# NixOS container definition for a single Nextcloud instance backed by a
# PostgreSQL server running inside the same container (Unix-socket connection).
# All persistent state (data, database files, secrets) lives on the host under
# /nextcloud/* and is bind-mounted into the container.
{pkgs, ...}: {
  containers."nextcloud" = {
    autoStart = true;
    # Separate network namespace: the container is reached only through the
    # host<->container veth pair addressed below.
    privateNetwork = true;
    hostAddress = "10.0.3.1";
    localAddress = "10.0.3.2";
    bindMounts = {
      "/var/lib/nextcloud" = { hostPath = "/nextcloud/data"; isReadOnly = false; };
      "/var/lib/postgresql" = { hostPath = "/nextcloud/db"; isReadOnly = false; };
      # Secret material is mounted read-only; the admin password file is
      # written into this host directory by deployment.keys further down.
      "/var/secret" = { hostPath = "/nextcloud/secret"; isReadOnly = true; };
    };
    config = { config, pkgs, ... }: {
      # NOTE(review): the container has no firewall of its own, so every
      # service it runs (Nextcloud's web server, and PostgreSQL if it listens
      # on TCP) is reachable on 10.0.3.2 from the host side. Any filtering has
      # to happen on the host — confirm the host firewall covers the veth.
      networking.firewall.enable = false;
      # Fixed upstream resolver instead of inheriting the host's resolv.conf.
      environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
      services.nextcloud = {
        enable = true;
        # https = true only makes Nextcloud generate https:// URLs; TLS is
        # presumably terminated by a reverse proxy in front of the container
        # (the host side 10.0.3.1 is listed as the trusted proxy below).
        https = true;
        config = {
          dbtype = "pgsql";
          # Local Unix-socket path of the PostgreSQL instance defined below.
          dbhost = "/run/postgresql";
          # Read once at first setup; path is inside the read-only bind mount.
          adminpassFile = "/var/secret/nextcloud-admin-pass";
          # Only the proxy on the host side of the veth may supply
          # X-Forwarded-* headers; keep this list to the actual proxy so
          # clients cannot spoof their source address.
          trustedProxies = ["10.0.3.1"];
        };
        hostName = "wolke.katzen.cafe";
        package = pkgs.nextcloud29;
        extraApps = with config.services.nextcloud.package.packages.apps; {
          inherit bookmarks calendar contacts;
          # Out-of-tree app pinned to a fixed release URL and content hash;
          # both must be updated together when bumping the version.
          user_oidc = pkgs.fetchNextcloudApp rec {
            url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v5.0.3/user_oidc-v5.0.3.tar.gz";
            sha256 = "sha256-oaN4nYIKzP7r9pB/6szZnkR+liSMARd3Nb8aM3m9WeE=";
            license = "gpl3";
          };
        };
      };
      services.postgresql = {
        enable = true;
        ensureDatabases = ["nextcloud"];
        ensureUsers = [
          {
            name = "nextcloud";
            # Older ensurePermissions form kept for reference; ensureDBOwnership
            # below grants ownership of the same-named database instead.
            # ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
            ensureDBOwnership = true;
          }
        ];
      };
      system.stateVersion = "23.05";
    };
  };
  deployment.keys = {
    "nextcloud-admin-pass" = {
      # Secret is pulled from the local password store at deploy time and
      # never stored in the Nix store.
      keyCommand = ["pass" "nextcloud/admin-password"];
      # Matches the hostPath of the read-only /var/secret bind mount above.
      destDir = "/nextcloud/secret";
      # NOTE(review): mode 0604 sets the world-read bit, so the admin password
      # is readable by every local user on the host and, through the bind
      # mount, by every user inside the container. Presumably chosen so the
      # unprivileged nextcloud user can read it; prefer giving the key an
      # owner/group that matches the reader and dropping the "other" bits
      # (e.g. 0640) if the deployment tool supports per-key user/group.
      permissions = "0604";
    };
  };
}