radicale: Init module

2026-01-21 17:31:34 +01:00 · 2025-08-26 19:26:15 +02:00 · 2025-08-26 19:26:15 +02:00 · eb4b41222d
commit eb4b41222d
parent 391081fe8e
3 changed files with 59 additions and 2 deletions
--- a/hosts/srv-internal/default.nix
+++ b/hosts/srv-internal/default.nix
@ -30,17 +30,24 @@
        deviceId = "5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD";
        gui.domain = "syncthing.${config.custom.services.tailscale.domain}";
      };
+
      nextcloud = {
        enable = true;
        doBackups = true;
        domain = "cloud.${config.custom.services.tailscale.domain}";
      };
+
      actualbudget = {
        enable = true;
        doBackups = true;
        domain = "budget.${config.custom.services.tailscale.domain}";
      };

+      radicale = {
+        enable = true;
+        domain = "calendar.${config.custom.services.tailscale.domain}";
+      };
+
      caddy.virtualHosts = {
        syncthing-gui = {
          inherit (config.custom.services.syncthing.gui) domain port;
@ -51,6 +58,9 @@
        actualbudget = {
          inherit (config.custom.services.actualbudget) domain port;
        };
+        radicale = {
+          inherit (config.custom.services.radicale) domain port;
+        };
      };
    };
  };
--- a/hosts/srv-internal/secrets.json
+++ b/hosts/srv-internal/secrets.json
@ -21,6 +21,9 @@
    "cert": "ENC[AES256_GCM,data:GZBD/nicqDLs0j/6HUMhkJkpb9P2u31Nf90THuLx0JzQL7MwD6xd1wMPWwszZquQgAF0SHPvZN6H+xstBeKYenu5VQ9rmcEBZd/60hLxaeuD1qXM2puZMwFNrzS1AOow/5BHPSI19a7jgewYPr5h2wlVD4ynMTuPWrJY2BPYB6rGEZwudiK+HxQEN0f3xtLramfCkYaeKypPLUfYN94AaXLU9MPxZx0ZNo7les4yQgvXusVXYzwk+pb59isJpdyX4fOeIfG4O9ri1v+lBxNo4bTj8DwFj4v8txXOW1BFcwEd298ixpz/z9FvrNZHCcOuTZKwJHiAQRj6+DDxpvrjEmBMBs3PaioXT7gNjahYfXLkxSPlF8JIwCyU3WN3gR9kYRBts6ypQYEOXEp+kyR2arha3LQmmg8/CXpzNnv0rKu/Ad+MEa5QJvU0MRtQePBxWxRG/yvR1oAQFsPI1YWOqo8xswxMBZGVDTMNBGW1ZCvZpNkVbX+YCCWLvXMK2fv9bxgxfUDQmI2R9Ajx+lXCDN15bM5gHEhgFNfMjWuMHQzAvXr5Ghye4ugw5TBYQpxV3/2ye2FxmKdPn7gVUYF+Rr5x+TyQux0/hpKHyAdI1SnzmkIIF3t4WwRmwI9U41LD0LYC0mZRGJT2CjDYjc8ZvC74xcPrbeQ6YFjF0SfFoEcFdtiNulzk++AZ0M7ogU/mGEXLxdLY4kaF1Ub2fpnwRxPx/LJbZssl5H/uWV579uVoX/g8f6bzNeE79W9eQUUaQIpimNwXTy9iZ+AUS88pjUy8PkabrBKgdszGSzIU/I1Yqego91njPefXbC5J8QglD06SFqUOGemOuZ2OLtUIsvj3WMzTEJTisG4YVOoyFW8Z8y5AfnVhsyGUj1mOSXVgmPEA8X3lidsg3Uk6pljAB/+hRO4OU94OrxneNkJdXBRFmw7V0sKALG/gOGE07l+MqL3NAFFZO4v2RYfOwWCvEguxhfVswg8GrIszqSNh8ZwIOsuCzCI3TOymsGkXdvEH9ayTkeSq+Bw1xRHpxeRAzXInpzWvclsPpUc=,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:/Na5Vn9jxuHUCNsMDdT+yw==,type:str]",
