nixos/modules/radicale.nix

{
  pkgs,
  config,
  lib,
  ...
}: let
  internalPort = 5232;
  cfg = config.services.radicaleWithInfcloud;

  sopsPath = key: config.sops.secrets.${key}.path;

  htpasswd_filename = "/etc/radicale/users";
in {
  options.services."radicaleWithInfcloud" = with lib; {
    enable =
      mkEnableOption "Radicale service with Infcloud frontend and nginx config";
  };

  config = lib.mkIf cfg.enable {
    services.radicale = {
      enable = true;
      settings = {
        server = {
          hosts = ["[::1]:${builtins.toString internalPort}"];
          max_connections = 8;
          max_content_length = 100000000;
          timeout = 30;
        };
        auth = {
          inherit htpasswd_filename;
          type = "htpasswd";
          htpasswd_encryption = "bcrypt";
          delay = 1;
        };
        encoding = {
          request = "utf-8";
          stock = "utf-8";
        };
        storage = {filesystem_folder = "/var/lib/radicale/collections";};
        logging = {mask_passwords = true;};
      };
    };
    # Make sure our service user can access the `htpasswd_filename` file
    systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];

    sops.secrets."radicale-htpasswd" = {
      owner = config.systemd.services.radicale.serviceConfig.User;
      mode = "0400";
      path = htpasswd_filename;
    };
    sops.secrets."certificate-key-cal-tammena-me" = {
      owner = "nginx";
      mode = "0400";
    };

    # Enable nginx proxy with ACME
    services.nginx.virtualHosts."cal.tammena.me" = let
      certificateName = "cal-tammena-me";
    in {
      forceSSL = true;
      sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
      sslCertificateKey = sopsPath "certificate-key-${certificateName}";
      sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
      locations."/" = {
        proxyPass = "http://[::1]:${builtins.toString internalPort}";
      };
    };
  };
}
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`{`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`pkgs,`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`config,`
			`lib,`
			`...`
			`}: let`
Configure radicale 2021-06-10 20:56:40 +02:00			`internalPort = 5232;`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`cfg = config.services.radicaleWithInfcloud;`
[achatina-fulica] Setup Infcloud for Radicale 2021-12-16 17:29:40 +01:00
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`sopsPath = key: config.sops.secrets.${key}.path;`

Add radicale user script 2021-11-03 14:50:37 +01:00			`htpasswd_filename = "/etc/radicale/users";`
Configure radicale 2021-06-10 20:56:40 +02:00			`in {`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`options.services."radicaleWithInfcloud" = with lib; {`
			`enable =`
			`mkEnableOption "Radicale service with Infcloud frontend and nginx config";`
			`};`

			`config = lib.mkIf cfg.enable {`
			`services.radicale = {`
			`enable = true;`
			`settings = {`
			`server = {`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`hosts = ["[::1]:${builtins.toString internalPort}"];`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`max_connections = 8;`
			`max_content_length = 100000000;`
			`timeout = 30;`
			`};`
			`auth = {`
			`inherit htpasswd_filename;`
			`type = "htpasswd";`
			`htpasswd_encryption = "bcrypt";`
			`delay = 1;`
			`};`
			`encoding = {`
			`request = "utf-8";`
			`stock = "utf-8";`
			`};`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`storage = {filesystem_folder = "/var/lib/radicale/collections";};`
			`logging = {mask_passwords = true;};`
Configure radicale 2021-06-10 20:56:40 +02:00			`};`
			`};`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			# Make sure our service user can access the `htpasswd_filename` file
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];`
Configure radicale 2021-06-10 20:56:40 +02:00
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`sops.secrets."radicale-htpasswd" = {`
			`owner = config.systemd.services.radicale.serviceConfig.User;`
			`mode = "0400";`
			`path = htpasswd_filename;`
			`};`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`sops.secrets."certificate-key-cal-tammena-me" = {`
			`owner = "nginx";`
			`mode = "0400";`
			`};`
[host/achatina-fulica] R.I.P I dropped the VPS instance. Grafana and Radicale have been moved to cornu-aspersum. [module/radicale] Improved the module, used secrets. 2022-01-14 17:24:43 +01:00
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`# Enable nginx proxy with ACME`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`services.nginx.virtualHosts."cal.tammena.me" = let`
			`certificateName = "cal-tammena-me";`
			`in {`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`forceSSL = true;`
feat: rework nginx certificates 2023-09-21 16:05:17 +02:00			`sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);`
			`sslCertificateKey = sopsPath "certificate-key-${certificateName}";`
			`sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`locations."/" = {`
			`proxyPass = "http://[::1]:${builtins.toString internalPort}";`
			`};`
Configure radicale 2021-06-10 20:56:40 +02:00			`};`
			`};`
			`}`