# Radicale (CalDAV/CardDAV) for dav.ctu.cx: loopback-only backend, nginx TLS
# front end, age-managed secrets and a restic backup of the data directory.
{ config, lib, pkgs, ... }:

let
  # Radicale listens on loopback only; nginx is the sole network-facing
  # listener and proxies to this same endpoint.
  backend = "[::1]:5232";

  # Resolve a file inside this host's directory of age-encrypted secrets.
  hostSecret = rel: ./. + "/../../secrets/${config.networking.hostName}/${rel}";
in
{
  dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ];

  # NOTE(review): no owner is set for the restic password, unlike
  # radicale-users below. The backup job is configured with user "radicale";
  # confirm that user can read the decrypted file.
  age.secrets.restic-radicale.file = hostSecret "restic/radicale.age";

  # Owned by radicale so the daemon can read its own user database.
  age.secrets.radicale-users = {
    file = hostSecret "radicale-users.age";
    owner = "radicale";
  };

  restic-backups.radicale = {
    user = "radicale";
    passwordFile = config.age.secrets.restic-radicale.path;
    paths = [ "/var/lib/radicale" ];
  };

  # NOTE(review): %i is the instance name, which is empty for a non-templated
  # unit such as radicale.service; %n or %p may be what was intended. Confirm
  # that the failure notification actually fires.
  systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];

  services.radicale = {
    enable = true;
    settings = {
      server.hosts = [ backend ];
      web.type = "internal";
      storage.filesystem_folder = "/var/lib/radicale/collections";

      # NOTE(review): a wildcard lets any web origin read responses from this
      # server. If no browser-based DAV client needs it, drop the header or
      # restrict it to the known client origin.
      headers.Access-Control-Allow-Origin = "*";

      auth = {
        type = "htpasswd";
        htpasswd_filename = config.age.secrets.radicale-users.path;
        # NOTE(review): "plain" means the decrypted users file holds cleartext
        # passwords, so any read of that file discloses them. age protects the
        # file only at rest in the repository. A hashed scheme such as
        # "bcrypt" avoids this, but the secret must be regenerated in that
        # format before this value is switched.
        htpasswd_encryption = "plain";
      };
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."dav.ctu.cx" = {
      # TLS terminates here; HTTP is redirected to HTTPS, so the Basic-auth
      # credentials Radicale checks do not cross the network in cleartext.
      enableACME = true;
      forceSSL = true;
      kTLS = true;
      locations."/".proxyPass = "http://${backend}/";
    };
  };
}