
Host your own contacts and calendars and share them across devices - acidburnNSA
https://partofthething.com/thoughts/host-your-own-contacts-and-calendars-and-share-them-across-devices/
======
Nux
People looking for easier ways, Nextcloud/Owncloud already does this and you
also get file sync/backup/share for computer/smartphone and more as a
bonus; all you need is just a LAMP server.

~~~
octopoc
I have about 1TB of data that I tried to sync with NextCloud. The Windows
client crashed every night, so I finally gave up and moved to Syncthing. Has
anybody else had a similar experience?

~~~
dawnerd
For that much data rclone might be better.

------
tasn
While this is nice, and much better than using e.g Google, it is even better
to use an end-to-end encrypted solution. Messaging has undergone the same
transition in the last few years. Trusting the server, even if yours, is just
not enough.

I created [https://www.etesync.com](https://www.etesync.com) for that purpose
exactly, it does end-to-end encrypted sync for Android and desktop for your
contacts and calendar.

~~~
Tepix
When communicating with your own server using https, it is already end-to-end
encrypted.

~~~
tasn
While this may feel true, there are a few reasons why it's not.

1\. This assumes https can be trusted, that is, MITM is not a possibility.
This is a fair assumption for many people, but not for people who are scared
of state actors, which is common for journalists in and citizens of some
countries. - This can be mitigated to an extent with certificate pinning, but
I don't think all software supports it (correctly?) and it's another thing to
get wrong.

2\. This assumes your server is trusted. It is not. If it's hosted in a remote
location (e.g. VPS or even metal in a server farm), it can't be trusted. If
it's at your home, based on how much of a target you are, it can't be trusted.
Even if your server is physically secure, this assumes it won't be hacked, and
you should never assume a public facing server won't be.

Of course this all depends on your threat models, and this may not apply to
you, but https to your own server is definitely not the same, and given that
adding end-to-end is almost "free" for most users, it's a good idea to err
on the side of safety and just do it.

~~~
Tepix
Re: 1. You can deploy additional security measures such as certificate pinning
or a VPN tunnel to your CalDAV server if you have a high security requirement.

Re: 2. If your server is untrusted (because it's a remote virtual server) or
hacked, e2e will not protect you.

~~~
tasn
1\. That's exactly what I said, though you are just patching a broken system
here, why not just use a system that's resilient to all of this in the first
place like with end to end?

2\. How so? EteSync for example has a git like integrity verification (just
with HMAC instead of hash), so it's easy to check consistency across clients,
and the server can't forge anything. The worst the server/MITM can do is stop
syncing a specific client which would be easy to detect. A rogue server can't
even omit specific changes, only stop sync. So I don't agree with your
assertion.
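
The chained-HMAC integrity check described in the comment above, as an added example that is not part of the thread and is not EteSync's code or wire format. The function names, the all-zero genesis value, the key and the journal entries are constructed for illustration; the key is assumed to be held only by the clients.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # constructed starting value for the chain (assumption)


def entry_uid(key, prev_uid, content):
    """uid = HMAC-SHA256(key, prev_uid || content); the server never sees key."""
    return hmac.new(key, prev_uid + content, hashlib.sha256).digest()


def append(key, journal, content):
    prev = journal[-1][0] if journal else GENESIS
    journal.append((entry_uid(key, prev, content), content))


def verify(key, journal, last_known_uid=None):
    """Return 'ok', 'tampered' (bad link) or 'stale' (our last uid is missing)."""
    prev = GENESIS
    seen_known = last_known_uid is None
    for uid, content in journal:
        if not hmac.compare_digest(uid, entry_uid(key, prev, content)):
            return "tampered"
        prev = uid
        seen_known = seen_known or uid == last_known_uid
    return "ok" if seen_known else "stale"


def demo():
    key = b"constructed-demo-key-held-by-clients-only"
    journal = []
    for change in (b"ADD contact alice", b"ADD event dentist", b"DEL contact alice"):
        append(key, journal, change)
    forged = journal[:2] + [(journal[2][0], b"DEL contact bob")]
    withheld = journal[:2]  # server stops syncing: tail is held back
    return {
        "honest": verify(key, journal),
        "omitted": verify(key, [journal[0], journal[2]]),  # middle entry dropped
        "forged": verify(key, forged),  # content swapped without the key
        "withheld": verify(key, withheld, last_known_uid=journal[0][0]),
        "rollback": verify(key, journal[:1], last_known_uid=journal[1][0]),
        # A held-back tail still verifies; it shows up when clients compare heads.
        "heads_differ": withheld[-1][0] != journal[-1][0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
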

------
willhackett
I've done this before. It becomes tedious to maintain, but I can imagine
myself doing it again in the future to allow me to do what cannot be done in
the common clouds (iCloud, G Suite, O365).

I would love a whitelist-only inbox. I'm sick of spam, marketing mail, etc.
I'd like one public email address that catches all the garbage. Then, I'd like
a private email address that accepts emails from my contacts, and bounces the
rest.

~~~
a3n
> Then, I'd like a private email address that accepts emails from my contacts,
> and bounces the rest.

You're doomed. Because at least one of your correspondents is going to upload
their contacts to some service, and that service is now aware of you.

~~~
jazoom
I think OP intends that mailbox to be the one that only accepts mail from a
whitelist of addresses.

------
dijit
I've been using radicale[0] for this for some time, it's a bit quirky with
thunderbird but I've had tremendous success with Apple Calendar for iOS and
the Contacts application.

And it's using standards (CardDAV, CalDAV) so you can be somewhat secure in
the knowledge that other programs can implement the protocol (or should). :)

[0]: [http://radicale.org/](http://radicale.org/)

EDIT: I guess I should have read the post, but either way I'm going to keep
this comment up as a review of the software.

------
sqeezy
Check out Mailinabox. This project does most of it for you.
[https://mailinabox.email/](https://mailinabox.email/)

~~~
jacquesm
That's nice, thank you for the link.

------
upofadown
After spending way too much time messing around with stuff like DAV and
syncing using same, my current scheduling and reminder system is based on
this:

* [https://www.roaringpenguin.com/products/remind/](https://www.roaringpenguin.com/products/remind/)

Every day at 6am my server runs a cron job. If there are appointments I get an
email and an SMS. The server also makes a unique noise over the house PA
system (I live alone) but that is mostly because I can.

~~~
Rjevski
What exactly was wrong with a DAV server? I can't imagine it being more
complicated than what you've settled with.

~~~
peterwwillis
DAV was always incredibly unreliable when you tried to host it yourself.
Remember the original web servers + browsers, as one would support some new
feature and another would break it? It was like that.

SyncML was pretty rock solid and interoperable when you could find support for
it, but the damn thing was such a nightmare to implement that the only open
source implementations were buried inside groupware solutions.

------
gravypod
Something I've been looking for is a web service and android app that I can
self-host that will allow me to read and send SMSs from my desktop. The
important thing here is self hosted.

I think something like this would be really useful. I've seen services that
provide this via a 3rd party hosted service but I don't trust someone at some
random company not to read my messages.

~~~
kobeya
> I think something like this would be really useful. I've seen services that
> provide this via a 3rd party hosted service but I don't trust someone at
> some random company not to read my messages.

... do you know how SMS works? Specifically that it is sent in plaintext for
anyone who cares to listen anywhere along the path?

Maybe try Signal. It has a desktop app.

~~~
gravypod
> ... do you know how SMS works?

Yes. Does making a bad situation worse help anyone?

I'd use Signal/RedPhone if even 5% of my contacts knew what that was.

------
garrickvanburen
I started with Radicale a few years back (5+?). I found it too brittle, and
switched to Baikal - [http://baikal-server.com/](http://baikal-server.com/) .
I've been very pleased with Baikal since the switch (again, 5+)

~~~
acidburnNSA
Baikal was going to be my second choice but I never got there because Radicale
went pretty well.

------
CaptSpify
I've been trying to do this with inf-cloud, and baikal

[https://www.inf-it.com/open-source/clients/infcloud/](https://www.inf-it.com/open-source/clients/infcloud/)

[https://github.com/fruux/Baikal](https://github.com/fruux/Baikal)

It mostly works so far, but I'm definitely looking for a simpler, easier to
implement solution. I looked at Radicale before, but I forget why I passed it
over. I'll have to look into this.

------
Sir_Cmpwn
Don't redact information with a blur filter! It can be reversed! Use solid
color boxes.

~~~
acidburnNSA
Gaussian blur can be reversed? I assumed it was destructive. Thanks for the
tip.

~~~
Sir_Cmpwn
[http://yuzhikov.com/articles/BlurredImagesRestoration1.htm](http://yuzhikov.com/articles/BlurredImagesRestoration1.htm)

------
opinsky
How would it work for email invitations automatically being added as calendar
entries?

~~~
synchrone
There is a message-based interoperability protocol for iCalendar:
[https://datatracker.ietf.org/doc/rfc5546/](https://datatracker.ietf.org/doc/rfc5546/)
and
[https://datatracker.ietf.org/doc/rfc6047/](https://datatracker.ietf.org/doc/rfc6047/).

This is what Google Mail + Calendar are using, including features like RSVP,
etc. It's all there, just passing iCal objects around.

------
loa_in_
The only thing I miss in Google's thing is ability to allow people w/o tech
savviness and w/o google account to sporadically add things to my calendar and
have them marked as unconfirmed (like semi-transparent). I don't care if
they'll receive any further info, I want people to add their things to my
life.

The subject of "who the hell isn't tech savvy enough and doesn't have an
account already" is quickly answered with: I'm an uncle, my niece knows her
way around the computer and knows the calendar, but has no idea why'd she need
an e-mail account, and wouldn't bother to even try at this point.

------
rebootthesystem
I've been looking at Zimbra
[[https://www.zimbra.com/](https://www.zimbra.com/)] for a while. I like the
general idea of the product. Even the free version is feature-filled. My only
problem with it is that it seems to be a resource hog. You'd have to get a
fairly fat Linode to run it.

I've used garden variety email hosting auto-magically set up on VPS's from such
luminaries as GoDaddy without problems for many years. I have never worried
about how to set up an email server, just get a cheap VPS, set up email
addresses and you are good to go. Given this experience I have to admit to not
understanding why Zimbra is so fat.

~~~
jeremye77
I'm a fan of Zimbra. In reality...a Linode 4096 handles 5 "normal" users just
fine, and a few here and there users, possibly more...that was all I needed.
Tack on Z-push and you have a nice Activesync implementation as well. Then it
is just like gmail just plugin the server and password and calendar, contacts,
email, and whatnot all sync as you would expect.
[http://z-push.org/](http://z-push.org/)

~~~
rebootthesystem
I probably have a dozen email addresses across five companies that I need to
manage. I thought Zimbra would be the answer but server requirements
skyrocket quickly.

------
dvfjsdhgfv
> I’m trying to learn ways to minimize my reliance upon large companies for
> handling my day-to-day personal data.

Except that the moment you "share them across devices", at least one large
company will silently grab your contacts anyway. And several others will try
to, too, with one excuse or another.

~~~
jeeva
To be fair, though, I read this as "I don't want a company closing
down/sunsetting a service to end my ability to sync my data", not "I don't
want companies to have my data".

So though you have a point, I don't think it goes against the post.

~~~
acidburnNSA
Thanks, this is primarily what I was going for. I'm also trying to be just a
bit harder to snoop on but do realize that I'm nowhere near unsnoopable.

------
miguelrochefort
What about my contacts on Facebook, Google, Microsoft, Apple, Instagram,
Twitter, LinkedIn, Skype, Snapchat, WhatsApp, WeChat, etc.

~~~
OJFord
At least some of those services will export vCards, which I assume Radicale
can import, though I haven't used it.

~~~
acidburnNSA
Radicale is really just the server and doesn't have its own import
functionality. Instead, the clients support importing vCards. In the article,
the CardBook Thunderbird plugin was used for this purpose.

------
the_common_man
Cloudron and yunohost have radicale, email and nextcloud. Sandstorm lacks all
of them, last I checked.

~~~
orblivion
Radicale for Sandstorm:
[https://apps.sandstorm.io/app/8kr4rvyrggvzfvc160htzdt4u5rfvj...](https://apps.sandstorm.io/app/8kr4rvyrggvzfvc160htzdt4u5rfvjc2dgdn27n5pt66mxa40m1h)

------
bedros
anyone has experience with this

[https://roundcube.net/about/#features](https://roundcube.net/about/#features)

I'm looking into a similar solution, and found roundcube.net features to be
exactly what I need

------
epcim
honestly win-win in 2017 would be to securely orchestrate personal
cal,dns,mail,notes,drive on one of the container hosting platform for
reasonable cost.

while doable. cost is still far more common shared hosting or accepting a mail
on google.

------
philtar
You lack critical reading skills.

His concern is not that the companies would grab a copy, his concern is that
he used to rely on them for syncing. He no longer has to rely on them. Google
can shut down calendar and contacts and he would still be fine.

~~~
sctb
We detached this subthread from
[https://news.ycombinator.com/item?id=14837015](https://news.ycombinator.com/item?id=14837015)
and marked it off-topic.

~~~
philtar
You are too sensitive. My statement was literally (and I do mean literally) an
objective statement of fact. Nothing more nothing less.

This ultra-politically correct mentality is what makes it hard to battle
people like Trump.

~~~
sctb
The comment violates the guidelines by jumping to a personal attack with “You
lack critical reading skills.” We need you to not do that when commenting
here.

------
cs702
Hosting calendar and contacts on a personal server accessible over the web
smells like a potential security nightmare to me. For example, how do you make
sure that whatever third party tool you use to sync your phone with the web
server has been well designed to protect against a large attack surface?

~~~
acidburnNSA
I'm sure it's a bit dangerous, but when you run it as done in the article,
behind an Apache Reverse Proxy with Apache authentication, you're relying
hugely on Apache for the sync security, and that has been well designed to
protect against a very large attack surface.

Another advantage is that you're just different. So if someone (or some State)
attacks a commonly-used service, this will be protected simply by being
different.

