{ pkgs, config, ... }:
{
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    hostName = "cloud.nekover.se";
    https = true;
    config = {
      dbtype = "pgsql";
      adminpassFile = "/secrets/nextcloud-adminpass.secret";
      defaultPhoneRegion = "DE";
    };
    database.createLocally = true;
    configureRedis = true;
    extraAppsEnable = true;
    extraApps = with config.services.nextcloud.package.packages.apps; {
      inherit bookmarks contacts calendar tasks twofactor_webauthn;
    };
    maxUploadSize = "16G";
  };

  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
    listen = [
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }
    ];
  };
}