I use radicale. Safe and solid. Zero php.
You need to install a separate app if you want a web based calendar ui, or you can just use dav5x on android or any other caldav client.
this post was submitted on 05 Jun 2025
31 points (89.7% liked)
Selfhosted
46672 readers
367 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Thanks for the tip. Already set it up. I like it - does just what I need and not much more. And the web UI can be disabled.
Radicale is indeed excellent. Light and safe. I use it for an association!
Security in software is about implementation, not different programming languages. Security as a whole is also not something you can achieve just by installing "secure" software - every software has bugs and vulnerabilities. Some of them are known, others are unknown and not every one of them automatically poses a security risk to you, this depends on the bug, your usage and environment. You can try to harden your system, but you need to do this in layers and the application code is just one of them.
For example, you could geoblock IP addresses so their requests never even reach your application. This does not mean that you're automatically safe from attackers from e.g. Russia, but you make yourself a less easy target.
There are many other defense mechanisms like request limiting, dynamically blocking malicious requests with something like Fail2Ban, strong authentication, frequent patching, network segregation, virtualization, and so on. I hope you see where I'm going. Security is complex and depends a lot on your personal threat model.
That being said, if you need to know how secure the code of a given software is, you need to find something that has recently been audited or audit it yourself.
I think Radicale, Baikal, SabreDAV or NextCloud are the most common choices. I read those names a lot.
But I believe only one of those isn't written in PHP.
I'd really recommend digging into the "hacking" though. Unless you learn from your specific mistakes and avoid that in the future, you might run in to the exact same issue again. And I mean it could be a security flaw in the program code of the WebDAV server. But it could as well be a few dozen other reasons why your server wasn't secure... (Missing updates, insecure passwords, missing fail2ban, a webserver or reverse proxy, unrelated other software... There are a lot of moving gears in a webserver and lots of things to consider.)
Good choice. I've been running Radicale for years, reverse proxied behind Caddy, and it's been solid.
Compatibility with Android usually means running DAVx⁵
https://f-droid.org/packages/at.bitfire.davdroid/
A larger package than just CalDAV and CardDAV would be to look into Gromox with Grommunio-DAV.
It's on my "I should check this out" list, so no personal experience.
https://github.com/grommunio/gromox
https://github.com/grommunio/grommunio-dav
They also have support for Exchange ActiveSync through another optional addon
https://github.com/grommunio/grommunio-sync
Back when I started this compatibility with clients was an issue; but I don't use Android anymore. In any case, is this still an issue?
Um... How are we supposed to tell you if your unnamed DAV client will have problems with your unnamed new DAV server? Works fine for me.
There used to be a mismatch between the spec and Google’s implementation of it.
If you're self hosting, why use anything Google?
I don't use Google apps, my calendar apps aren't even on Play, and don't use any Google processes.
I've been using Nextcloud for almost a decade (started with Owncloud), publicly exposed to the internet with no VPN, and I've had no issues with security or with DAV. I do nothing special besides keeping it up to date (And using strong passwords, I guess)
I've been using NC for about the same amount of time and I will say I'm no longer as happy with it as I once was, primarily because it's a mess of PHP, gum and popsicle sticks held together by me going in there every 3 upgrades to fix 'occ missing indices', add a sql table or some such error.
The caldav integration did allow me to break free from google some more, and it works well, but I've since moved file sync to syncthing and I'm looking for a standalone caldav solution.
My journey⋮ Nextcloud ---> syncthing + radicale
Much simpler, easier to maintain, less resources needed
Thank you, I'll try radicale.
What's wrong with following the official upgrade procedure? Don't complain about missing tables or indices then.
The most important thing is that the software does not break and you can maneuver out of every bad situation. This is important for self-hosting.
I don't care if it's PHP. Many good things are written in PHP. I find Python and Ruby much worse for web applications. Not because of the language, but because it's hard to maneuver out of some situations.
That said I didn't have many problems with Nextcloud. The only thing I criticize is that it solves too many problems at once.
I'm not sure what gave you the impression I don't follow the official procedure, I do follow the official upgrade procedure, and always have through its many stupid iterations for the last 8 years.
Example error, from last week:
Devs did not test with NC instances created before v21.x, so the SQL db is broken when going through the official upgrade if your nc has the old structure and I had to manually modify the actual db to work.
This kind of shit happens about twice a year. Mind you, this exact literal thing happened from v18.x to 19.x also, you'd think they has learned their lesson.
And php itself is fine. Not the most secure way to build a webapp, but fine. However, upgrading PHP on various platforms is an exercise in pulling your hair out.
Nextcloud is great when it's working. Most upgrades are fine. But when it poops the bed, it's another hour I can't get back. No other self-hosted software in my stack is like that.
So you seriously expect an upgrade from major version 20 or less to major version 31 going well?
It's like upgrading from Windows 3.1 to Windows 11.
You misread that.
The database was from prior to 21.x, because i installed NC 8 years ago at v14 and have upgraded since then. I've been upgrading the same system since late 2016.
Stop picking fights with strangers.
I personally don't like their kitchen sink approach.
I've never had any issues with Radicale, which is dead simple and lightweight. If you end up with Android again, DAVx5 has also never given me any trouble, and it also allows calendars to be cached offline. I'm not sure how you're having compatibility issues as I would think CalDAV is a standard protocol?
If you're concerned about dependencies and security, why not use Docker or Podman? It makes most of self-hosting in general much simpler, and it's much easier to secure since it's containerized. With containers, even if a hacker somehow hacks your CalDAV server, they can only access the minimal resources that you've given the container. I use this repo for Radicale on Docker.
I’m not sure how you’re having compatibility issues as I would think CalDAV is a standard protocol?
There used to be a mismatch between the spec and Google's implementation of it.
Stalwart recently released CalDAV & CardDAV support, and it's what I use for mail. It's pretty secure by default too.