summaryrefslogtreecommitdiff
path: root/static/src/_posts/2022-01-01-dav-is-all-you-need.md
blob: 3f79d6c6e9f60abab97a8920112e0a9de6f65213 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
---
title: >-
    DAV is All You Need
description: >-
    Contacts, calendars, passwords, oh my!
tags: tech
---

For some time now I've been trying to find an alternative solution to Google
Keep for shared note taking. The motivation for this change was two-fold:

* Google sucks, and I'm trying to get their products out of my life in favor of
  self-hosted options.

* Google Keep _really_ sucks. Seriously, it can barely load on my Chromebook
  because of whatever bloated ass web framework they're using for it. It's just
  a note taking app!

So this weekend I buckled down and actually made the switch. The first step was
to find something to switch _to_, however, which ended up being not trivial.
There's a million different options in this space, but surprisingly few which
could fulfill the exact niche we need in our household:

* Fully open-source and open protocol. If it's not open it's not worth the
  bother of switching, cause we'll just have to do it all again once whatever
  product we switch to gets acqui-hired by a food delivery app.

* Self-hosted using a _simple_ server-side component. I'm talking something that
  listens on a public port and saves data to a file on disk, and _that's it_.
  No database processes, no message queues, no bullshit. We're not serving a
  million users here, there's no reason to broaden the attack surface
  unnecessarily.

* Multi-platform support, including mobile. Our primary use-case here is our
  grocery list, which needs to be accessible by everyone everywhere.

I've already got a Nextcloud instance running at home, and there is certainly a
notes extension for it, so that could have been an option here. But Nextcloud
very much does not fall into the second point above: it's not simple. It's a
giant PHP app that uses Postgres as a backend, has its own authentication and
session system, and has a plugin system. Frankly, it was easily the biggest
security hole on the entire server, and I wasn't eager to add usage to it.

Happily, I found another solution.

## WebDAV

There's a project called [Joplin](https://joplinapp.org/) which implements a
markdown-based notes system with clients for Android, iPhone, Linux, Mac, and
Windows. Somewhat interestingly there is _not_ a web client for it, but on
further reflection I don't think that's a big deal... no bloated javascript
frameworks to worry about at least.

In addition to their own cloud backend, Joplin supports a number of others, with
the most interesting being WebDAV. WebDAV is an XML-based extension to HTTP
which allows for basic write operations on the server-side, and which uses
HTTP's basic auth for authentication. You can interact with it using curl if you
like, it really can't get simpler.

[Caddy](https://caddyserver.com/) is the server I use to handle all incoming
HTTP requests to my server, and luckily there's a semi-official
[WebDAV](https://github.com/mholt/caddy-webdav) plugin which adds WebDAV
support. With that compiled in, the `Caddyfile` configuration is nothing more
than:

```
hostname.com {

    route {

        basicauth {
            sharedUser sharedPassword
        }


        webdav {
            root /data/webdav
        }

    }

}
```

With that in place, any Joplin client can be pointed at `hostname.com` using the
shared username/assword, and all data is stored directly to `/data/webdav` by
Caddy. Easy-peasy.

## CardDAV/CalDAV

Where WebDAV is an extension of HTTP to allow for remotely modifying files
genearlly, CardDAV and CalDAV are extensions of WebDAV for managing remote
stores of contacts and calendar events, respectively. At least, that's my
understanding.

Nextcloud has its own Web/Card/CalDAV service, and that's what I had been, up
till this point, using for syncing my contacts and calendar from my phone. But
now that I was setting up a separate WebDAV endpoint, I figured it'd be worth
setting up a separate Card/CalDAV service and get that much closer to getting
off Nextcloud entirely.

There is, as far as I know, no Card or CalDAV extension for Caddy, so I'd still
need a new service running. I came across
[radicale](https://radicale.org/v3.html), which fits the bill nicely. It's a
simple CalDAV and CardDAV server which saves directly to disk, much like the
Caddy WebDAV plugin. With that running, I needed only to add the following to my
`Caddyfile`, above the `webdav` directive:

```
handle /radicale/* {

    uri strip_prefix /radicale

    reverse_proxy 127.0.0.1:5454 {
        header_up X-Script-Name /radicale
    }

}
```

Now I could point the [DAVx5](https://www.davx5.com/) app on my phone to
`hostname.com/radicale` and boom, contact and calendar syncing was within reach.
I _did_ have a lot of problems getting DAVx5 working properly, but those were
more to do with Android than self-hosting, and I eventually worked through them.

## Passwords

At this point I considered that the only thing I was still really using
Nextcloud for was password management, a la Lastpass or 1Password. I have a lot
of gripes with Nextcloud's password manager, in addition to my aforementioned
grips with Nextcloud generally, so I thought it was worth seeing if some DAV or
another could be the final nail in Nextcloud's coffin.

A bit of searching around led me to [Tusk](https://subdavis.com/Tusk/), a chrome
extension which allows the chrome browser to fetch a
[KeePassXC](https://keepassxc.org/) database from a WebDAV server, decode it,
and autofill it into a website. Basically perfect. I had only to export my
passwords from Nextcloud as a CSV, import them into a fresh KDBX file using the
KeePassXC GUI, place the file in my WebDAV folder, and point Tusk at that.

I found the whole experience of using Tusk to be extremely pleasant. Everything
is very well labeled and described, and there's appropriate warnings and such in
places where someone might commit a security crime (e.g. using the same password
for WebDAV and their KDBX file).

My one gripe is that it seems to be very slow to unlock the file in practice. I
don't _think_ this has to do with my server, as Joplin is quite responsive, so
it could instead have to do with my KDBX file's decryption difficulty setting.
Perhaps Tusk is doing the decryption in userspace javascript... I'll have to
play with it some.

But it's a small price to be able to turn off Nextcloud completely, which I have
now done. I can sleep easier at night now, knowing there's not some PHP
equivalent to Log4j which is going to bite me in the ass one day while I'm on
vacation.