# NixOS module: Radicale (CalDAV/CardDAV server) published through the
# project's nginx reverse-proxy module.
#
# Exposure model, as configured below:
#   * Radicale listens on the loopback address only, so the nginx virtual
#     host is the only network path to it.
#   * Authentication is Radicale's htpasswd backend with bcrypt hashes; the
#     credentials file comes from the `secrets` module and is owned by the
#     `radicale` user and group.
#   * Radicale's built-in web interface is turned off (`web.type = "none"`).
{
  config,
  inputs,
  lib,
  ...
}:
with lib; let
  cfg = config.nixfiles.modules.radicale;
in {
  options.nixfiles.modules.radicale = {
    enable = mkEnableOption "Radicale";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = types.str;
      default = "radicale.${config.networking.domain}";
    };
  };

  config = let
    listenPort = 5232;
    # Single source for the backend address, shared by the Radicale listener
    # and the nginx upstream so the two cannot drift apart.
    listenAddress = "127.0.0.1:${toString listenPort}";
  in
    mkIf cfg.enable {
      # htpasswd database, readable by the service account.
      # NOTE(review): no file mode is set here; confirm the secrets module's
      # default does not leave the file readable by other users.
      secrets.radicale-htpasswd = {
        file = "${inputs.self}/secrets/radicale-htpasswd";
        owner = "radicale";
        group = "radicale";
      };

      nixfiles.modules.nginx = {
        enable = true;

        upstreams.radicale.servers.${listenAddress} = {};

        virtualHosts.${cfg.domain} = {
          locations."/".proxyPass = "http://radicale";
          # `nginxInternalOnly` is not defined in this file (it is picked up
          # through `with lib;`). Presumably it restricts the virtual host to
          # internal clients; verify against its definition.
          # NOTE(review): TLS is not configured in this module. HTTP basic
          # auth credentials cross this virtual host, so confirm the nginx
          # module enforces HTTPS for it.
          extraConfig = nginxInternalOnly;
        };
      };

      services.radicale = {
        enable = true;

        settings = {
          # Loopback only: clients must go through the nginx virtual host.
          server.hosts = [listenAddress];

          # No built-in web UI.
          web.type = "none";

          auth.type = "htpasswd";
          auth.htpasswd_filename = config.secrets.radicale-htpasswd.path;
          auth.htpasswd_encryption = "bcrypt";
        };
      };
    };
}