# NixOS module for the Radicale CalDAV/CardDAV service published at dav.zaphyra.eu.
# Enabling `zpha.websites."dav.zaphyra.eu".enable` wires up: the DNS record, the
# sops-managed secrets, a pinned uid/gid, persistence and off-host restic backups
# of the storage folder, Radicale itself (loopback only) and the TLS reverse proxy
# in front of it.
{
config,
lib,
...
}:
{
# Empty description string: the option appears without help text in generated docs.
options.zpha.websites."dav.zaphyra.eu".enable = lib.mkEnableOption "";
config = lib.mkIf config.zpha.websites."dav.zaphyra.eu".enable {
# dav.zaphyra.eu resolves to this host's FQDN (trailing dot = absolute name).
dns.zones."zaphyra.eu".subdomains."dav".CNAME = [ "${config.networking.fqdn}." ];
sops.secrets = {
# NOTE(review): no owner/mode is set on the two restic secrets, so they get the
# sops defaults (typically root-owned, 0400) while the backup below is configured
# to run as the radicale user — confirm resticBackup hands them over (e.g. via
# LoadCredential) or set `owner` on both.
"restic/radicale/repositoryPassword" = { };
"restic/radicale/sshPrivateKey" = { };
# htpasswd file for Radicale: owned by the Radicale service user, and
# radicale.service is restarted whenever the decrypted secret changes.
radicaleUsers = {
owner = config.systemd.services.radicale.serviceConfig.User;
restartUnits = [ "radicale.service" ];
};
};
# Pinned uid/gid so ownership of the persisted and backed-up data stays stable
# across rebuilds and restores on another host.
users = {
users.radicale.uid = 234;
groups.radicale.gid = 234;
};
common = {
# The storage folder is persisted across reboots; mode 700 keeps the calendar
# and contact data readable by the service user only.
configure.persist.system.dirs = lib.singleton {
mode = "700";
user = config.systemd.services.radicale.serviceConfig.User;
group = config.systemd.services.radicale.serviceConfig.Group;
directory = config.services.radicale.settings.storage.filesystem_folder;
};
# Off-host restic backups of the storage folder to two SSH targets, run as the
# radicale user so the backup can read the data without extra privileges.
services.resticBackup.radicale = {
user = config.systemd.services.radicale.serviceConfig.User;
enable = true;
targets = [
"restic-target.fc9f.de"
"isodon.fc9f.de"
];
sshKeyFile = config.sops.secrets."restic/radicale/sshPrivateKey".path;
passwordFile = config.sops.secrets."restic/radicale/repositoryPassword".path;
paths = [ config.services.radicale.settings.storage.filesystem_folder ];
};
};
services = {
radicale = {
enable = true;
settings = {
# Loopback only: Radicale is reachable solely through the nginx vhost below,
# which terminates TLS for the public hostname.
server.hosts = [ "[::1]:5232" ];
web.type = "internal";
storage.filesystem_folder = "/var/lib/radicale";
# NOTE(review): wildcard CORS on an authenticated DAV endpoint. Browsers reject
# credentialed cross-origin requests when the origin is `*`, so this mainly
# affects clients that set the Authorization header themselves; if only one known
# web client needs cross-origin access, restrict this to that origin.
headers.Access-Control-Allow-Origin = "*";
auth = {
type = "htpasswd";
htpasswd_filename = config.sops.secrets.radicaleUsers.path;
# NOTE(review): "plain" means the decrypted htpasswd file holds cleartext
# passwords on disk — sops protects them in the repository, not at runtime.
# Radicale also accepts hashed htpasswd entries (e.g. bcrypt); switching requires
# regenerating the radicaleUsers secret with hashed lines, so it is only flagged here.
htpasswd_encryption = "plain";
};
};
};
# Public TLS front for Radicale. Reuses the host's ACME certificate; this assumes
# that certificate covers dav.zaphyra.eu (SAN or wildcard) — TODO confirm.
nginx.virtualHosts."dav.zaphyra.eu" = {
useACMEHost = config.networking.fqdn;
forceSSL = true;
kTLS = true;
# Upstream is the first (and only) Radicale listen address, i.e. http://[::1]:5232/.
# NOTE(review): no X-Forwarded-For/Host headers are set on this location, so unless
# nginx's recommendedProxySettings is enabled elsewhere Radicale sees ::1 as every
# client — relevant if its auth-failure logs feed fail2ban or incident forensics.
locations."/".proxyPass = "http://${lib.elemAt config.services.radicale.settings.server.hosts 0}/";
};
};
};
}