1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
{
povSelf,
hostConfig,
config,
pkgs,
lib,
...
}:
let
inherit (lib) types;
cfg = lib.getAttrFromPath povSelf config;
in
{
options = {
enable = {
type = types.bool;
default = false;
};
domain = {
type = types.str;
default = "zaphyra.eu";
};
subdomain = {
type = types.str;
default = "dav";
};
};
config = lib.mkIf cfg.enable {
dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
modules.filesystem.impermanence.system.dirs = [
{
directory = "/var/lib/radicale";
mode = "0770";
user = config.systemd.services.radicale.serviceConfig.User;
group = config.systemd.services.radicale.serviceConfig.Group;
}
];
systemd.services.radicale.after = [ "sops-install-secrets.service" ];
sops.secrets = {
"resticPasswords/radicale" = { };
radicaleUsers = {
owner = config.systemd.services.radicale.serviceConfig.User;
restartUnits = [ "radicale.service" ];
};
};
modules.services.resticBackup.paths = {
radicale = {
enable = true;
user = config.systemd.services.radicale.serviceConfig.User;
passwordFile = config.sops.secrets."resticPasswords/radicale".path;
paths = [ config.services.radicale.settings.storage.filesystem_folder ];
};
};
services = {
radicale = {
enable = true;
settings = {
server.hosts = [ "[::1]:5232" ];
web.type = "internal";
storage.filesystem_folder = "/var/lib/radicale";
headers.Access-Control-Allow-Origin = "*";
auth.type = "htpasswd";
auth.htpasswd_filename = config.sops.secrets.radicaleUsers.path;
auth.htpasswd_encryption = "plain";
};
};
nginx = {
enable = true;
virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
useACMEHost = "${config.networking.fqdn}";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://[::1]:5232/";
};
};
};
};
}