radicale-eval

modules/nixos/mail-server/radicale.nix

@@ -5,74 +5,79 @@
   ...
 }:
 let
-  domain = builtins.head config.mailserver.domains;
+  cfg = config.mailserver;
-  radicaleHost = "cal.${domain}";
-  mailAccounts = config.mailserver.loginAccounts;
-  discoveryHosts = lib.unique (
-    config.mailserver.domains
-    ++ [
-      config.mailserver.fqdn
-      radicaleHost
-    ]
-  );
-
-  accountHash =
-    mail: account:
-    if account ? hashedPassword then
-      account.hashedPassword
-    else if account ? hashedPasswordFile then
-      lib.removeSuffix "\n" (builtins.readFile account.hashedPasswordFile)
-    else
-      throw "Radicale requires ${mail} to define hashedPassword or hashedPasswordFile";
-
-  htpasswd = pkgs.writeText "radicale.users" (
-    lib.concatStrings (
-      lib.mapAttrsToList (mail: account: "${mail}:${accountHash mail account}\n") mailAccounts
-    )
-  );
-
-  mkWellKnownLocations = {
-    "/.well-known/caldav".return = "301 https://${radicaleHost}/";
-    "/.well-known/carddav".return = "301 https://${radicaleHost}/";
-  };
-
-  discoveryVirtualHosts = lib.listToAttrs (
-    map (host: {
-      name = host;
-      value = {
-        enableACME = true;
-        forceSSL = true;
-        locations = mkWellKnownLocations;
-      };
-    }) discoveryHosts
-  );
 in
-{
+lib.mkIf cfg.enable (
-  services.radicale = {
+  let
-    enable = true;
+    domain = builtins.head cfg.domains;
-    settings = {
+    radicaleHost = "cal.${domain}";
-      auth = {
+    mailAccounts = cfg.loginAccounts;
-        type = "htpasswd";
+    discoveryHosts = lib.unique (
-        htpasswd_filename = htpasswd;
+      cfg.domains
-        htpasswd_encryption = "bcrypt";
+      ++ [
-      };
+        cfg.fqdn
-    };
+        radicaleHost
-  };
+      ]
+    );
 
-  services.nginx.virtualHosts = discoveryVirtualHosts // {
+    accountHash =
-    ${radicaleHost} = {
+      mail: account:
-      enableACME = true;
+      if account ? hashedPassword then
-      forceSSL = true;
+        account.hashedPassword
-      locations = mkWellKnownLocations // {
+      else if account ? hashedPasswordFile then
-        "/" = {
+        lib.removeSuffix "\n" (builtins.readFile account.hashedPasswordFile)
-          proxyPass = "http://127.0.0.1:5232/";
+      else
-          extraConfig = ''
+        throw "Radicale requires ${mail} to define hashedPassword or hashedPasswordFile";
-            proxy_set_header X-Script-Name /;
+
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    htpasswd = pkgs.writeText "radicale.users" (
-            proxy_pass_header Authorization;
+      lib.concatStrings (
-          '';
+        lib.mapAttrsToList (mail: account: "${mail}:${accountHash mail account}\n") mailAccounts
+      )
+    );
+
+    mkWellKnownLocations = {
+      "/.well-known/caldav".return = "301 https://${radicaleHost}/";
+      "/.well-known/carddav".return = "301 https://${radicaleHost}/";
+    };
+
+    discoveryVirtualHosts = lib.listToAttrs (
+      map (host: {
+        name = host;
+        value = {
+          enableACME = true;
+          forceSSL = true;
+          locations = mkWellKnownLocations;
+        };
+      }) discoveryHosts
+    );
+  in
+  {
+    services.radicale = {
+      enable = true;
+      settings = {
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = htpasswd;
+          htpasswd_encryption = "bcrypt";
         };
       };
     };
-  };
+
-}
+    services.nginx.virtualHosts = discoveryVirtualHosts // {
+      ${radicaleHost} = {
+        enableACME = true;
+        forceSSL = true;
+        locations = mkWellKnownLocations // {
+          "/" = {
+            proxyPass = "http://127.0.0.1:5232/";
+            extraConfig = ''
+              proxy_set_header X-Script-Name /;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_pass_header Authorization;
+            '';
+          };
+        };
+      };
+    };
+  }
+)