From 4cdf17e2abc39248539fa6b7c6305b4e39eed13b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Fri, 22 Dec 2023 02:37:14 +0100
Subject: [PATCH] feat: add radicale
---
 flake.lock | 6 +--
 hosts/ward/default.nix | 1 +
 hosts/ward/guests/radicale.nix | 79 ++++++++++++++++++++++++++++++++++
 modules/distributed-config.nix | 1 +
 4 files changed, 84 insertions(+), 3 deletions(-)
 create mode 100644 hosts/ward/guests/radicale.nix
diff --git a/flake.lock b/flake.lock
index 5c842c9..9f6b0de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -405,11 +405,11 @@
 "pre-commit-hooks": "pre-commit-hooks_3"
 },
 "locked": {
- "lastModified": 1703205251,
- "narHash": "sha256-V8Uxy/g6WRn+ISgBHjs0IY9ZGqjovguNp2FZ2aL+Oqg=",
+ "lastModified": 1703206032,
+ "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=",
 "owner": "oddlama",
 "repo": "nixos-extra-modules",
- "rev": "42374eff1f3ca895d631789e38c04f3f10318abb",
+ "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1",
 "type": "github"
 },
 "original": {
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 2d48e15..a8d9bd4 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -94,6 +94,7 @@
 // mkContainer "kanidm"
 // mkContainer "loki"
 // mkContainer "paperless"
+ // mkContainer "radicale"
 // mkContainer "vaultwarden"
 );
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
new file mode 100644
index 0000000..f2ac00a
--- /dev/null
+++ b/hosts/ward/guests/radicale.nix
@@ -0,0 +1,79 @@
+{
+ config,
+ nodes,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+ 8000
+ ];
+
+ nodes.sentinel = {
+ networking.providedDomains.radicale = radicaleDomain;
+
+ services.nginx = {
+ upstreams.radicale = {
+ servers."${config.meta.wireguard.proxy-sentinel.ipv4}:8000" = {};
+ extraConfig = ''
+ zone radicale 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${radicaleDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ extraConfig = ''
+ client_max_body_size 16M;
+ '';
+ locations."/".proxyPass = "http://radicale";
+ };
+ };
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/radicale";
+ user = "radicale";
+ group = "radicale";
+ mode = "0700";
+ }
+ ];
+
+ services.radicale = {
+ enable = true;
+ settings = {
+ server = {
+ hosts = ["0.0.0.0:8000" "[::]:8000"];
+ };
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "/etc/radicale/users";
+ htpasswd_encryption = "bcrypt";
+ };
+ storage = {
+ filesystem_folder = "/var/lib/radicale/collections";
+ };
+ };
+ rights = {
+ root = {
+ user = ".+";
+ collection = "";
+ permissions = "R";
+ };
+ principal = {
+ user = ".+";
+ collection = "{user}";
+ permissions = "RW";
+ };
+ calendars = {
+ user = ".+";
+ collection = "{user}/[^/]+";
+ permissions = "rw";
+ };
+ };
+ };
+
+ systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+}
diff --git a/modules/distributed-config.nix b/modules/distributed-config.nix
index b69ca76..ae05a3b 100644
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@@ -19,6 +19,7 @@ nodeName = config.node.name; in { + # TODO expose exactly what we can configure! not everything options.nodes = mkOption { default = {}; description = mdDoc "Allows extending the configuration of other machines.";
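Review bot: Radicale is bound to every interface with `hosts = ["0.0.0.0:8000" "[::]:8000"]` even though its only consumer in this patch is the sentinel nginx upstream at `config.meta.wireguard.proxy-sentinel.ipv4:8000`, so a password-authenticated CalDAV/CardDAV listener with no TLS configured on the radicale side is reachable from any other network the container has, and its protection rests on the `allowedTCPPorts` entry alone (presumably a firewall rule on the WireGuard proxy link). Binding to the proxy address instead, `hosts = ["${config.meta.wireguard.proxy-sentinel.ipv4}:8000"];`, confines the listener to that path; if the WireGuard interface can come up after the service, the unit would additionally need an ordering dependency on it, and the 10-minute `RestartSec` with its "Retry" comment suggests start-up failures are already expected, so the reason for that retry should be spelled out in the comment. Separately, `htpasswd_filename = "/etc/radicale/users"` is referenced but nothing in this patch creates the file; since it will hold the bcrypt password hashes, it should be provisioned as a secret readable only by the radicale service user (mode 0400 or equivalent), or the out-of-band expectation documented next to the option, e.g. `# provisioned out of band; must be readable by the radicale user only`.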