6047) invitation email.
@@ -99,8 +100,14 @@ func (b *DBBackend) sendInvitation(senderName, recipientEmail, summary, descript
 			if err = c.StartTLS(tlsConfig); err != nil { return err }
 		}
 	}
-	if b.smtp.User != "" && b.smtp.Password != "" {
+
-		auth := smtp.PlainAuth("", b.smtp.User, b.smtp.Password, b.smtp.Host)
+	smtpPassword, err := config.ResolvePassword(b.smtp.Password, b.smtp.PasswordCmd)
+	if err != nil {
+		return fmt.Errorf("failed to resolve SMTP password: %v", err)
+	}
+
+	if b.smtp.User != "" && smtpPassword != "" {
+		auth := smtp.PlainAuth("", b.smtp.User, smtpPassword, b.smtp.Host)
 		if err = c.Auth(auth); err != nil { return err }
 	}
 

internal/config/config.go

@@ -1,8 +1,10 @@
 package config
 
 import (
+	"fmt"
 	"net/url"
 	"os"
+	"os/exec"
 	"slices"
 	"strings"
 
@@ -11,6 +13,7 @@ import (
 
 type Access struct {
 	User   string   `yaml:"user,omitempty"`
+	Users  []string `yaml:"users,omitempty"`
 	Group  string   `yaml:"group,omitempty"`
 	Groups string   `yaml:"groups,omitempty"`
 	Mode   string   `yaml:"mode"` // "read-only" or "read-write"
@@ -68,6 +71,7 @@ type SMTPConfig struct {
 	Port        int    `yaml:"port"`
 	User        string `yaml:"user"`
 	Password    string `yaml:"password"`
+	PasswordCmd string `yaml:"password_cmd"`
 }
 
 type Config struct {
@@ -79,6 +83,18 @@ type Config struct {
 	AddressBooks []AddressBook  `yaml:"address_books"`
 	Aggregates   []Aggregate    `yaml:"aggregates"`
 }
+
+func ResolvePassword(password, passwordCmd string) (string, error) {
+	if passwordCmd != "" {
+		cmd := exec.Command("sh", "-c", passwordCmd)
+		out, err := cmd.Output()
+		if err != nil {
+			return "", fmt.Errorf("failed to run password command: %v", err)
+		}
+		return strings.TrimSpace(string(out)), nil
+	}
+	return password, nil
+}
 func (c *Config) setDefaults() {
 	if c.Server.BindAddress == ""  { c.Server.BindAddress = ":8080" }
 	if c.Server.Redaction == ""    { c.Server.Redaction = "Busy" }

internal/extra/injector.go

@@ -107,10 +107,23 @@ func InjectColor(r *http.Request, ctx context.Context, handler http.Handler, w h
 	w.Write(body)
 }
 
-// modify caledar probfind
+func HandleDiscoveryOptions(r *http.Request, ctx context.Context, handler http.Handler, w http.ResponseWriter, be *backend.DBBackend) {
-//
+	buf := &bytes.Buffer{}
-// this again modeled after the Radicale response
+	rw := &responseWriter{w, buf, http.StatusOK}
-// Largly AI generated agian
+	handler.ServeHTTP(rw, r.WithContext(ctx))
+
+	if has, _ := be.HasAddressBooks(ctx); has {
+		dav := w.Header().Get("DAV")
+		if dav == "" {
+			w.Header().Set("DAV", "1, 3, addressbook, calendar-access")
+		} else if !strings.Contains(dav, "addressbook") {
+			w.Header().Set("DAV", dav+", addressbook")
+		}
+	}
+	w.WriteHeader(rw.status)
+	w.Write(buf.Bytes())
+}
+
 func HandleDiscoveryPropfind(r *http.Request, ctx context.Context, handler http.Handler, w http.ResponseWriter, be *backend.DBBackend) {
 	reqBody, _ := io.ReadAll(r.Body)
 	r.Body = io.NopCloser(bytes.NewBuffer(reqBody))
@@ -121,9 +134,19 @@ func HandleDiscoveryPropfind(r *http.Request, ctx context.Context, handler http.
 
