{ config, lib, ... }:
let
  domain = "dav.pvv.ntnu.no";
  radicalePort = 5232;
in {
  services.radicale = {
    enable = true;

    settings = {
      server = {
        hosts = [ "127.0.0.1:${toString radicalePort}" ];
      };

      auth = {
        type = "imap";
        imap_host = "imap.pvv.ntnu.no";
        imap_security = "tls";
      };

      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
    };
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString radicalePort}";
      extraConfig = ''
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass_header Authorization;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ radicalePort ];
}