70 lines
2 KiB
Nix
70 lines
2 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
internalPort = 5232;
|
|
cfg = config.services.radicaleWithInfcloud;
|
|
|
|
sopsPath = key: config.sops.secrets.${key}.path;
|
|
|
|
htpasswd_filename = "/etc/radicale/users";
|
|
in {
|
|
options.services."radicaleWithInfcloud" = with lib; {
|
|
enable =
|
|
mkEnableOption "Radicale service with Infcloud frontend and nginx config";
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
services.radicale = {
|
|
enable = true;
|
|
settings = {
|
|
server = {
|
|
hosts = ["[::1]:${builtins.toString internalPort}"];
|
|
max_connections = 8;
|
|
max_content_length = 100000000;
|
|
timeout = 30;
|
|
};
|
|
auth = {
|
|
inherit htpasswd_filename;
|
|
type = "htpasswd";
|
|
htpasswd_encryption = "bcrypt";
|
|
delay = 1;
|
|
};
|
|
encoding = {
|
|
request = "utf-8";
|
|
stock = "utf-8";
|
|
};
|
|
storage = {filesystem_folder = "/var/lib/radicale/collections";};
|
|
logging = {mask_passwords = true;};
|
|
};
|
|
};
|
|
# Make sure our service user can access the `htpasswd_filename` file
|
|
systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];
|
|
|
|
sops.secrets."radicale-htpasswd" = {
|
|
owner = config.systemd.services.radicale.serviceConfig.User;
|
|
mode = "0400";
|
|
path = htpasswd_filename;
|
|
};
|
|
sops.secrets."certificate-key-cal-tammena-me" = {
|
|
owner = "nginx";
|
|
mode = "0400";
|
|
};
|
|
|
|
# Enable nginx proxy with ACME
|
|
services.nginx.virtualHosts."cal.tammena.me" = let
|
|
certificateName = "cal-tammena-me";
|
|
in {
|
|
forceSSL = true;
|
|
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
|
|
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
|
|
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
|
|
locations."/" = {
|
|
proxyPass = "http://[::1]:${builtins.toString internalPort}";
|
|
};
|
|
};
|
|
};
|
|
}
|