diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index 54c25277..ca4efd77 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -24,6 +24,7 @@ in
 ./attic.nix
 ./ytdl-sub.nix
 ./snipe-it.nix
+ ./radicale.nix
 ../../nixos-modules/networking/tailscale.nix
 ../../nixos-modules/services/docker.nix
@@ -201,7 +202,23 @@ in
 resolvers 10.88.0.1 # podman dns
 }
 uri /outpost.goauthentik.io/auth/caddy
- copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role
+ copy_headers {
+ X-Authentik-Username
+ X-Copyparty-Group
+ X-Authentik-Groups
+ X-Authentik-Entitlements
+ X-Authentik-Email
+ X-Authentik-Name
+ X-Authentik-Uid
+ X-Authentik-Jwt
+ X-Authentik-Meta-Jwks
+ X-Authentik-Meta-Outpost
+ X-Authentik-Meta-Provider
+ X-Authentik-Meta-App
+ X-Authentik-Meta-Version
+ X-Grafana-Role
+ X-Authentik-Username>X-Remote-User
+ }
 }
 reverse_proxy {args[:]} {
 transport http {
@@ -272,6 +289,10 @@ in
 handle @auth {
 import podmanRedir http://authentik-server:9000
 }
+ @radicale host radicale.hailsatan.eu
+ handle @radicale {
+ import podmanRedirWithAuth http://[::1]:5232
+ }
 @grafana host grafana.hailsatan.eu
 handle @grafana {
 import podmanRedirWithAuth http://grafana:3000
diff --git a/hosts/ds9/radicale.nix b/hosts/ds9/radicale.nix
new file mode 100644
index 00000000..c83434f9
--- /dev/null
+++ b/hosts/ds9/radicale.nix
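Review bot: In hosts/ds9/default.nix, the new `X-Authentik-Username>X-Remote-User` entry in `copy_headers` turns a proxy-set header into the only credential Radicale checks, and nothing visible in this hunk removes an `X-Remote-User` that the client sent itself. Whether a client-supplied value survives when the outpost response carries no `X-Authentik-Username` depends on how the deployed Caddy version expands `copy_headers`, so it is worth confirming that behaviour, or stripping the inbound header before the `forward_auth` step. The entry also sits in what looks like the shared `podmanRedirWithAuth` snippet, so every backend imported through it (Grafana in the third hunk, for example) will now receive `X-Remote-User` as well. I would add a comment above the entry such as `# X-Remote-User is Radicale's sole credential (auth.type = http_x_remote_user); it must only ever come from the outpost response`. The enclosing `forward_auth` block and the snippet both start outside the hunk.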
@@ -0,0 +1,43 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+{
+ services.radicale = {
+ enable = true;
+ settings = {
+ server.hosts = [ "[::1]:5232" ];
+ auth = {
+ type = "http_x_remote_user";
+ # remote_ip_source = "X-Remote-Addr";
+ };
+ storage = {
+ filesystem_folder = "/var/lib/radicale/collections";
+ };
+ };
+ rights = {
+ root = {
+ user = ".+";
+ collection = "";
+ permissions = "R";
+ };
+ principal = {
+ user = ".+";
+ collection = "{user}";
+ permissions = "RW";
+ };
+ calendars = {
+ user = ".+";
+ collection = "{user}/[^/]+";
+ permissions = "rw";
+ };
+
+ };
+ };
+ ragon.persist.extraDirectories = [
+ "/var/lib/radicale"
+ ];
+
+}
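Review bot: `auth.type = "http_x_remote_user"` means Radicale does no authentication of its own, so the `rights` rules below are enforced against whatever name arrives in `X-Remote-User`; the file should state that the `[::1]:5232` bind is the security boundary. Any local process on the host that can open that loopback port can name an arbitrary user, which is fine only as an understood trade-off. I would add above `auth`: `# No auth in Radicale itself: identity comes from X-Remote-User set by Caddy forward_auth; keep server.hosts loopback-only`. The commented-out `remote_ip_source` line should either be removed or get a short note on why it is kept, and the `pkgs`, `config` and `lib` arguments appear unused in this file.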