{
  pkgs,
  config,
  lib,
  ...
}:
{
  sops = {
    secrets = {
      "nc/adminPass" = {
        owner = "nextcloud";
        group = "nextcloud";
      };
      "nc/id" = { };
      "nc/passSalt" = { };
      "nc/secret" = { };
      "nc/smtpHost" = { };
      "nc/smtpPass" = { };
      "nc/smtpUser" = { };
    };
    templates.nc-secrets = {
      owner = "nextcloud";
      group = "nextcloud";
      content = builtins.toJSON {
        instanceid = config.sops.placeholder."nc/id";
        passwordsalt = config.sops.placeholder."nc/passSalt";
        secret = config.sops.placeholder."nc/secret";
        mail_domain = "auri.ee";
        mail_from_address = "nc";
        mail_smtpsecure = "ssl";
        mail_smtpauth = true;
        mail_smtphost = config.sops.placeholder."nc/smtpHost";
        mail_smtpname = config.sops.placeholder."nc/smtpUser";
        mail_smtppassword = config.sops.placeholder."nc/smtpPass";
        mail_smtpport = 465;
      };
    };
  };

  services.nextcloud = {
    enable = true;
    enableImagemagick = true;
    package = pkgs.nextcloud33;
    https = true;
    appstoreEnable = true;
    autoUpdateApps.enable = true;
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps)
        contacts
        calendar
        tasks
        deck
        ;
    };
    extraAppsEnable = true;
    configureRedis = true;
    hostName = "files.auri.ee";
    maxUploadSize = "10G";
    phpOptions = {
      "opcache.interned_strings_buffer" = "27";
    };
    poolSettings = {
      "pm" = "dynamic";
      "pm.max_children" = "201";
      "pm.start_servers" = "50";
      "pm.min_spare_servers" = "50";
      "pm.max_spare_servers" = "150";
    };
    caching = {
      apcu = true;
      redis = true;
    };
    database.createLocally = true;
    config = {
      adminpassFile = config.sops.secrets."nc/adminPass".path;
      adminuser = "me@auri.ee";
      dbtype = "pgsql";
    };
    settings = {
      default_phone_region = "AU";
      enable_previews = true;
      preview_max_memory = -1;
      preview_max_x = 4096;
      preview_max_y = 4096;
      preview_concurrency_new = 4;
      preview_concurrency = 8;
      enabledPreviewProviders = [
        "OC\\Preview\\Movie"
        "OC\\Preview\\PNG"
        "OC\\Preview\\JPEG"
        "OC\\Preview\\GIF"
        "OC\\Preview\\BMP"
        "OC\\Preview\\XBitmap"
        "OC\\Preview\\HEIC"
        "OC\\Preview\\MP4"
        "OC\\Preview\\TXT"
        "OC\\Preview\\MarkDown"
        "OC\\Preview\\PDF"
      ];
      maintenance_window_start = 23;
    };
    secretFile = config.sops.templates."nc-secrets".path;
  };

  forest.nginxHosts = [
    (lib.mkIf config.services.nextcloud.enable {
      "${config.services.nextcloud.hostName}" = {
        onlySSL = true;
        useACMEHost = "auri.ee";
        http2 = true;
      };
    })
  ];
}