# NixOS module: runs Nextcloud with a local PostgreSQL inside a declarative
# container on a private veth pair, and uploads the initial admin password
# through the deployment tool's key mechanism.
{ pkgs, ... }:

let
  # Host end of the container's private network. The same address is the only
  # proxy Nextcloud is told to trust, so both are derived from one binding.
  hostAddr = "10.0.3.1";

  # Host directory that receives the deployed secret and is bind-mounted
  # read-only into the container.
  hostSecretDir = "/nextcloud/secret";
in
{
  containers.nextcloud = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostAddr;
    localAddress = "10.0.3.2";

    # Application data and the database live on the host so they persist
    # independently of the container; the secret directory is read-only
    # inside the container.
    bindMounts = {
      "/var/lib/nextcloud" = {
        hostPath = "/nextcloud/data";
        isReadOnly = false;
      };
      "/var/lib/postgresql" = {
        hostPath = "/nextcloud/db";
        isReadOnly = false;
      };
      "/var/secret" = {
        hostPath = hostSecretDir;
        isReadOnly = true;
      };
    };

    config = { config, pkgs, ... }: {
      # NOTE(review): with the container firewall off, every service listening
      # on 10.0.3.2 is reachable from the host side of the veth. Presumably the
      # host is the only peer and does its own filtering; confirm.
      networking.firewall.enable = false;

      # Resolver is hard-coded: all DNS lookups from the container go to this
      # external address.
      environment.etc."resolv.conf".text = "nameserver 9.9.9.9";

      services.nextcloud = {
        enable = true;
        hostName = "wolke.katzen.cafe";

        # NOTE(review): pinned to one major release; confirm it still receives
        # upstream security updates before deploying.
        package = pkgs.nextcloud27;

        # https = true only declares that the instance is served over HTTPS;
        # no TLS termination is configured in this file, so it is presumably
        # done by a reverse proxy on the host. Verify against the host config.
        https = true;

        config = {
          dbtype = "pgsql";
          # A socket directory rather than a TCP address: the database is
          # reached over the local unix socket.
          dbhost = "/run/postgresql";
          adminpassFile = "/var/secret/nextcloud-admin-pass";
          # Forwarded-for headers arriving from this address are believed, so
          # the proxy there must overwrite any client-supplied values.
          trustedProxies = [ hostAddr ];
        };

        extraApps = {
          inherit (config.services.nextcloud.package.packages.apps)
            bookmarks
            calendar
            contacts;

          # Fetched from the release URL and checked against the pinned hash.
          # This app takes part in login, so update URL and hash together and
          # review the release notes when bumping it.
          user_oidc = pkgs.fetchNextcloudApp {
            url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz";
            sha256 = "sha256-s8xr25a40/ot7KDv3Vn7WBm4Pb13LzzK62ZNYufXQ2w";
          };
        };
      };

      services.postgresql = {
        enable = true;
        ensureDatabases = [ "nextcloud" ];
        ensureUsers = [
          {
            name = "nextcloud";
            ensurePermissions = {
              "DATABASE nextcloud" = "ALL PRIVILEGES";
            };
          }
        ];
      };

      system.stateVersion = "23.05";
    };
  };

  # Initial Nextcloud admin password, read from the operator's `pass` store at
  # deploy time and written to the host directory mounted at /var/secret.
  #
  # NOTE(review): mode 0604 makes the file readable by "other", i.e. by any
  # account on the host that can traverse the destination directory.
  # Presumably this was chosen so the container's nextcloud user, which has no
  # matching owner on the host, can read it. Prefer setting the key's owner to
  # the matching uid with an owner-only mode, or at least make sure the
  # destination directory is not traversable by unrelated host users.
  deployment.keys."nextcloud-admin-pass" = {
    keyCommand = [ "pass" "nextcloud/admin-password" ];
    destDir = hostSecretDir;
    permissions = "0604";
  };
}