{ pkgs, config, ... }:
{
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    hostName = "cloud.nekover.se";
    https = true;
    config = {
      dbtype = "pgsql";
      adminpassFile = "/secrets/nextcloud-adminpass.secret";
      defaultPhoneRegion = "DE";
    };
    database.createLocally = true;
    configureRedis = true;
    extraAppsEnable = true;
    extraApps = with config.services.nextcloud.package.packages.apps; {
      inherit bookmarks contacts calendar tasks twofactor_webauthn;
    };
    maxUploadSize = "16G";
    extraOptions = {
      mail_smtpmode = "smtp";
      mail_sendmailmode = "smtp";
      mail_smtpsecure = "ssl";
      mail_from_address = "cloud";
      mail_domain = "nekover.se";
      mail_smtpauthtype = "LOGIN";
      mail_smtpauth = 1;
      mail_smtphost = "mail.grzb.de";
      mail_smtpport = 465;
      mail_smtpname = "nextcloud";
    };
    # Only contains mail_smtppassword
    secretFile = "/secrets/nextcloud-secretfile.secret";
    phpOptions = {
      # The amount of memory for interned strings in Mbytes
      "opcache.interned_strings_buffer" = "64";
    };
  };

  services.nginx = {
    virtualHosts.${config.services.nextcloud.hostName} = {
      forceSSL = true;
      enableACME = true;
      listen = [
        { 
          addr = "localhost";
          port = 1234;
        } # workaround for enableACME check
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      extraConfig = ''
        set_real_ip_from 10.202.41.100;
        real_ip_header proxy_protocol;
      '';
    };
  };
}