# NixOS module: Radicale (CalDAV/CardDAV) behind an nginx TLS reverse proxy,
# published as dav.ctu.cx, with agenix-managed secrets and a restic backup of
# the data directory.
{ secrets, config, lib, pkgs, ... }:

let
  # Per-host subtree of the secrets set, keyed by this machine's hostName.
  hostSecrets = secrets."${config.networking.hostName}";
in
{
  # dav.ctu.cx is an alias for this host's FQDN (trailing dot = absolute name).
  dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ];

  age.secrets = {
    # Repository password for the restic backup below.
    # NOTE(review): no owner is set here, while the backup job is configured
    # with user = "radicale". agenix decrypts to root-owned, mode 0400 files by
    # default, so confirm that the backup job can actually read this file.
    resticRadicale.file = hostSecrets.restic.radicale;

    # htpasswd file read by Radicale; it has to be readable by the service user.
    radicaleUsers = {
      file = hostSecrets.radicaleUsers;
      owner = "radicale";
    };
  };

  # Back up the whole Radicale state directory.
  restic-backups.radicale = {
    user = "radicale";
    passwordFile = config.age.secrets.resticRadicale.path;
    paths = [ "/var/lib/radicale" ];
  };

  # NOTE(review): %i expands to the instance name, which is empty for a
  # non-template unit such as radicale.service (%n would be the full unit
  # name). Confirm email-notify@ receives the value it expects.
  systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];

  services.radicale = {
    enable = true;

    settings = {
      # Loopback only: Radicale itself speaks plain HTTP, and nginx below is the
      # sole network-facing endpoint.
      server.hosts = [ "[::1]:5232" ];

      web.type = "internal";

      storage.filesystem_folder = "/var/lib/radicale/collections";

      # SECURITY: a wildcard origin lets a script on any website read the
      # responses it can obtain from this server. If only known web clients
      # need cross-origin access, list their origin instead of "*".
      headers.Access-Control-Allow-Origin = "*";

      auth = {
        type = "htpasswd";
        htpasswd_filename = config.age.secrets.radicaleUsers.path;

        # SECURITY: "plain" means the htpasswd file holds cleartext passwords.
        # The age encryption only protects the copy in the repository; on the
        # host, anything that can read the decrypted file (or a backup/leak of
        # it) obtains every user's password directly. Prefer a hashed format
        # such as "bcrypt". Switching requires regenerating the users file with
        # matching hashes, so it is deliberately left unchanged here.
        htpasswd_encryption = "plain";
      };
    };
  };

  services.nginx = {
    enable = true;

    virtualHosts."dav.ctu.cx" = {
      # Reuse the certificate issued for the host's FQDN; that certificate must
      # also cover dav.ctu.cx for clients to accept it.
      useACMEHost = "${config.networking.fqdn}";

      # Redirect HTTP to HTTPS: the Basic-auth credentials must never travel in
      # cleartext.
      forceSSL = true;
      kTLS = true;

      # TLS ends at nginx; the hop to Radicale is plain HTTP over loopback.
      locations."/".proxyPass = "http://[::1]:5232/";
    };
  };
}