{ pkgs, ...}@all: with all;
{
  sops.secrets = { 
    "nx2site/radicale/htpasswd" = {
      owner = "radicale";
    };
  };

  services = {
    radicale = {
      # is run by user radicale
      enable = true;
      package = pkgs.radicale;
      settings = {
        server.hosts = let 
          port = builtins.toString 5232;
        in [ 
          "0.0.0.0:${port}"
          "${hyper.domain}:${port}"
          # "192.168.178.32:${port}"
        ];
        auth = {
          type = "htpasswd";
          htpasswd_filename = config.sops.secrets."nx2site/radicale/htpasswd".path;
          htpasswd_encryption = "bcrypt";
        };
      };
    };
  };
}