 	body := buf.Bytes()
 
-	// 1. Unconditionally add namespaces to root tag
+	calHome, _ := be.CalendarHomeSetPath(ctx)
-	reMultistatus := regexp.MustCompile(`(<[a-zA-Z0-9]*:?multistatus)`)
+	cardHome, _ := be.AddressBookHomeSetPath(ctx)
-	body = reMultistatus.ReplaceAll(body, []byte(`$1 xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:card="urn:ietf:params:xml:ns:carddav"`))
+	hasAddressBooks, _ := be.HasAddressBooks(ctx)
+
+	// Ensure DAV: addressbook header is present if user has address books
+	if hasAddressBooks {
+		dav := w.Header().Get("DAV")
+		if dav == "" {
+			w.Header().Set("DAV", "1, 3, addressbook, calendar-access")
+		} else if !strings.Contains(dav, "addressbook") {
+			w.Header().Set("DAV", dav+", addressbook")
+		}
+	}
 
 	// 2. Response processing
 	reResponse := regexp.MustCompile(`(?s)<[a-zA-Z0-9]*:?response.*?>.*?</[a-zA-Z0-9]*:?response>`)
@@ -139,10 +162,7 @@ func HandleDiscoveryPropfind(r *http.Request, ctx context.Context, handler http.
 			return resp
 		}
 
-		calHome, _ := be.CalendarHomeSetPath(ctx)
+		// Strip these tags ONLY from non-200 propstats to avoid duplicates or 404 overrides
-		cardHome, _ := be.AddressBookHomeSetPath(ctx)
-
-		// Strip these tags ONLY from non-200 propstats
 		resp = rePropstat.ReplaceAllFunc(resp, func(ps []byte) []byte {
 			if !reStatusOk.Match(ps) {
 				reTags := regexp.MustCompile(`(?s)<[a-zA-Z0-9:]*(calendar-home-set|addressbook-home-set).*?/>|<[a-zA-Z0-9:]*(calendar-home-set|addressbook-home-set).*?>.*?</[a-zA-Z0-9:]*(calendar-home-set|addressbook-home-set)>`)
@@ -152,11 +172,13 @@ func HandleDiscoveryPropfind(r *http.Request, ctx context.Context, handler http.
 		})
 
 		props := ""
+		// Inject calendar-home-set if missing (with local namespace definition for safety)
 		if calHome != "" && !strings.Contains(string(resp), "calendar-home-set") {
-			props += fmt.Sprintf("<C:calendar-home-set><href xmlns=\"DAV:\">%s</href></C:calendar-home-set>", calHome)
+			props += fmt.Sprintf("<C:calendar-home-set xmlns:C=\"urn:ietf:params:xml:ns:caldav\"><href xmlns=\"DAV:\">%s</href></C:calendar-home-set>", calHome)
 		}
-		if cardHome != "" && !strings.Contains(string(resp), "addressbook-home-set") {
+		// Inject addressbook-home-set if missing and user has address books
-			props += fmt.Sprintf("<card:addressbook-home-set><href xmlns=\"DAV:\">%s</href></card:addressbook-home-set>", cardHome)
+		if hasAddressBooks && cardHome != "" && !strings.Contains(string(resp), "addressbook-home-set") {
+			props += fmt.Sprintf("<CARD:addressbook-home-set xmlns:CARD=\"urn:ietf:params:xml:ns:carddav\"><href xmlns=\"DAV:\">%s</href></CARD:addressbook-home-set>", cardHome)
 		}
 
 		if props == "" {

main.go

@@ -19,11 +19,9 @@ import (
 	"nxcaldav/internal/extra"
 )
 
-
-
 func main() {
 	// -- GET CONFIG
-	path := "config.yaml";
+	path := "config.yaml"
 	if len(os.Args) == 3 {
 		if os.Args[1] == "-c" {
 			path = os.Args[2]
@@ -41,18 +39,18 @@ func main() {
 		log.Fatalf("failed to initialize database backend: %v", err)
 	}
 
