nixos/modules/radicale.nix

70 lines
2 KiB
Nix

{
pkgs,
config,
lib,
...
}: let
internalPort = 5232;
cfg = config.services.radicaleWithInfcloud;
sopsPath = key: config.sops.secrets.${key}.path;
htpasswd_filename = "/etc/radicale/users";
in {
options.services."radicaleWithInfcloud" = with lib; {
enable =
mkEnableOption "Radicale service with Infcloud frontend and nginx config";
};
config = lib.mkIf cfg.enable {
services.radicale = {
enable = true;
settings = {
server = {
hosts = ["[::1]:${builtins.toString internalPort}"];
max_connections = 8;
max_content_length = 100000000;
timeout = 30;
};
auth = {
inherit htpasswd_filename;
type = "htpasswd";
htpasswd_encryption = "bcrypt";
delay = 1;
};
encoding = {
request = "utf-8";
stock = "utf-8";
};
storage = {filesystem_folder = "/var/lib/radicale/collections";};
logging = {mask_passwords = true;};
};
};
# Make sure our service user can access the `htpasswd_filename` file
systemd.services.radicale.serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];
sops.secrets."radicale-htpasswd" = {
owner = config.systemd.services.radicale.serviceConfig.User;
mode = "0400";
path = htpasswd_filename;
};
sops.secrets."certificate-key-cal-tammena-me" = {
owner = "nginx";
mode = "0400";
};
# Enable nginx proxy with ACME
services.nginx.virtualHosts."cal.tammena.me" = let
certificateName = "cal-tammena-me";
in {
forceSSL = true;
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
locations."/" = {
proxyPass = "http://[::1]:${builtins.toString internalPort}";
};
};
};
}