nixos/system/modules/radicale.nix

{ config, pkgs, ... }:

let
  internalPort = 5232;

  radicaleOverlay = self: super: {
    #radicaleWithInfcloud = super.radicale.overrideAttrs (old: {
    #  propagatedBuildInputs = old.propagatedBuildInputs ++ [
    #    pkgs.python3Packages.radicale_infcloud
    #  ];
    #});
    radicaleWithInfcloud = super.radicale.override {
      python3 = super.python3.withPackages
        (packages: with packages; [ bcrypt radicale_infcloud ]);
    };
  };

in {

  nixpkgs.overlays = [ radicaleOverlay ];

  services.radicale = {
    enable = true;
    package = pkgs.radicaleWithInfcloud;
    settings = {
      server = {
        hosts = [ "[::1]:${builtins.toString internalPort}" ];
        max_connections = 8;
        max_content_length = 100000000;
        timeout = 30;
      };
      auth = {
        type = "htpasswd";
        htpasswd_filename = "/etc/radicale/users";
        htpasswd_encryption = "bcrypt";
        delay = 1;
      };
      encoding = {
        request = "utf-8";
        stock = "utf-8";
      };
      storage = { filesystem_folder = "/var/lib/radicale/collections"; };
      web = { type = "radicale_infcloud"; };
      logging = { mask_passwords = true; };
    };
  };

  services.nginx.virtualHosts."cal.tammena.rocks" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://[::1]:${builtins.toString internalPort}";
      #proxyWebsockets = true; # needed if you need to use WebSocket
      #extraConfig =
      # required when the target is also TLS server with multiple hosts
      #"proxy_ssl_server_name on;" +
      # required when the server wants to use HTTP Authentication
      #"proxy_pass_header Authorization;";
    };
  };
}