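# NixOS module: Nextcloud behind nginx with a local PostgreSQL database,
# Redis caching and an agenix-managed admin password.
#
# Options (under `vhack.nextcloud`):
#   enable        - turn the whole setup on.
#   package       - Nextcloud package to deploy (defaults to pkgs.nextcloud31).
#   hostname      - FQDN used for both Nextcloud and the nginx virtual host.
#   adminpassFile - age-encrypted file holding the initial admin password.
{
  config,
  pkgs,
  lib,
  ...
}: let
  cfg = config.vhack.nextcloud;
in {
  options.vhack.nextcloud = {
    enable = lib.mkEnableOption "a sophisticated nextcloud setup";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.nextcloud31;
      description = "The nextcloud package to use";
    };

    hostname = lib.mkOption {
      type = lib.types.str;
      description = "The nextcloud hostname (fqdn)";
    };

    # Must point at the *encrypted* age file; a `path` value can end up in
    # the world-readable Nix store, so a plaintext password must never be
    # passed here.
    adminpassFile = lib.mkOption {
      type = lib.types.path;
      description = "The age encrypted admin password file";
    };
  };

  config = lib.mkIf cfg.enable {
    vhack = {
      nginx.enable = true;
      postgresql.enable = true;
      # Presumably keeps Nextcloud's state across reboots on an ephemeral
      # root; the exact semantics live in the vhack.persist module.
      persist.directories = [
        "/var/lib/nextcloud"
      ];
    };

    age.secrets = {
      # NOTE(review): the secret name is generic; any other module that
      # declares `age.secrets.adminpassFile` would conflict with this one.
      adminpassFile = {
        file = cfg.adminpassFile;
        # Least privilege: the decrypted password only needs to be read by
        # its owner. The previous "0700" additionally granted write and
        # execute bits, which a secret file never needs.
        mode = "0400";
        owner = "nextcloud";
        group = "nextcloud";
      };
    };

    services = {
      nextcloud = {
        enable = true;
        configureRedis = true;

        config = {
          # NOTE(review): "admin" is the most commonly guessed account name;
          # the strength of the password in adminpassFile matters accordingly.
          adminuser = "admin";
          # Path of the decrypted secret at runtime, not the encrypted input.
          # Per the NixOS option documentation this password is applied only
          # during the initial Nextcloud setup, so rotating the secret later
          # does not change the admin password of an existing instance.
          adminpassFile = config.age.secrets.adminpassFile.path;
          dbname = "nextcloud";
          dbuser = "nextcloud";
          dbtype = "pgsql";
        };

        # Let the Nextcloud module create the database and role locally.
        database.createLocally = true;

        hostName = cfg.hostname;
        # Make Nextcloud generate https:// links; TLS itself is terminated by
        # the nginx virtual host below.
        https = true;
        maxUploadSize = "5G";
        package = cfg.package;

        settings = {
          default_phone_region = "DE";
        };
      };

      # Redirect plain HTTP to HTTPS and obtain the certificate via ACME.
      nginx.virtualHosts.${cfg.hostname} = {
        forceSSL = true;
        enableACME = true;
      };
    };

    # Pin the service accounts to the ids from vhack.constants instead of
    # letting them be allocated dynamically (presumably so ownership of the
    # persisted data stays stable across rebuilds).
    users = {
      users = {
        "nextcloud".uid = config.vhack.constants.ids.uids.nextcloud;
        "redis-nextcloud".uid = config.vhack.constants.ids.uids.redis-nextcloud;
      };
      groups = {
        "nextcloud".gid = config.vhack.constants.ids.gids.nextcloud;
        "redis-nextcloud".gid = config.vhack.constants.ids.gids.redis-nextcloud;
      };
    };
  };
}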