nixos/modules/radicale.nix


# NixOS module: Radicale (CalDAV/CardDAV) with the InfCloud web frontend,
# published through an nginx virtual host with ACME-issued TLS.
#
# Security-relevant layout, as configured below:
#   * Radicale binds to IPv6 loopback only; nginx is the network-facing entry
#     point and the virtual host forces HTTPS.
#   * Authentication uses an htpasswd file with bcrypt hashes. The file is a
#     sops-nix secret owned by the service user with mode 0400.
#   * The InfCloud plugin source is pinned to the revision and hash recorded in
#     ../flake.lock and then patched locally.
{
  config,
  pkgs,
  lib,
  ...
}: let
  cfg = config.services.radicaleWithInfcloud;

  # Backend listener. nginx talks to it over plain HTTP (see proxyPass below),
  # so it is kept on loopback rather than on a routable address.
  internalPort = 5232;
  backendAddress = "[::1]:${toString internalPort}";

  # Location of the credential file: written by sops-nix, read by Radicale's
  # htpasswd authentication backend.
  htpasswdPath = "/etc/radicale/users";

  # Pin for the plugin source, read from the flake lock file so the module and
  # the flake agree on one revision.
  pin = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.radicale_infcloud.locked;

  infcloudPlugin = pkgs.python3.pkgs.radicale_infcloud.overrideAttrs (prev: {
    pname = pin.repo;
    version = pin.rev;
    src = pkgs.fetchFromGitHub {
      inherit (pin) owner repo rev;
      # Hash of the fetched tree as recorded in the lock file; a source that
      # does not match it fails the build instead of being used.
      sha256 = pin.narHash;
    };
    # The patch removes the plugin's dependency on radicale (otherwise the
    # overlay below recurses infinitely) and applies local settings.
    # NOTE(review): the patch body is not visible here. It changes code that is
    # served to users, so changes to it deserve the same review as source.
    patches = (prev.patches or []) ++ [../patches/radicale_infcloud.patch];
  });

  # Adds the plugin to Radicale's propagated inputs so the `web` backend
  # selected below can be loaded.
  withInfcloud = final: prev: {
    radicale = prev.radicale.overrideAttrs (prevAttrs: {
      propagatedBuildInputs = prevAttrs.propagatedBuildInputs ++ [infcloudPlugin];
    });
  };
in {
  options.services.radicaleWithInfcloud.enable =
    lib.mkEnableOption "Radicale service with Infcloud frontend and nginx config";

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [withInfcloud];

    services.radicale = {
      enable = true;
      settings = {
        server = {
          hosts = [backendAddress];
          max_connections = 8;
          # NOTE(review): nginx applies its own request-body limit in front of
          # this value; confirm the two limits are meant to differ.
          max_content_length = 100000000;
          timeout = 30;
        };
        auth = {
          type = "htpasswd";
          htpasswd_filename = htpasswdPath;
          htpasswd_encryption = "bcrypt";
          # Delay in seconds after a failed login; slows online guessing.
          delay = 1;
        };
        encoding = {
          request = "utf-8";
          stock = "utf-8";
        };
        storage.filesystem_folder = "/var/lib/radicale/collections";
        web.type = "radicale_infcloud";
        # Keep submitted passwords out of the service log.
        logging.mask_passwords = true;
      };
    };

    # Give the service the `keys` group so it can reach the credential file.
    # NOTE(review): presumably needed to traverse the sops-nix secrets
    # directory; the file itself is already owned by the service user.
    systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];

    # Credential file: owner-read-only, owned by the user Radicale runs as.
    sops.secrets."radicale-htpasswd" = {
      path = htpasswdPath;
      owner = config.systemd.services.radicale.serviceConfig.User;
      mode = "0400";
    };

    # Public entry point: ACME certificate, HTTPS enforced, everything proxied
    # to the loopback backend.
    # NOTE(review): no forwarding headers are set on this location. Unless
    # proxy settings are applied elsewhere in the nginx configuration, Radicale
    # logs every request as coming from ::1, which makes failed logins hard to
    # attribute to a client.
    services.nginx.virtualHosts."cal.tammena.rocks" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://${backendAddress}";
    };
  };
}