# Radicale (CalDAV/CardDAV) served through nginx on cal.jalr.de.
#
# Trust model: nginx performs HTTP basic auth against a sops-managed htpasswd
# file and hands the authenticated user name to Radicale in the X-Remote-User
# header. Radicale (auth.type = "http_x_remote_user") does no password check of
# its own, so everything that can reach Radicale's listener is trusted to set
# that header honestly.
{ config, ... }:
let
  # TCP port shared by the nginx upstream and Radicale's listener.
  radicalePort = toString config.networking.ports.radicale.tcp;

  # Path of the decrypted htpasswd file as provided by sops.
  htpasswdPath = config.sops.secrets.radicale-htpasswd.path;

  # Both service-discovery URLs redirect to the Radicale prefix.
  wellKnownRedirect = "301 $scheme://$host:$server_port/radicale";
in
{
  # The htpasswd file is owned by the nginx user, which is the service that
  # reads it via basicAuthFile below.
  sops.secrets.radicale-htpasswd = {
    sopsFile = ../secrets.yaml;
    owner = "nginx";
  };

  services.nginx.virtualHosts."cal.jalr.de" = {
    forceSSL = true;
    enableACME = true;

    # Basic auth is set on the virtual host, so it is not limited to the
    # /radicale/ location.
    basicAuthFile = htpasswdPath;

    locations."/.well-known/caldav".return = wellKnownRedirect;
    locations."/.well-known/carddav".return = wellKnownRedirect;

    locations."/radicale/" = {
      proxyPass = "http://127.0.0.1:${radicalePort}/";
      recommendedProxySettings = true;

      # Per-location override, left disabled.
      # NOTE(review): basic auth must stay in force for this location for as
      # long as Radicale takes the user from X-Remote-User.
      #basicAuthFile = "";

      # X-Script-Name tells Radicale the URL prefix it is mounted under.
      # X-Remote-User is set from nginx's $remote_user, so the value forwarded
      # to Radicale is the basic-auth user, not a header supplied by the client.
      extraConfig = ''
        proxy_set_header X-Script-Name /radicale;
        proxy_set_header X-Remote-User $remote_user;
      '';

      # Not in effect (kept from the original as commented-out settings):
      # proxy_pass_request_headers = on;
      # underscores_in_headers = on;
    };
  };

  services.radicale.enable = true;
  services.radicale.settings = {
    # Loopback only (IPv4 and IPv6), plain HTTP; TLS is terminated by nginx.
    # NOTE(review): Radicale does not verify X-Remote-User, so any local
    # process able to connect to this port is treated as whatever user it
    # names. Confirm that is acceptable for the accounts on this host.
    server.hosts = "127.0.0.1:${radicalePort},[::1]:${radicalePort}";
    server.ssl = false;

    encoding.request = "utf-8";
    encoding.stock = "utf-8";

    # User identity comes from the X-Remote-User header set by nginx above.
    auth.type = "http_x_remote_user";

    # Each user may only access collections they own.
    rights.type = "owner_only";

    storage.filesystem_folder = "/var/lib/radicale/collections";

    logging.level = "warning";
  };
}