# NixOS module: Nextcloud served by nginx, fronted by Caddy (TLS termination),
# with the admin password delivered through a sops-managed secret file.
{ flake, config, pkgs, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain name;
  # `server` is referenced only by the commented-out bind mount further down.
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance) nextcloud nginx;

  # Address that Caddy proxies to; Nextcloud trusts forwarded headers from it.
  proxyAddr = wildcard.ip.address0;
  # Upstream port nginx listens on and Caddy forwards to.
  backendPort = nginx.ports.port0;
  # Public name shared by the nginx and Caddy virtual hosts.
  host = "${nextcloud.subdomain}.${domain.url1}";

  # One sops secret per entry in secretNames. Each file is owned by the
  # Nextcloud service user and readable only by it (mode 600).
  secretNames = [ "pass" ];
  mkSecret = secret: {
    name = "${nextcloud.name}-${secret}";
    value = {
      path = "${nextcloud.sops.path0}/${nextcloud.name}-${secret}";
      owner = nextcloud.name;
      mode = "600";
    };
  };
in
{
  sops.secrets = builtins.listToAttrs (map mkSecret secretNames);

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud30;
    hostName = host;
    https = true;
    configureRedis = true;
    appstoreEnable = true;
    autoUpdateApps.enable = true;
    extraAppsEnable = true;
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps) calendar news;
    };
    phpOptions."opcache.interned_strings_buffer" = "24";

    config = {
      adminuser = name;
      # The admin password comes from the sops secret declared above, so it is
      # never written into the Nix store.
      adminpassFile = config.sops.secrets."${nextcloud.name}-pass".path;
      dbtype = "pgsql";
    };
    database.createLocally = true;

    settings = {
      default_phone_region = "CA";
      log_type = "file";
      mail_smtpmode = "sendmail";
      mail_sendmailmode = "pipe";
      maintenance_window_start = 4;
      # Caddy terminates TLS, so the public scheme is https; forwarded headers
      # are trusted only from the same address Caddy's reverse_proxy targets.
      overwriteprotocol = "https";
      trusted_proxies = [ proxyAddr ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts.${host}.listen = [
      { addr = wildcard.ip.address1; port = backendPort; }
    ];
  };

  services.caddy.virtualHosts.${host}.extraConfig = ''
    reverse_proxy ${proxyAddr}:${toString backendPort}
    tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
  '';

  # fileSystems."/var/lib/${nextcloud.name}" = {
  #   device = nextcloud.paths.path0;
  #   fsType = "none";
  #   options = ["bind"];
  #   depends = [server.storage0.mount];
  # };
  # systemd.tmpfiles.rules = [
  #   "Z ${nextcloud.paths.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
  #   "Z ${nextcloud.sops.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
  # ];

  # NOTE(review): membership in the caddy, nginx and postgres groups gives the
  # Nextcloud user access to whatever those groups can read — confirm each
  # membership is actually required rather than granting all three.
  users.users.${nextcloud.name}.extraGroups = [ "caddy" "nginx" "postgres" ];

  # NOTE(review): backendPort is the Caddy->nginx upstream, yet it is also
  # opened in the firewall. If wildcard.ip.address1 is reachable from outside,
  # nginx would be reachable without the TLS Caddy provides — confirm intended.
  networking.firewall.allowedTCPPorts = [ backendPort nextcloud.ports.port0 ];
}