From fa2c5b9139946f660f6082b811cc79e5e28cda97 Mon Sep 17 00:00:00 2001
From: Love Billenius
Date: Tue, 14 Apr 2026 15:09:54 +0200
Subject: [PATCH] radicale-eval
---
 modules/nixos/mail-server/radicale.nix | 137 +++++++++++++------------
 1 file changed, 71 insertions(+), 66 deletions(-)
diff --git a/modules/nixos/mail-server/radicale.nix b/modules/nixos/mail-server/radicale.nix
index f4b056c..a28d788 100644
--- a/modules/nixos/mail-server/radicale.nix
+++ b/modules/nixos/mail-server/radicale.nix
@@ -5,74 +5,79 @@
 ...
 }:
 let
- domain = builtins.head config.mailserver.domains;
- radicaleHost = "cal.${domain}";
- mailAccounts = config.mailserver.loginAccounts;
- discoveryHosts = lib.unique (
- config.mailserver.domains
- ++ [
- config.mailserver.fqdn
- radicaleHost
- ]
- );
-
- accountHash =
- mail: account:
- if account ? hashedPassword then
- account.hashedPassword
- else if account ? hashedPasswordFile then
- lib.removeSuffix "\n" (builtins.readFile account.hashedPasswordFile)
- else
- throw "Radicale requires ${mail} to define hashedPassword or hashedPasswordFile";
-
- htpasswd = pkgs.writeText "radicale.users" (
- lib.concatStrings (
- lib.mapAttrsToList (mail: account: "${mail}:${accountHash mail account}\n") mailAccounts
- )
- );
-
- mkWellKnownLocations = {
- "/.well-known/caldav".return = "301 https://${radicaleHost}/";
- "/.well-known/carddav".return = "301 https://${radicaleHost}/";
- };
-
- discoveryVirtualHosts = lib.listToAttrs (
- map (host: {
- name = host;
- value = {
- enableACME = true;
- forceSSL = true;
- locations = mkWellKnownLocations;
- };
- }) discoveryHosts
- );
+ cfg = config.mailserver;
 in
-{
- services.radicale = {
- enable = true;
- settings = {
- auth = {
- type = "htpasswd";
- htpasswd_filename = htpasswd;
- htpasswd_encryption = "bcrypt";
- };
- };
- };
+lib.mkIf cfg.enable (
+ let
+ domain = builtins.head cfg.domains;
+ radicaleHost = "cal.${domain}";
+ mailAccounts = cfg.loginAccounts;
+ discoveryHosts = lib.unique (
+ cfg.domains
+ ++ [
+ cfg.fqdn
+ radicaleHost
+ ]
+ );
 
- services.nginx.virtualHosts = discoveryVirtualHosts // {
- ${radicaleHost} = {
- enableACME = true;
- forceSSL = true;
- locations = mkWellKnownLocations // {
- "/" = {
- proxyPass = "http://127.0.0.1:5232/";
- extraConfig = ''
- proxy_set_header X-Script-Name /;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass_header Authorization;
- '';
+ accountHash =
+ mail: account:
+ if account ? hashedPassword then
+ account.hashedPassword
+ else if account ? hashedPasswordFile then
+ lib.removeSuffix "\n" (builtins.readFile account.hashedPasswordFile)
+ else
+ throw "Radicale requires ${mail} to define hashedPassword or hashedPasswordFile";
+
+ htpasswd = pkgs.writeText "radicale.users" (
+ lib.concatStrings (
+ lib.mapAttrsToList (mail: account: "${mail}:${accountHash mail account}\n") mailAccounts
+ )
+ );
+
+ mkWellKnownLocations = {
+ "/.well-known/caldav".return = "301 https://${radicaleHost}/";
+ "/.well-known/carddav".return = "301 https://${radicaleHost}/";
+ };
+
+ discoveryVirtualHosts = lib.listToAttrs (
+ map (host: {
+ name = host;
+ value = {
+ enableACME = true;
+ forceSSL = true;
+ locations = mkWellKnownLocations;
+ };
+ }) discoveryHosts
+ );
+ in
+ {
+ services.radicale = {
+ enable = true;
+ settings = {
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = htpasswd;
+ htpasswd_encryption = "bcrypt";
 };
 };
 };
- };
-}
+
+ services.nginx.virtualHosts = discoveryVirtualHosts // {
+ ${radicaleHost} = {
+ enableACME = true;
+ forceSSL = true;
+ locations = mkWellKnownLocations // {
+ "/" = {
+ proxyPass = "http://127.0.0.1:5232/";
+ extraConfig = ''
+ proxy_set_header X-Script-Name /;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_header Authorization;
+ '';
+ };
+ };
+ };
+ };
+ }
+)
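Review bot: The `htpasswd` binding still reads each `hashedPasswordFile` with `builtins.readFile` and passes the result to `pkgs.writeText`, so every mail account's password hash is copied into the world-readable Nix store (and into any closure copied off the host), which largely defeats keeping the hashes in a separate file; the commit only moves this code under `lib.mkIf cfg.enable`. `builtins.readFile` also requires the file to exist at evaluation time, so secret paths that are only provisioned at activation or runtime will fail to evaluate. I would assemble the users file at service start in a directory readable only by the radicale user and point the setting at it, `htpasswd_filename = "<runtime path>";` (placeholder), or at minimum add `# NOTE: account hashes are written to /nix/store and are readable by all local users` above `htpasswd`. The module's argument list starts above this hunk, so whether other modules already expose these hashes cannot be told from here.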