{
  self,
  lib,
  ...
}: {
  flake.nixosModules.radicale = {config, ...}: let
    cfg = config.hostOptions.server;
  in {
    imports = [
      self.nixosModules.hostOptions
      self.nixosModules.nginx
    ];

    services.radicale = {
      enable = true;
      settings = {
        server.hosts = ["127.0.0.1:5232"];
        auth = {
          type = "htpasswd";
          htpasswd_filename = "${cfg.dataPath}/radicale/users";
          htpasswd_encryption = "autodetect";
        };
        storage.filesystem_folder = "${cfg.dataPath}/radicale/calendars/";
      };
    };

    users.users.radicale = {
      isSystemUser = true;
      group = "radicale";
    };
    users.groups.radicale = {};
    systemd.services.radicale.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce "radicale";
      Group = lib.mkForce "radicale";
      ReadWritePaths = ["${cfg.dataPath}/arr/radicale/"];
    };

    services.nginx.virtualHosts."radicale.${cfg.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:5232";
    };
  };
}