diff --git a/deploy/base/ingress.yaml b/deploy/base/ingress.yaml index acec07e..ba83e2c 100644 --- a/deploy/base/ingress.yaml +++ b/deploy/base/ingress.yaml @@ -84,3 +84,13 @@ spec: name: netflux-homepage port: name: http + - host: caldav.internal + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: radicale + port: + name: caldav diff --git a/deploy/base/kustomization.yaml b/deploy/base/kustomization.yaml index f077f71..19f3368 100644 --- a/deploy/base/kustomization.yaml +++ b/deploy/base/kustomization.yaml @@ -93,6 +93,9 @@ resources: - deploy-netflux-homepage.yaml - svc-netflux-homepage.yaml +- statefulset-radicale.yaml +- svc-radicale.yaml + configMapGenerator: - name: gitea-scripts files: diff --git a/deploy/base/statefulset-radicale.yaml b/deploy/base/statefulset-radicale.yaml new file mode 100644 index 0000000..d8d3261 --- /dev/null +++ b/deploy/base/statefulset-radicale.yaml 
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: radicale
+ labels:
+ app: radicale
+ component: web
+ app.kubernetes.io/name: radicale
+ app.kubernetes.io/instance: radicale
+spec:
+ serviceName: radicale
+ selector:
+ matchLabels:
+ app: radicale
+ component: web
+ template:
+ metadata:
+ labels:
+ app: radicale
+ component: web
+ app.kubernetes.io/name: radicale
+ app.kubernetes.io/instance: radicale
+ spec:
+ containers:
+ - name: radicale
+ image: tomsquest/docker-radicale
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: caldav
+ protocol: TCP
+ containerPort: 5232
+ env:
+ - name: TAKE_FILE_OWNERSHIP
+ value: "false"
+ volumeMounts:
+ - mountPath: /config/config
+ subPath: config.toml
+ name: config
+ - mountPath: /etc/radicale/users
+ subPath: users
+ name: config
+ - mountPath: /data
+ name: data
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "250m"
+ livenessProbe:
+ httpGet:
+ path: /.web/
+ port: caldav
+ scheme: HTTP
+ initialDelaySeconds: 10
+ successThreshold: 1
+ failureThreshold: 3
+ periodSeconds: 30
+ timeoutSeconds: 1
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - SETUID
+ - SETGID
+ - KILL
+ volumes:
+ - name: config
+ configMap:
+ name: radicale-config
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/deploy/base/svc-radicale.yaml b/deploy/base/svc-radicale.yaml
new file mode 100644
index 0000000..1ac1557
--- /dev/null
+++ b/deploy/base/svc-radicale.yaml
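Review bot: The container image `tomsquest/docker-radicale` carries no tag or digest, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node keeps whichever build it happened to pull first; the pod that handles the calendar credentials then runs unreviewed and possibly differing upstream code. Pin it, for example `image: tomsquest/docker-radicale:<TAG>@sha256:<DIGEST>` (placeholders; take both values from the release that was actually tested). The added `SETUID`, `SETGID` and `KILL` capabilities suggest the entrypoint starts as root and drops privileges itself; if the image can run under a fixed UID, `runAsNonRoot: true` with a `runAsUser` would let those three capabilities go, but that is an inference from the manifest rather than something the hunk shows.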
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: radicale
+ component: web
+ app.kubernetes.io/instance: radicale
+ app.kubernetes.io/name: radicale
+ name: radicale
+spec:
+ ports:
+ - name: caldav
+ port: 5232
+ protocol: TCP
+ targetPort: 5232
+ selector:
+ app: radicale
+ component: web
+ type: ClusterIP
diff --git a/deploy/dev/kustomization.yaml b/deploy/dev/kustomization.yaml
index b877f8e..8993a16 100644
--- a/deploy/dev/kustomization.yaml
+++ b/deploy/dev/kustomization.yaml
@@ -52,6 +52,13 @@ configMapGenerator:
 options:
 labels:
 app: drone
+- name: radicale-config
+ files:
+ - config.toml=radicale-config.toml
+ - users=radicale-users
+ options:
+ labels:
+ app: radicale
 secretGenerator:
 - name: grafana-credentials
 literals:
diff --git a/deploy/dev/radicale-config.toml b/deploy/dev/radicale-config.toml
new file mode 100644
index 0000000..c250638
--- /dev/null
+++ b/deploy/dev/radicale-config.toml
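Review bot: The `users` htpasswd file is generated into the `radicale-config` ConfigMap, so the password hashes are readable by anything allowed to read ConfigMaps in the namespace and get none of the handling the cluster reserves for Secrets (tighter RBAC, encryption at rest where it is enabled). Moving `users` into a `secretGenerator` entry and mounting it through a `secret:` volume in `statefulset-radicale.yaml` would leave `config.toml` in the ConfigMap and put the credentials in a Secret. The same generator entry is added in the `deploy/prod/kustomization.yaml` hunk, where the input files already live under `secrets/` but still end up in a ConfigMap.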
@@ -0,0 +1,122 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# For example: 0.0.0.0:9999, [::]:9999
+#hosts = localhost:5232
+hosts = 0.0.0.0:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+type = htpasswd
+
+# Htpasswd filename
+htpasswd_filename = /etc/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5
+# bcrypt requires the installation of radicale[bcrypt].
+htpasswd_encryption = bcrypt
+
+# Incorrect authentication delay (seconds)
+delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+
+[rights]
+
+# Rights backend
+# Value: none | authenticated | owner_only | owner_write | from_file
+type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+#filesystem_folder = /var/lib/radicale/collections
+filesystem_folder = /data/collections
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Command that is run after changes to storage
+# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+#hook =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+#type = internal
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+level = info
+
+# Don't include passwords in logs
+mask_passwords = True
+
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
diff --git a/deploy/dev/radicale-users b/deploy/dev/radicale-users
new file mode 100644
index 0000000..30cd770
--- /dev/null
+++ b/deploy/dev/radicale-users
@@ -0,0 +1 @@
+rob:$2y$05$6ITQM3WPMDZL.vAi/L0whOXI2NxHwU6fq7PJUuQorP7oGoxWqGik2
diff --git a/deploy/prod/ingress.yaml b/deploy/prod/ingress.yaml
index 7d26481..37ce4da 100644
--- a/deploy/prod/ingress.yaml
+++ b/deploy/prod/ingress.yaml
@@ -16,6 +16,7 @@
 - drone.netflux.io
 - synapse.netflux.io
 - netflux.io
+ - caldav.netflux.io
 secretName: prod-ingress-tls
 - op: replace
 path: /spec/rules/0/host
@@ -38,3 +39,6 @@
 - op: replace
 path: /spec/rules/6/host
 value: netflux.io
+- op: replace
+ path: /spec/rules/7/host
+ value: caldav.netflux.io
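Review bot: With `type = htpasswd` and `ssl` left at its commented-out default, Radicale accepts HTTP Basic credentials in cleartext on `0.0.0.0:5232`, so confidentiality rests entirely on TLS terminating at the ingress and on the Service staying cluster-internal, and nothing in the file records that. A comment above `hosts`, such as `# Plain HTTP by design: TLS terminates at the ingress; never expose this port outside the cluster`, would state the assumption for the next editor. The header line `# The current values are the default ones` is also no longer accurate, because hosts, the auth settings, the rights type, the storage folder and the logging options are set explicitly.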
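Review bot: The committed htpasswd entry uses bcrypt cost 5 (the `$2y$05$` prefix), well below the cost of 10 or more generally recommended, and because the hash is in the repository anyone with read access can run offline guessing against it. Regenerate it with a higher cost, for example with `htpasswd -B -C 12`, and treat the password behind it as dev-only so it is never reused for the prod `secrets/radicale-users` file.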
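Review bot: The new `replace` on `/spec/rules/7/host` identifies the Radicale rule only by its position in the base Ingress, so a rule inserted or reordered in `deploy/base/ingress.yaml` would silently attach `caldav.netflux.io` to a different backend. Preceding it with a JSON Patch `test` operation on the same path with `value: caldav.internal` would make the build fail instead of mis-routing, assuming the patch engine in use honours `test`. The earlier entries in this file follow the same positional pattern, but they lie outside this hunk.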
diff --git a/deploy/prod/kustomization.yaml b/deploy/prod/kustomization.yaml
index 030a9ce..4c91670 100644
--- a/deploy/prod/kustomization.yaml
+++ b/deploy/prod/kustomization.yaml
@@ -38,6 +38,13 @@ configMapGenerator:
 options:
 labels:
 app: drone
+- name: radicale-config
+ files:
+ - config.toml=secrets/radicale-config.toml
+ - users=secrets/radicale-users
+ options:
+ labels:
+ app: radicale
 secretGenerator:
 - name: prometheus-credentials
 files: