{ config
, lib
, pkgs
, repoFlake
  # TODO: make configurable
, homeUser ? "steveej"
, ...
}:

let
  radicalePkgs = repoFlake.inputs.radicale-nixpkgs.legacyPackages.${pkgs.system};

  libdecsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "libdecsync";
    version = "2.2.1";

    src = pkgs.python3Packages.fetchPypi {
      inherit pname version;
      hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I=";
    };

    propagatedBuildInputs = [
      # pkgs.libxcrypt-legacy
    ];
  };
  radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "radicale_storage_decsync";
    version = "2.1.0";

    src = pkgs.python3Packages.fetchPypi {
      inherit pname version;
      hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg=";
    };

    buildInputs = [
      pkgs.radicale
      # pkgs.libxcrypt-legacy
      # pkgs.libxcrypt
    ];

    nativeCheckInputs = [
      # pkgs.libxcrypt-legacy
      # pkgs.libxcrypt
    ];

    propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ];
  };
  radicale-decsync = pkgs.radicale.overrideAttrs (old: {
    propagatedBuildInputs =
      old.propagatedBuildInputs
      ++ [ radicale-storage-decsync ];
  });

  mkRadicaleService =
    { suffix
    , port
    ,
    }:
    let
      radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
        [server]
        hosts = localhost:${builtins.toString port}

        [auth]
        type = htpasswd
        htpasswd_filename = ${config.sops.secrets.radicale_htpasswd.path}
        htpasswd_encryption = bcrypt

        [storage]
        type = radicale_storage_decsync
        filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}
        decsync_dir = ${config.xdg.dataHome}/decsync-${suffix}
      '';
    in
    {
      home-manager.users.${homeUser}.systemd.user.services."radicale-${suffix}" = {
        Unit.Description = "Radicale with DecSync (${suffix})";
        Service = {
          ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
          Restart = "on-failure";
        };
        Install.WantedBy = [ "default.target" ];
      };
    };
in
{
  sops.secrets.radicale_htpasswd = {
    sopsFile = ../../../../secrets/desktop/radicale_htpasswd;
    format = "binary";
    owner = config.users.users.${homeUser}.name;
  };
} // (builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
  {
    suffix = "personal";
    port = 5232;
  }
  {
    suffix = "family";
    port = 5233;
  }
])