{
  # Host-side PostgreSQL provisioning for Nextcloud: one database and one role,
  # both named "nextcloud".
  # NOTE(review): no password is configured for the role here, so access
  # presumably relies on peer authentication over the Unix socket; confirm
  # against the host's pg_hba rules.
  services.postgresql.ensureDatabases = [ "nextcloud" ];
  services.postgresql.ensureUsers = [
    {
      # The role owns the database that shares its name.
      ensureDBOwnership = true;
      name = "nextcloud";
    }
  ];

  # Nextcloud runs in a declarative NixOS container on a private network:
  # the host end is 192.168.0.1, the container end is 192.168.0.3.
  containers.nextcloud = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.0.1";
    localAddress = "192.168.0.3";

    # Expose the host's PostgreSQL socket directory inside the container so
    # Nextcloud reaches the database through the socket path set in dbhost,
    # not over TCP.
    bindMounts."/run/postgresql".hostPath = "/run/postgresql";

    config = { config, pkgs, lib, ... }: {
      # SECURITY(review): the initial admin password is the literal "admin" and
      # is written via environment.etc, so it lands in the world-readable Nix
      # store and is visible to anyone who can read this file. adminpassFile
      # is only consumed during Nextcloud's initial setup, so an instance that
      # is already installed keeps whatever was set then. Rotate the password
      # and source this file from a secret provisioned outside the store.
      environment.etc."nextcloud-admin-pass".text = "admin";

      # NOTE(review): unfree packages are allowed for the whole container;
      # presumably needed by one package in this closure. Consider narrowing
      # the allowance with allowUnfreePredicate.
      nixpkgs.config.allowUnfree = true;

      services.nextcloud = {
        enable = true;
        # Pins the major release; moving to a newer major is a manual change.
        package = pkgs.nextcloud30;
        hostName = "nextcloud.thewordnerd.info";
        maxUploadSize = "16G";
        configureRedis = true;
        webfinger = true;
        notify_push.enable = true;
        # autoUpdateApps.enable = true;
        phpOptions."opcache.interned_strings_buffer" = "23";

        # PostgreSQL over the bind-mounted Unix socket.
        config.dbtype = "pgsql";
        config.dbhost = "/run/postgresql";
        config.adminpassFile = "/etc/nextcloud-admin-pass";

        # The container only listens on plain HTTP (port 80 below), so
        # generated URLs are forced to https.
        settings.overwriteprotocol = "https";
        # Forwarded client-address headers are honoured only from the
        # host-side address of the container link.
        settings.trusted_proxies = [ "192.168.0.1" ];
        settings.default_phone_region = "US";
      };

      # NOTE(review): no jwtSecretFile is set for the document server in this
      # block. Confirm whether request signing is configured elsewhere, and
      # which proxy and TLS setup publishes this hostname.
      services.onlyoffice.enable = true;
      services.onlyoffice.hostname = "onlyoffice.thewordnerd.info";

      # DNS inside the container is handled by systemd-resolved; the host's
      # resolv.conf is not used (see networking.useHostResolvConf below).
      services.resolved.enable = true;

      # nix-ld lets unpatched dynamically linked binaries run.
      # NOTE(review): confirm which component needs it.
      programs.nix-ld.enable = true;

      # Only plain HTTP is opened in the container firewall.
      networking.firewall.allowedTCPPorts = [ 80 ];
      networking.useHostResolvConf = lib.mkForce false;

      # SECURITY(review): dockerSocket.enable exposes a Docker-compatible API
      # socket. Anyone able to connect to it can gain root inside this
      # container. Confirm which service requires it and keep membership of
      # the group that can reach the socket minimal.
      virtualisation.podman.enable = true;
      virtualisation.podman.dockerCompat = true;
      virtualisation.podman.dockerSocket.enable = true;
    };
  };

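  # Host-side Caddy virtual host that fronts the Nextcloud container and sets
  # HSTS (one year).
  # The Caddyfile has no ';' line terminator, so a trailing semicolon would be
  # sent as part of the header value; the value is written without it.
  # NOTE(review): the upstream is addressed by the bare name "nextcloud";
  # confirm that this name resolves to the container's address on the host.
  # NOTE(review): max-age alone does not cover subdomains; add
  # includeSubDomains only if every subdomain is served over HTTPS.
  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
    reverse_proxy nextcloud
    header Strict-Transport-Security max-age=31536000
  '';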
}