diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix
index 8ef7cc4..0333dad 100644
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@@ -1,17 +1,18 @@
-{
-  pkgs,
-  config,
-  # these come in via home-manager.extraSpecialArgs and are specific to each node
-  nodeFlake,
-  packages',
-  # repoFlake,
+{ pkgs
+, config
+, # these come in via home-manager.extraSpecialArgs and are specific to each node
+  nodeFlake
+, packages'
+, # repoFlake,
   # repoFlakeInputs',
   ...
-}: let
+}:
+let
   # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
-  pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;};
+  pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small { inherit (pkgs) system config; };
   pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
-in {
+in
+{
   imports = [
     ../profiles/common.nix
     ../profiles/dotfiles.nix
@@ -37,13 +38,13 @@ in {
     ../programs/vscode
 
     # TODO: bump these to 23.05 and make it work
-    (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
+    (args: import ../programs/radicale.nix (args // { pkgs = pkgs2211; }))
     # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
   ];
 
   home.sessionVariables.HM_CONFIG = "graphical-fullblown";
   home.sessionVariables.GOPATH = "$HOME/src/go";
-  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
+  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ "$HOME/.local/bin" "$PATH" ];
 
   nixpkgs.config.permittedInsecurePackages = [
     "electron-24.8.6"
@@ -51,7 +52,7 @@ in {
   ];
 
   home.packages =
-    []
+    [ ]
     ++ (with pkgs; [
       # Authentication
       cacert
@@ -249,11 +250,12 @@ in {
       pcmanfm
       # mendeley
       evince
-      (runCommand "logseq-wrapper" {
-            nativeBuildInputs = [ makeWrapper ];
-      } ''
-            makeWrapper ${logseq}/bin/logseq $out/bin/logseq  \
-                  --set NIXOS_OZONE_WL ""
+      (runCommand "logseq-wrapper"
+        {
+          nativeBuildInputs = [ makeWrapper ];
+        } ''
+        makeWrapper ${logseq}/bin/logseq $out/bin/logseq  \
+              --set NIXOS_OZONE_WL ""
       '')
       # (logseq.override({ electron_25 = electron_26; }))
 
diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix
index 6c4d820..ffab825 100644
--- a/nix/home-manager/profiles/wayland-desktop.nix
+++ b/nix/home-manager/profiles/wayland-desktop.nix
@@ -1,19 +1,20 @@
-{
-  pkgs,
-  config,
-  lib,
-  repoFlake,
-  nodeFlake,
-  ...
-}: let
-  inherit (import ../lib.nix {}) mkSimpleTrayService;
+{ pkgs
+, config
+, lib
+, repoFlake
+, nodeFlake
+, ...
+}:
+let
+  inherit (import ../lib.nix { }) mkSimpleTrayService;
 
   nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
   nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
   nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
 
   wayprompt = nixpkgs-wayland'.wayprompt;
-in {
+in
+{
   fonts.fontconfig.enable = true;
 
   # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@@ -29,7 +30,7 @@ in {
   systemd.user.targets.tray = {
     Unit = {
       Description = "Home Manager System Tray";
-      Requires = ["graphical-session-pre.target"];
+      Requires = [ "graphical-session-pre.target" ];
     };
   };
 
diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix
deleted file mode 100644
index a97d67d..0000000
--- a/nix/os/devices/steveej-t14/secrets.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{config, ...}: {
-  sops.secrets.radicale_htpasswd = {
-    sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
-    format = "binary";
-    owner = config.users.users.steveej.name;
-  };
-}
diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix
new file mode 100644
index 0000000..97f4fdc
--- /dev/null
+++ b/nix/os/snippets/radicale.nix
@@ -0,0 +1,101 @@
+{ config
+, lib
+, pkgs
+, repoFlake
+  # TODO: make configurable
+, homeUser ? "steveej"
+, ...
+}:
+
+let
+  radicalePkgs = repoFlake.inputs.radicale-nixpkgs.legacyPackages.${pkgs.system};
+
+  libdecsync = pkgs.python3Packages.buildPythonPackage rec {
+    pname = "libdecsync";
+    version = "2.2.1";
+
+    src = pkgs.python3Packages.fetchPypi {
+      inherit pname version;
+      hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I=";
+    };
+
+    propagatedBuildInputs = [
+      # pkgs.libxcrypt-legacy
+    ];
+  };
+  radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
+    pname = "radicale_storage_decsync";
+    version = "2.1.0";
+
+    src = pkgs.python3Packages.fetchPypi {
+      inherit pname version;
+      hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg=";
+    };
+
+    buildInputs = [
+      pkgs.radicale
+      # pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt
+    ];
+
+    nativeCheckInputs = [
+      # pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt
+    ];
+
+    propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ];
+  };
+  radicale-decsync = pkgs.radicale.overrideAttrs (old: {
+    propagatedBuildInputs =
+      old.propagatedBuildInputs
+      ++ [ radicale-storage-decsync ];
+  });
+
+  mkRadicaleService =
+    { suffix
+    , port
+    ,
+    }:
+    let
+      radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
+        [server]
+        hosts = localhost:${builtins.toString port}
+
+        [auth]
+        type = htpasswd
+        htpasswd_filename = ${config.sops.secrets.radicale_htpasswd.path}
+        htpasswd_encryption = bcrypt
+
+        [storage]
+        type = radicale_storage_decsync
+        filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}
+        decsync_dir = ${config.xdg.dataHome}/decsync-${suffix}
+      '';
+    in
+    {
+      home-manager.users.${homeUser}.systemd.user.services."radicale-${suffix}" = {
+        Unit.Description = "Radicale with DecSync (${suffix})";
+        Service = {
+          ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
+          Restart = "on-failure";
+        };
+        Install.WantedBy = [ "default.target" ];
+      };
+    };
+in
+{
+  sops.secrets.radicale_htpasswd = {
+    sopsFile = ../../../../secrets/desktop/radicale_htpasswd;
+    format = "binary";
+    owner = config.users.users.${homeUser}.name;
+  };
+} // (builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
+  {
+    suffix = "personal";
+    port = 5232;
+  }
+  {
+    suffix = "family";
+    port = 5233;
+  }
+])
diff --git a/secrets/steveej-t14/radicale_htpasswd b/secrets/desktop/radicale_htpasswd
similarity index 100%
rename from secrets/steveej-t14/radicale_htpasswd
rename to secrets/desktop/radicale_htpasswd