{ secrets, config, lib, pkgs, ... }:

# Radicale (CalDAV/CardDAV) published as dav.ctu.cx.
# The daemon listens on loopback only; nginx terminates TLS in front of it.
let
  fqdn     = config.networking.fqdn;
  hostName = config.networking.hostName;
  listen   = "[::1]:5232";
in {

  # Public name is a CNAME onto this machine's FQDN.
  dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${fqdn}." ];

  # age-encrypted secrets: the restic repository password and the htpasswd
  # user file. The user file is owned by the radicale service user so the
  # daemon can read it without elevated privileges.
  age.secrets = {
    resticRadicale.file = secrets."${hostName}".restic.radicale;
    radicaleUsers = {
      file  = secrets."${hostName}".radicaleUsers;
      owner = "radicale";
    };
  };

  # Back up the whole state directory (collections included) as the radicale user.
  restic-backups.radicale = {
    user         = "radicale";
    passwordFile = config.age.secrets.resticRadicale.path;
    paths        = [ "/var/lib/radicale" ];
  };

  # Mail out when the unit fails.
  systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];

  services = {
    radicale = {
      enable   = true;
      settings = {
        # Loopback only: never exposed directly, nginx proxies to it.
        server.hosts              = [ listen ];
        web.type                  = "internal";
        storage.filesystem_folder = "/var/lib/radicale/collections";
        # Wildcard CORS origin. Per the CORS rules a "*" origin is not
        # combined with credentials by browsers, so the practical effect is
        # on unauthenticated cross-origin reads/preflights; if only known
        # web clients need it, list their origin(s) here instead of "*".
        headers.Access-Control-Allow-Origin = "*";
        auth = {
          type              = "htpasswd";
          htpasswd_filename = config.age.secrets.radicaleUsers.path;
          # "plain": the decrypted user file holds cleartext passwords, so
          # anything that can read it as the radicale user gets every
          # credential. Radicale also accepts bcrypt-hashed entries; moving
          # to "bcrypt" means regenerating the secret with hashed lines.
          htpasswd_encryption = "plain";
        };
      };
    };

    nginx = {
      enable = true;
      virtualHosts."dav.ctu.cx" = {
        # Reuse the host-wide ACME certificate instead of requesting another.
        useACMEHost = fqdn;
        forceSSL    = true;
        kTLS        = true;
        locations."/".proxyPass = "http://${listen}/";
      };
    };
  };

}