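# NixOS module: Radicale CalDAV/CardDAV server with the InfCloud web
# frontend, published through an nginx reverse proxy with ACME TLS.
# The InfCloud source is pinned to the revision recorded in ../flake.lock,
# and the htpasswd credentials file is provisioned by sops-nix.
{ config, pkgs, lib, ... }:

let
  cfg = config.services.radicaleWithInfcloud;

  # Port Radicale listens on.  It is bound to the IPv6 loopback only, so
  # the backend is reachable solely through the nginx virtual host below.
  internalPort = 5232;

  # Read the flake lock so the InfCloud source and its fixed-output hash
  # stay pinned to exactly what the flake input resolves to.
  lock = builtins.fromJSON (builtins.readFile ../flake.lock);
  infcloudNode = lock.nodes.radicale_infcloud.locked;

  radicale_infcloud = pkgs.python3.pkgs.radicale_infcloud.overrideAttrs (old: {
    pname = infcloudNode.repo;
    version = infcloudNode.rev;
    src = pkgs.fetchFromGitHub {
      inherit (infcloudNode) owner repo rev;
      # The lock file's narHash (SRI form) is used as the fixed-output hash.
      sha256 = infcloudNode.narHash;
    };
    # Remove depend on radicale to fix infinite recursion
    # and set some of my own settings
    patches = (old.patches or []) ++ [../patches/radicale_infcloud.patch];
  });

  # Put the pinned InfCloud package into Radicale's Python environment so the
  # `web.type = "radicale_infcloud"` setting below can load it.
  overlay = self: super: {
    radicale = super.radicale.overrideAttrs (old: {
      propagatedBuildInputs = old.propagatedBuildInputs ++ [radicale_infcloud];
    });
  };

  # Path of the htpasswd file; the sops secret below is placed there.
  htpasswd_filename = "/etc/radicale/users";
in
{
  options.services.radicaleWithInfcloud = {
    enable = lib.mkEnableOption "Radicale service with Infcloud frontend and nginx config";

    # Parameterises the previously hard-coded virtual host name; the default
    # keeps existing deployments unchanged.
    domain = lib.mkOption {
      type = lib.types.str;
      default = "cal.tammena.rocks";
      description = "Public host name of the nginx virtual host that proxies to Radicale.";
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [overlay];

    services.radicale = {
      enable = true;
      settings = {
        server = {
          # Loopback-only listener; TLS termination is done by nginx.
          hosts = ["[::1]:${builtins.toString internalPort}"];
          max_connections = 8;
          max_content_length = 100000000;
          timeout = 30;
        };
        auth = {
          inherit htpasswd_filename;
          type = "htpasswd";
          htpasswd_encryption = "bcrypt";
          # Radicale applies this delay (seconds) after failed login attempts.
          delay = 1;
        };
        encoding = {
          request = "utf-8";
          stock = "utf-8";
        };
        storage = { filesystem_folder = "/var/lib/radicale/collections"; };
        web = { type = "radicale_infcloud"; };
        # Keep credentials out of the service log.
        logging = { mask_passwords = true; };
      };
    };

    # Make sure our service user can access the `htpasswd_filename` file.
    # NOTE(review): presumably needed because sops-nix keeps its secrets under a
    # directory traversable only by the `keys` group — confirm against sops-nix.
    systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];

    # The htpasswd file is owned by the Radicale service user and readable by
    # nobody else.
    sops.secrets."radicale-htpasswd" = {
      owner = config.systemd.services.radicale.serviceConfig.User;
      mode = "0400";
      path = htpasswd_filename;
    };

    # Enable nginx proxy with ACME; all plain-HTTP requests are redirected to HTTPS.
    services.nginx.virtualHosts.${cfg.domain} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://[::1]:${builtins.toString internalPort}";
      };
    };
  };
}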