# Radicale (CalDAV/CardDAV) served through an nginx TLS reverse proxy, with
# sops-managed credentials, persisted state and a restic backup job.
{
  povSelf,
  hostConfig,
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib) types;

  # This module's own option values, looked up at the attribute path given by povSelf.
  cfg = lib.getAttrFromPath povSelf config;

  # User/group of the radicale unit, reused for file ownership below.
  radicaleUnit = config.systemd.services.radicale.serviceConfig;

  # Public name of the nginx virtual host and of the DNS record.
  vhostName = "${cfg.subdomain}.${cfg.domain}";
in
{
  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    domain = {
      type = types.str;
      default = "zaphyra.eu";
    };
    subdomain = {
      type = types.str;
      default = "dav";
    };
  };

  config = lib.mkIf cfg.enable {
    # <subdomain>.<domain> is a CNAME to this host's FQDN (the trailing dot makes it absolute).
    dns.zones.${cfg.domain}.subdomains.${cfg.subdomain}.CNAME = [ "${config.networking.fqdn}." ];

    # Persist the collection store across reboots.
    # NOTE(review): 0770 makes the store group-writable. Confirm the radicale group
    # has no other members, or tighten the mode if the impermanence module allows it.
    modules.filesystem.impermanence.system.dirs = [
      {
        directory = "/var/lib/radicale";
        mode = "0770";
        user = radicaleUnit.User;
        group = radicaleUnit.Group;
      }
    ];

    # After= only orders startup. It does not make radicale fail or wait if the
    # secrets unit is missing or fails.
    systemd.services.radicale.after = [ "sops-install-secrets.service" ];

    sops.secrets = {
      # NOTE(review): no owner is set, so the sops-nix defaults apply. Confirm the
      # backup job, which is configured with the radicale user below, can read it.
      "resticPasswords/radicale" = { };

      # htpasswd file read by Radicale. The unit restarts when the secret changes.
      radicaleUsers = {
        owner = radicaleUnit.User;
        restartUnits = [ "radicale.service" ];
      };
    };

    # Back up whatever folder Radicale is configured to store collections in.
    modules.services.resticBackup.paths.radicale = {
      enable = true;
      user = radicaleUnit.User;
      passwordFile = config.sops.secrets."resticPasswords/radicale".path;
      paths = [ config.services.radicale.settings.storage.filesystem_folder ];
    };

    services.radicale = {
      enable = true;
      settings = {
        # Loopback only: TLS and external exposure are left to nginx below.
        server.hosts = [ "[::1]:5232" ];
        web.type = "internal";
        storage.filesystem_folder = "/var/lib/radicale";

        # NOTE(review): the wildcard lets any web origin read responses from this
        # server. If no browser-based client needs cross-origin access, drop the
        # header or name the specific origin.
        headers.Access-Control-Allow-Origin = "*";

        auth = {
          type = "htpasswd";
          htpasswd_filename = config.sops.secrets.radicaleUsers.path;
          # NOTE(review): "plain" means the decrypted htpasswd file holds cleartext
          # passwords, so anything that can read it learns every user's password.
          # Prefer a hashed scheme (e.g. "bcrypt"). That requires regenerating the
          # radicaleUsers secret with hashed entries at the same time.
          htpasswd_encryption = "plain";
        };
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts.${vhostName} = {
        # Reuses the certificate issued for the host's FQDN.
        # presumably that certificate also covers this vhost's name; verify in the ACME config
        useACMEHost = "${config.networking.fqdn}";
        forceSSL = true;
        kTLS = true;
        # Plain HTTP over loopback to the Radicale backend.
        locations."/".proxyPass = "http://[::1]:5232/";
      };
    };
  };
}