# NixOS module for the Radicale CalDAV/CardDAV site "dav.zaphyra.eu":
# a loopback-only Radicale instance behind an nginx TLS virtual host, with
# sops-managed secrets, persisted storage and restic backups.
{ config, lib, ... }:

let
  cfg = config.zpha.websites."dav.zaphyra.eu";

  # Account the radicale unit runs as; reused for file ownership and backups.
  unit = config.systemd.services.radicale.serviceConfig;

  # Collection storage; the same path is persisted and backed up.
  dataDir = config.services.radicale.settings.storage.filesystem_folder;

  secrets = config.sops.secrets;
in
{
  options.zpha.websites."dav.zaphyra.eu".enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
    dns.zones."zaphyra.eu".subdomains."dav".CNAME = [ "${config.networking.fqdn}." ];

    # NOTE(review): the two restic secrets set no owner, while the backup job
    # below is configured with the radicale user. Confirm the resticBackup
    # module makes both files readable to that user.
    sops.secrets."restic/radicale/repositoryPassword" = { };
    sops.secrets."restic/radicale/sshPrivateKey" = { };

    # Credential file read by Radicale itself: owned by the service user, and
    # the service is restarted when the secret changes.
    sops.secrets.radicaleUsers = {
      owner = unit.User;
      restartUnits = [ "radicale.service" ];
    };

    # Fixed ids; presumably so ownership of the persisted directory stays
    # stable across rebuilds (confirm).
    users.users.radicale.uid = 234;
    users.groups.radicale.gid = 234;

    # Persist the collection storage. Mode 700 leaves it accessible only to
    # the service user.
    common.configure.persist.system.dirs = [
      {
        mode = "700";
        user = unit.User;
        group = unit.Group;
        directory = dataDir;
      }
    ];

    # Backups run as the service user, with the key and repository password
    # taken from the sops secrets declared above.
    common.services.resticBackup.radicale = {
      enable = true;
      user = unit.User;
      targets = [
        "restic-target.fc9f.de"
        "isodon.fc9f.de"
      ];
      sshKeyFile = secrets."restic/radicale/sshPrivateKey".path;
      passwordFile = secrets."restic/radicale/repositoryPassword".path;
      paths = [ dataDir ];
    };

    services.radicale = {
      enable = true;
      settings = {
        # Loopback only; clients reach the service through the nginx vhost below.
        server.hosts = [ "[::1]:5232" ];
        web.type = "internal";
        storage.filesystem_folder = "/var/lib/radicale";

        # NOTE(review): "*" lets a page on any origin read responses from this
        # host. Confirm which browser-based clients need CORS and list only
        # their origins if possible.
        headers.Access-Control-Allow-Origin = "*";

        auth = {
          type = "htpasswd";
          htpasswd_filename = secrets.radicaleUsers.path;
          # NOTE(review): "plain" means the decrypted htpasswd file holds the
          # passwords in cleartext, so anyone who can read it or the sops
          # source gets usable credentials. Radicale also accepts hashed
          # entries (for example "bcrypt"). Switching requires regenerating
          # the radicaleUsers secret in that format.
          htpasswd_encryption = "plain";
        };
      };
    };

    # TLS is terminated here. The hop to Radicale is plain HTTP over loopback.
    services.nginx.virtualHosts."dav.zaphyra.eu" = {
      useACMEHost = config.networking.fqdn;
      forceSSL = true;
      kTLS = true;
      # Proxy to the first (and only configured) Radicale listen address.
      locations."/".proxyPass = "http://${lib.elemAt config.services.radicale.settings.server.hosts 0}/";
    };
  };
}