{ config, ... }:
let domain = "radicale.leaf.ninja";
in {
  age.secrets.radicale-htpasswd = {
    file = ./secrets/radicale-htpasswd;
    mode = "400";
    owner = "radicale";
  };

  services.radicale = {
    enable = true;
    settings = {
      server.hosts = [ "localhost:5232" ];
      auth = {
        type = "htpasswd";
        htpasswd_filename = config.age.secrets.radicale-htpasswd.path;
        htpasswd_encryption = "plain";
      };
    };
  };

  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy localhost:5232
  '';
}