diff --git a/mastus/configuration.nix b/mastus/configuration.nix
index 8dfeee0..134338c 100644
--- a/mastus/configuration.nix
+++ b/mastus/configuration.nix
@@ -12,6 +12,7 @@
 ./gogs.nix
 ./letsencrypt.nix
 ./blog.nix
+ ./radicale.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/mastus/radicale.nix b/mastus/radicale.nix
new file mode 100644
index 0000000..dd9610b
--- /dev/null
+++ b/mastus/radicale.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+let
+ radicalePort = 8002;
+in
+{
+ services.radicale = {
+ enable = true;
+ config = ''
+ [server]
+ hosts = 127.0.0.1:${toString radicalePort}
+ ssl = false
+ dns_lookup = false
+
+ [storage]
+ filesystem_folder = /var/lib/radicale/storage
+
+ [auth]
+ type = IMAP
+
+ [rights]
+ type = owner_only
+ '';
+ };
+
+ security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
+
+ services.nginx.httpConfig = ''
+ server {
+ listen [::]:80;
+ listen 80;
+ server_name radicale.gebner.org;
+
+ location /.well-known/acme-challenge {
+ default_type text/plain;
+ alias /var/lib/acme/www/.well-known/acme-challenge;
+ }
+
+ location / {
+ rewrite ^(.*) https://$host$1 permanent;
+ }
+ }
+
+ server {
+ listen [::]:443;
+ listen 443;
+ server_name radicale.gebner.org;
+
+ ssl on;
+ ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+ ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+ add_header Strict-Transport-Security max-age=15768000;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_pass http://gogs;
+ client_max_body_size 30M;
+ break;
+ }
+ }
+
+ upstream radicale {
+ server 127.0.0.1:${toString radicalePort};
+ }
+ '';
+}
diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix
index bb7f4bd..df573eb 100644
--- a/mastus/vmtest.nix
+++ b/mastus/vmtest.nix
@@ -3,7 +3,7 @@ let configuration = { config, pkgs, ... }: { imports = [ ./configuration.nix ]; - users.extraUsers.gebner.password = ""; + users.extraUsers.gebner.password = "password"; users.users.root.password = ""; boot.enableContainers = true;
@@ -21,7 +21,7 @@ let ''; }; - environment.systemPackages = with pkgs; [ elinks ]; + environment.systemPackages = with pkgs; [ elinks carddav-util ]; }; nixos = import { configuration = configuration; };
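Review bot: The HTTPS vhost for radicale.gebner.org proxies to the wrong backend: its `location /` has `proxy_pass http://gogs;`, while the `upstream radicale { server 127.0.0.1:${toString radicalePort}; }` block defined a few lines below is never referenced, so requests to the CardDAV/CalDAV hostname — including the HTTP Basic credentials that the `[auth] type = IMAP` backend expects, i.e. users' mailbox passwords — would be delivered to the Gogs upstream (presumably defined in gogs.nix, not visible here). Change that line to `proxy_pass http://radicale;`. Separately, `ssl_protocols TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.1; unless a known client needs it, `ssl_protocols TLSv1.2;` is preferable. The IMAP auth section also names no IMAP host or TLS setting and so relies on the backend's defaults; if this Radicale version exposes `imap_hostname`/`imap_ssl`, setting them explicitly under `[auth]` would make the credential path auditable.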