{ pkgs, ... }@all: with all; let 
  x = rec { version = "0.0.11";
  user = "nxcaldav";
  nxcsrc = pkgs.fetchFromGitea {
    domain = "git.${hyper.domain}";
    owner = "nx2";
    repo = "NxCalDav";
    rev = version;
    hash = "sha256-Hk27BQCBtdRQ1aSHVEQ1EVjPrsC2jOUPDT4yuU9OCXQ=";
  };
  nxc = pkgs.buildGoModule {
    pname = "NxCalDav";
    inherit version;
    src = nxcsrc;
    vendorHash = "sha256-prstYDJuwS5E5uRwUkX0M+QdnIaQ0QewKe8HaoZ0Db4=";
  };
  nxc_helpers = pkgs.python3Packages.buildPythonApplication {
    inherit version;
    format = "other";
    pname = "nxc_helpers";
    src = nxcsrc;
    propagatedBuildInputs = with pkgs.python313Packages; [ pyyaml psycopg2 ];
    installPhase = ''
      sed -i "15s|.*|    parser.add_argument('--config', default='${cfg}', help='Path to config.yaml')|" ./export_events.py
      sed -i "17s|.*|    parser.add_argument('--config', default='${cfg}', help='Path to config.yaml')|" ./import_events.py
      install -Dm755 "./export_events.py" "$out/bin/nxc_export"
      install -Dm755 "./import_events.py" "$out/bin/nxc_import"
    '';
  };
  cfg = (pkgs.formats.yaml { }).generate "nxcaldav-config.yaml" {
    server = {
      bind_address = "0.0.0.0:14243";
      public_url = "http://nxc.${hyper.domain}/";
      redaction_text = "[-]";
      default_class = "CONFIDENTIAL";
    };
    database.url = "postgres://nxcaldav@localhost:5432/nxcaldav?sslmode=disable";
    users = let dfu = name: {
      name = name;
      password_cmd = ''cat ${config.sops.secrets."nx2site/nxcaldav/${name}_password".path}'';
      groups = [ "family" ];
    }; in  [
      (dfu "lennart")
      (dfu "daniel")
      (dfu "diane")
      (dfu "georg")
      (dfu "tessa")
      (dfu "shared")
    ];
    calendars = [
      { owner = "lennart"; color = "#dddddd"; id = "preservation";  }
      { owner = "lennart"; color = "#dd2222"; id = "effort";        }
      { owner = "lennart"; color = "#2222dd"; id = "experience";    }
      { owner = "lennart"; color = "#22aa22"; id = "leisure";       }
      { id = "family";
        owner = "shared";
        color = "#dddd22";
        access = [
          { group = "family"; mode = "read-write"; }
        ];
      }
    ];
    address_books = [
      { owner = "lennart"; id = "Others";   }
      { owner = "lennart"; id = "TUDa";     }
      { owner = "lennart"; id = "HSMW";     }
      { owner = "lennart"; id = "CWG";      }
      { owner = "lennart"; id = "Handball"; }
      { id = "Family & Freinds";
        owner = "shared";
        access = [
          { group = "family"; mode = "read-write"; }
        ];
      }
    ];
    aggregates = [
      { id = "lennart-aggregate";
        owner = "shared";
        sources = [ "preservation" "effort" "experience" "leisure" ];
        access = [
          { group = "family" ; mode = "read-only"; }
          { ics = "future-only"; }
        ];
      }
    ];
  };
}; in with x; {
  sops.secrets = let ss = { owner = user; group = user; mode = "600"; }; in {
    "nx2site/nxcaldav/lennart_password" = ss;
    "nx2site/nxcaldav/daniel_password" = ss;
    "nx2site/nxcaldav/diane_password" = ss;
    "nx2site/nxcaldav/georg_password" = ss;
    "nx2site/nxcaldav/tessa_password" = ss;
    "nx2site/nxcaldav/shared_password" = ss;
  };
  users = {
    groups."${user}" = {};
    users = {
      "${hyper.user}".extraGroups = [ user ];
      "${user}" = {
        isSystemUser = true;
        isNormalUser = false;
        group = user;
      };
    };
  }; 
  environment.systemPackages = [ nxc_helpers ];
  systemd.services."nxcaldav" = {
    enable = true;
    path = [ pkgs.bash pkgs.coreutils ];
    serviceConfig = {
      User = user;
      Group = user;
      ExecStart = ''${nxc}/bin/nxcaldav -c ${cfg}'';
    };
  };
}