radicale service: run with dedicated user

This is done in the context of #11908.

nixos/modules/misc/ids.nix

@@ -255,6 +255,7 @@
       avahi-autoipd = 231;
       nntp-proxy = 232;
       mjpg-streamer = 233;
+      radicale = 234;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -483,6 +484,7 @@
       cfdyndns = 227;
       pdnsd = 229;
       octoprint = 230;
+      radicale = 234;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/services/networking/radicale.nix

@@ -35,12 +35,27 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.pythonPackages.radicale ];
 
+    users.extraUsers = singleton
+      { name = "radicale";
+        uid = config.ids.uids.radicale;
+        description = "radicale user";
+        home = "/var/lib/radicale";
+        createHome = true;
+      };
+
+    users.extraGroups = singleton
+      { name = "radicale";
+        gid = config.ids.gids.radicale;
+      };
+
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
       after = [ "network-interfaces.target" ];
       wantedBy = [ "multi-user.target" ];
       script = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d";
       serviceConfig.Type = "forking";
+      serviceConfig.User = "radicale";
+      serviceConfig.Group = "radicale";
     };
   };
 }