{ config, ... }:
let
  repo = config.repo;
  repoHelpers = repo.helpers;
  service = repo.services.radicale;
in
{
  flake.modules.nixos.radicale =
    { lib, ... }:
    lib.mkMerge [
      {
        services.radicale = {
          enable = true;
          settings = {
            server.hosts = [ "${service.host}:${toString service.port}" ];

            auth = {
              type = "htpasswd";
              htpasswd_filename = "/var/lib/radicale/users";
              htpasswd_encryption = "bcrypt";
            };

            storage.filesystem_folder = "/var/lib/radicale/collections";
          };
        };
      }

      (repoHelpers.mkCaddyReverseProxy {
        inherit (service)
          domain
          port
          ;
        extraHeaders = [
          {
            name = "X-Script-Name";
            value = "/";
          }
          {
            name = "X-Forwarded-For";
            value = "{remote}";
          }
          {
            name = "X-Remote-User";
            value = "{http.auth.user.id}";
          }
        ];
      })
    ];
}