{ secrets, config, lib, pkgs, ... }:

{

  dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ];

  age.secrets = {
    resticRadicale.file = secrets."${config.networking.hostName}".restic.radicale;
    radicaleUsers = {
      file  = secrets."${config.networking.hostName}".radicaleUsers;
      owner = "radicale";
    };
  };

  restic-backups.radicale = {
    user         = "radicale";
    passwordFile = config.age.secrets.resticRadicale.path;
    paths        = [ "/var/lib/radicale" ];
  };

  systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];

  services = {
    radicale.enable = true;
    radicale.settings = {
      server.hosts                        = [ "[::1]:5232" ];
      web.type                            = "internal";
      storage.filesystem_folder           = "/var/lib/radicale/collections";
      headers.Access-Control-Allow-Origin = "*";
      auth.type                           = "htpasswd";
      auth.htpasswd_filename              = config.age.secrets.radicaleUsers.path;
      auth.htpasswd_encryption            = "plain";
    };

    nginx = {
      enable = true;
      virtualHosts."dav.ctu.cx" = {
        useACMEHost = "${config.networking.fqdn}";
        forceSSL    = true;
        kTLS        = true;
        locations."/".proxyPass = "http://[::1]:5232/";
      };
    };
  };

}