-
 	// -- GET CONTEXT AND DB
 	caldavHandler := &caldav.Handler{Backend: be}
 	carddavHandler := &carddav.Handler{Backend: be}
 	publicURL, _ := url.Parse(cfg.Server.PublicURL)
 
-
 	// -- DISCOVERIES
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 
 		scheme := r.URL.Scheme
-	    if scheme == "" { scheme = "http" }
+		if scheme == "" {
+			scheme = "http"
+		}
 
 		// set host (because reverse proxies exist)
 		if publicURL != nil && publicURL.Host != "" {
@@ -60,7 +58,7 @@ func main() {
 			r.URL.Host = publicURL.Host
 
 			// prioritize X-Forwarded-Proto, then PublicURL (e.g. Cloudfalre proxy)
-			scheme := publicURL.Scheme
+			scheme = publicURL.Scheme
 			if proto := r.Header.Get("X-Forwarded-Proto"); proto != "" {
 				scheme = proto
 			}
@@ -108,20 +106,25 @@ func main() {
 		principalPath := prefix + fmt.Sprintf("/%s/", user)
 		ctx := context.WithValue(r.Context(), "principal", principalPath)
 
-        // set header for carddav
+		// set header for carddav if user has address books
 		if slices.Contains([]string{
+			"/", prefix + "/",
 			"/.well-known/carddav",
 			prefix + "/.well-known/carddav",
 			principalPath,
 			strings.TrimSuffix(principalPath, "/"),
 		}, r.URL.Path) || strings.Contains(r.URL.Path, "/addressbooks/") {
+			if has, _ := be.HasAddressBooks(ctx); has {
 				w.Header().Add("DAV", "addressbook")
 			}
+		}
 
-        // for caldav discovery
+		// for caldav and carddav discovery
 		if slices.Contains([]string{
 			"/.well-known/caldav",
 			prefix + "/.well-known/caldav",
+			"/.well-known/carddav",
+			prefix + "/.well-known/carddav",
 		}, r.URL.Path) {
 			http.Redirect(w, r, fmt.Sprintf("%s://%s%s", scheme, r.Host, principalPath), http.StatusMovedPermanently)
 			return
@@ -144,24 +147,20 @@ func main() {
 			// catch weird requests
 		} else {
 
-            if strings.HasSuffix(r.URL.Path, user+"/") || strings.HasSuffix(r.URL.Path, user) {
+			if strings.HasSuffix(r.URL.Path, user+"/") || strings.HasSuffix(r.URL.Path, user) || r.URL.Path == "/" || r.URL.Path == prefix+"/" {
-                // For principal path, use merged discovery handler
+				// For principal path or root, use merged discovery handler
 				if r.Method == "PROPFIND" {
 					extra.HandleDiscoveryPropfind(r, ctx, caldavHandler, w, be)
+				} else if r.Method == "OPTIONS" {
+					extra.HandleDiscoveryOptions(r, ctx, caldavHandler, w, be)
 				} else {
 					caldavHandler.ServeHTTP(w, r.WithContext(ctx))
-                    // Ensure DAV header includes addressbook for OPTIONS
-                    if r.Method == "OPTIONS" {
-                        dav := w.Header().Get("DAV")
-                        if dav != "" && !strings.Contains(dav, "addressbook") {
-                            w.Header().Set("DAV", dav+", addressbook")
-                        }
-                    }
 				}
 			} else {
 				http.NotFound(w, r)
 			}
 		}
+	})
 
 	fmt.Printf("Starting CalDAV/CardDAV server on %s...\n", cfg.Server.BindAddress)
 	server := &http.Server{

shell.nix

@@ -1,12 +0,0 @@
-{ pkgs ? import <nixpkgs> { } }: let
-  my-python = pkgs.python312;
-  python-with-my-packages = my-python.withPackages (p: with p; [
-    ical
-    ics
-    caldav
-    pyyaml
-    psycopg2
-  ]);
-in pkgs.mkShell {
-  buildInputs = [ python-with-my-packages ];
-}