    "key": "ENC[AES256_GCM,data:vXMeQOsLT0D5oGkJ06cihrUpWvApZkBHJeR4NBF7bls7/b9dxuxyOBjPQQqHKHB0Hh6jFuDP+DTRI0Xrhwr6592CgBdzSxoV35GJBCXtaF/z539RlT0S06UECk71OCauQ7FNVZPgnkjjZ7VzdQLsgZZDAqtzT5bzmExZwI3hcj41VHz7pzRnv8ctax3qKpkf2A61Q3C2OC6l6I+n5/aOm0pTjKskNCO3mGUqX8UWw0ocP40roNTkABnyMZTXx38F1Nvy7NFA5FaLMhCZItQLYjYIKxd8ep6GxjKcq8etvTWvJi0hE6d5cfs0Of9IKR9ESuPd5seRN9HCSWSZo2LqdMXjeu+KQPTarz4FNRf2cY7nv8R9ZWHRjbzNMTZZ7c5j,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:JUFwZn3zIXcax3IDHChOvw==,type:str]"
  },
+  "radicale": {
+    "admin-password": "ENC[AES256_GCM,data:ZzjLqhG4RsAlK16uNTJLO7NDKEOrEdOYrw1pnh0V,iv:/qElkFDygxJvcQKLIoQph3WyeWdtSx9DquuDs/x8HPU=,tag:if844T6gIvUz+sqm3f9Jmg==,type:str]"
+  },
  "sops": {
    "age": [
      {
@ -32,8 +35,8 @@
        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac0VBTXZVdmpjc29oMkJT\nVXhoZnJaWkFjVEVtelphMzlBM1BaNjM3VjBNCjV3U2JwUnRjeEhWWVlMbmZHcjJP\nT1VNUDlNUTM1UjlVdkNGN1BrWHNpVTQKLS0tIDkyWGZVTWFIQzJrVDQ2U0ErQXRm\ndEhnSkQ5SDlnbmhGSVdYaDNuc3ZkM00K7WPEZRYWAd7uGY0IcDwGgQVPrpkF/tnz\nncj03JXM4BXwvEQOmD/i6wS4U4WCwkh9EauGJljVFTeu6TciomDULQ==\n-----END AGE ENCRYPTED FILE-----\n"
      }
    ],
-    "lastmodified": "2025-08-17T19:04:51Z",
-    "mac": "ENC[AES256_GCM,data:bjJIM29Nk83ShConcNXVyWPRNTfb0As5ZkP/y070VLMz8gBC02xkUCIFyH6qwvaOSLMNAJXhx6Q58PjkP/0F1f0lkJNuKU15ek9bqhIVX+DxaifhdJhsOdGSk7JGnMvOOovNODEuSiVURvpSVhfjrJC6ztc1nHvG62SKjZOvf5M=,iv:DcVCUthebgYKujj7WhMsAPJBYc//7FI+uxutV8Ttxs8=,tag:XGfO8bfxsk+IK+n5qQaEuQ==,type:str]",
+    "lastmodified": "2025-08-26T12:56:43Z",
+    "mac": "ENC[AES256_GCM,data:pHhf3/lCWM2WSRk8sh+v4v9voJJtUBNRBKQX3JNvXYl63HwyGwKca8GJ9jBGWFXRZBFxb8ElCvdR+582RJUgBVC3ixmeDqc/NM1CYdKsLSoEJAO+awgREVA01tdq9CIpl0B0GColE38NO/lf9EcZkYa1ZuPF+gES5CE2DGR9zb0=,iv:ZuLm7XPTDe1x744X5OE+gDyf5ONFg/vkwmou+eQj6Bk=,tag:vAtObHBI4vzeyXrD96UfwQ==,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.10.2"
  }
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@ -0,0 +1,44 @@
+{ config, lib, ... }:
+let
+  cfg = config.custom.services.radicale;
+in
+{
+  options.custom.services.radicale = {
+    enable = lib.mkEnableOption "";
+    domain = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      default = "";
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 5232;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    meta = {
+      domains.list = [ cfg.domain ];
+      ports.list = [ cfg.port ];
+    };
+
+    sops = {
+      secrets."radicale/admin-password".owner = config.users.users.radicale.name;
+      templates."radicale/htpasswd" = {
+        owner = config.users.users.radicale.name;
+        content = "seb:${config.sops.placeholder."radicale/admin-password"}";
+      };
+    };
+
+    services.radicale = {
+      enable = true;
+      settings = {
+        server.hosts = "localhost:${builtins.toString cfg.port}";
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = config.sops.templates."radicale/htpasswd".path;
+          htpasswd_encryption = "plain";
+        };
+      };
+    };
+  };
+}