{ config, pkgs, ... }:

{
  security.acme.certs."${config.networking.domain}".extraDomainNames = [ "kalender.ktiu.net" ];

  services.nginx.virtualHosts."kalender.ktiu.net" = {
    onlySSL = true;
    useACMEHost = config.networking.domain;
    locations."/" = {
      proxyPass = "http://127.0.0.1:5232/";
      extraConfig = ''
        proxy_set_header X-Script-Name /;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Authorization;
      '';
    };
  };

  services.radicale = {
    enable = true;
    settings = {
      server = {
        hosts = [ "0.0.0.0:5232" "[::]:5232" ];
      };
      auth = {
        type = "htpasswd";
        htpasswd_filename = "/var/custom-access/radicale.htpasswd";
        # htpasswd_encryption = "bcrypt";
      };
      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
    };
  };

}