{ config, lib, ... }:
let
  # Loopback-only port Radicale listens on; nginx is the sole public entry point.
  listenPort = 5232;
  cfg = config.services.radicaleWithInfcloud;
  # Path of the htpasswd user database; sops-nix places the decrypted secret here.
  htpasswd_filename = "/etc/radicale/users";
in
{
  options.services."radicaleWithInfcloud" = {
    enable = lib.mkEnableOption "Radicale service with Infcloud frontend and nginx config";
  };

  config = lib.mkIf cfg.enable {
    # NOTE(review): despite the option description, nothing below configures an
    # InfCloud frontend — confirm whether it lives in another module.
    services.radicale = {
      enable = true;
      settings = {
        server = {
          # Bind to IPv6 loopback only so the daemon is never reachable directly.
          hosts = [ "[::1]:${toString listenPort}" ];
          max_connections = 8;
          max_content_length = 100000000;
          timeout = 30;
        };
        auth = {
          inherit htpasswd_filename;
          type = "htpasswd";
          htpasswd_encryption = "bcrypt";
          # Delay (seconds) applied after a failed login; slows down guessing.
          delay = 1;
        };
        encoding = {
          request = "utf-8";
          stock = "utf-8";
        };
        storage.filesystem_folder = "/var/lib/radicale/collections";
        # Keep credentials out of the log output.
        logging.mask_passwords = true;
      };
    };

    # The service user needs the `keys` group to traverse the sops secrets
    # directory and reach `htpasswd_filename`.
    systemd.services.radicale.serviceConfig.SupplementaryGroups = [
      config.users.groups.keys.name
    ];

    sops.secrets."radicale-htpasswd" = {
      # Owned by the Radicale service user, readable by it alone.
      owner = config.systemd.services.radicale.serviceConfig.User;
      mode = "0400";
      path = htpasswd_filename;
    };

    # NOTE(review): the vhost below obtains its certificate via ACME and does not
    # reference this key; confirm another module consumes it before relying on it.
    sops.secrets."certificate-key-cal-tammena-me" = {
      owner = "nginx";
      mode = "0400";
    };

    # TLS-terminating nginx proxy in front of Radicale, certificate via ACME.
    services.nginx.virtualHosts."cal.tammena.me" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://[::1]:${toString listenPort}";
    };
  };
}