{config, ...}: let
  inherit (config.services.secrets) secrets;
in {
  services.radicale = {
    enable = true;
    settings = {
      server = {
        hosts = ["0.0.0.0:5232" "[::]:5232"];
      };
      auth = {
        type = "htpasswd";
        htpasswd_filename = "${secrets.radicale_htpasswd.path}";
        htpasswd_encryption = "bcrypt";
      };
      rights = {
        type = "owner_only";
      };
      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
    };
  };

  users.users.radicale.uid = 1000;
  users.groups.radicale.gid = 1000;

  systemd.tmpfiles.rules = [
    "d /var/lib/radicale - radicale radicale"
    "d /var/lib/radicale/collections - radicale radicale"
  ];
}