nixos/modules/radicale.nix


{ config, pkgs, lib, ... }:
let
# Loopback port Radicale listens on; nginx proxies the public vhost to it.
internalPort = 5232;

# InfCloud web UI plugin for Radicale, built from a pinned upstream commit.
# Both the commit (rev) and the content hash (sha256) are fixed, so the
# fetched source cannot change without this file changing too.
radicale_infcloud = pkgs.python3.pkgs.radicale_infcloud.overrideAttrs (prev: {
  src = pkgs.fetchFromGitHub {
    owner = "Unrud";
    repo = "RadicaleInfCloud";
    rev = "40f88a5dc0003120d62533ea635f0d94d77f1aca";
    sha256 = "h6t8LlXAWErVlVq88fGFGrVEvZeJ7HJsr61/fiKRIGY=";
  };
  # Local patch: drops the plugin's dependency on radicale (otherwise the
  # overlay that adds this plugin to radicale recurses infinitely) and
  # applies some site-specific settings.
  # Any patches the base derivation already carries are kept.
  patches = (prev.patches or [ ]) ++ [ ../patches/radicale_infcloud.patch ];
});
# Overlay that rebuilds radicale with the InfCloud plugin among its
# propagated inputs, so `web.type = "radicale_infcloud"` can find it.
overlay = final: prev: {
  radicale = prev.radicale.overrideAttrs (oldAttrs: {
    propagatedBuildInputs =
      oldAttrs.propagatedBuildInputs ++ [ radicale_infcloud ];
  });
};

# htpasswd file with the users' bcrypt password hashes. It is a plain path
# string, not a store path, so the hashes are not copied into /nix/store.
# NOTE(review): ownership and mode of this file are not managed here;
# confirm it is readable by the radicale service and not world-readable.
htpasswd_filename = "/etc/radicale/users";
in {
# Make the plugin-enabled radicale the one the service module picks up.
nixpkgs.overlays = [ overlay ];

services.radicale.enable = true;
services.radicale.settings = {
  server = {
    # Loopback only: Radicale itself speaks plain HTTP and is reachable from
    # outside solely through the nginx TLS vhost below.
    hosts = [ "[::1]:${toString internalPort}" ];
    max_connections = 8;
    # Request body limit, 100000000 bytes.
    # NOTE(review): nginx in front applies its own body-size limit as well;
    # confirm the two agree.
    max_content_length = 100000000;
    timeout = 30;
  };

  auth = {
    type = "htpasswd";
    htpasswd_filename = htpasswd_filename;
    # Must match the hash format written by the radicale-set-user script
    # (htpasswd -B, i.e. bcrypt).
    htpasswd_encryption = "bcrypt";
    # Delay applied after failed logins; slows down password guessing.
    delay = 1;
  };

  encoding = {
    request = "utf-8";
    stock = "utf-8";
  };

  storage.filesystem_folder = "/var/lib/radicale/collections";
  web.type = "radicale_infcloud";
  # Keep submitted passwords out of the service log.
  logging.mask_passwords = true;
};
# Public entry point: nginx terminates TLS (certificate via ACME, with
# forceSSL so clients are not served over plain HTTP) and forwards to
# Radicale on loopback. Credentials travel unencrypted only on that
# local hop.
# NOTE(review): behind the proxy Radicale presumably sees every client as
# ::1; use the nginx access log when investigating failed logins.
services.nginx.virtualHosts."cal.tammena.rocks" = {
  forceSSL = true;
  enableACME = true;
  locations."/".proxyPass = "http://[::1]:${toString internalPort}";
  # Disabled options that would go under locations."/":
  #proxyWebsockets = true; # needed if you need to use WebSocket
  #extraConfig =
  # required when the target is also TLS server with multiple hosts
  #"proxy_ssl_server_name on;" +
  # required when the server wants to use HTTP Authentication
  #"proxy_pass_header Authorization;";
};
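environment.systemPackages = [
  # radicale-set-user USERNAME
  # Adds a user to the Radicale htpasswd file, or updates that user's
  # password. htpasswd prompts for the password interactively, so it does
  # not end up in the process arguments or shell history. Hashes are bcrypt
  # (-B), matching auth.htpasswd_encryption.
  #
  # Fix: the original always passed -c, which recreates the file and so
  # deleted every existing user whenever another one was added. -c is now
  # used only when the file does not exist yet. The username is also quoted
  # and a missing argument is rejected.
  #
  # NOTE(review): the file is created with the caller's umask; confirm it
  # ends up readable by the radicale service and not world-readable.
  (pkgs.writeScriptBin "radicale-set-user" ''
    #!${pkgs.stdenv.shell}
    set -eu
    if [ "$#" -ne 1 ]; then
      echo "usage: radicale-set-user USERNAME" >&2
      exit 1
    fi
    mkdir -p "$(dirname "${htpasswd_filename}")"
    if [ -e "${htpasswd_filename}" ]; then
      # File exists: add or update the entry, keep all other users.
      ${pkgs.apacheHttpd}/bin/htpasswd -B "${htpasswd_filename}" "$1"
    else
      # First user: create the file.
      ${pkgs.apacheHttpd}/bin/htpasswd -Bc "${htpasswd_filename}" "$1"
    fi
  '')
];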
}