{
  # Host-side PostgreSQL: the "nextcloud" database and its owning role live on
  # the host; the container reaches them over the /run/postgresql socket that is
  # bind-mounted below. NOTE(review): socket peer auth presumably maps the
  # container's "nextcloud" UID onto this role -- confirm the UID/GID of the
  # nextcloud user agrees on both sides, otherwise the login fails silently.
  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensureDBOwnership = true;
      }
    ];
  };

  # Nextcloud runs in a NixOS (systemd-nspawn) container on its own veth pair:
  # 192.168.0.1 is the host end, 192.168.0.3 the container end. Only the host
  # end is ever expected to talk to Nextcloud directly (see trusted_proxies).
  containers.nextcloud = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.0.1";
    localAddress = "192.168.0.3";
    config =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        # SECURITY: this is the Nextcloud admin password, it is trivially
        # guessable, and environment.etc.*.text is rendered into the Nix store,
        # which is world-readable on the host and in the container. The NixOS
        # module presumably consumes adminpassFile only on the first install
        # (TODO confirm), so rotate the admin password immediately after setup
        # and source this file from a secrets mechanism outside the store
        # instead of a string literal committed with the configuration.
        environment.etc."nextcloud-admin-pass".text = "admin";
        # NOTE(review): nothing in this file shows which unfree package this is
        # for (Collabora image? a Nextcloud app?) -- document it or drop it.
        nixpkgs.config.allowUnfree = true;
        services = {
          nextcloud = {
            enable = true;
            hostName = "nextcloud.thewordnerd.info";
            package = pkgs.nextcloud30;
            configureRedis = true;
            maxUploadSize = "16G";
            # autoUpdateApps.enable = true;
            notify_push = {
              enable = true;
              # Per the option's documentation this points the push daemon at
              # 127.0.0.1 for the Nextcloud host name instead of the public
              # address, which would otherwise loop back through Caddy.
              bendDomainToLocalhost = true;
            };
            webfinger = true;
            settings = {
              # TLS is terminated by Caddy on the host (below); Nextcloud only
              # ever sees plain HTTP, so force generated URLs to https.
              overwriteprotocol = "https";
              # Trust X-Forwarded-* headers only from the host end of the veth.
              # Keep this list to exactly the reverse proxy: any wider and a
              # client can spoof its source address / protocol to Nextcloud.
              trusted_proxies = [
                "192.168.0.1"
              ];
              default_phone_region = "US";
              # loglevel = 0;
            };
            config = {
              dbtype = "pgsql";
              # Unix socket from the bind mount below; no TCP, no password in
              # the config (auth is by socket peer credentials, see above).
              dbhost = "/run/postgresql";
              # Path of the world-readable password file set up above.
              adminpassFile = "/etc/nextcloud-admin-pass";
            };
            # Presumably raised to clear the Nextcloud admin-page opcache
            # warning; value is in MB.
            phpOptions."opcache.interned_strings_buffer" = "23";
          };
          # The container runs its own resolver instead of inheriting the
          # host's resolv.conf (useHostResolvConf is forced off below).
          resolved.enable = true;
        };
        # Provides a dynamic loader for non-Nix binaries; NOTE(review): which
        # binary needs it is not visible here -- document it or drop it.
        programs.nix-ld.enable = true;
        networking = {
          # Only plain HTTP from the host-side proxy is admitted. Port 9980
          # (Collabora, proxied by Caddy below) is NOT opened here; NOTE(review):
          # that only works if the Docker port mapping bypasses the INPUT chain,
          # which is not shown in this file -- confirm, or open the port.
          firewall.allowedTCPPorts = [ 80 ];
          useHostResolvConf = lib.mkForce false;
        };
        # SECURITY: Docker inside the container is presumably what runs
        # Collabora (port 9980 below). Membership of the docker group is
        # root-equivalent inside the container, and since the container runs
        # with every capability (additionalCapabilities below) a compromise of
        # the PHP/Nextcloud service user becomes container root with a very
        # thin boundary to the host. Prefer running Collabora under its own
        # user/service instead of giving the web user the Docker socket.
        virtualisation.docker.enable = true;
        users.users.nextcloud.extraGroups = [ "docker" ];
        environment.systemPackages = [
          # Convenience shim so `occ ...` inside the container forwards to the
          # module's nextcloud-occ wrapper with arguments passed through verbatim.
          (pkgs.writeScriptBin "occ" ''
            #!${pkgs.bash}/bin/bash
            exec nextcloud-occ "$@"
          '')
        ];
      };
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    # SECURITY / FRAGILE: this is a quoting trick, not a capability name. The
    # string is spliced into --capability="..." so the nspawn command line ends
    # up as --capability="all" --system-call-filter="add_key keyctl bpf"
    # --capability="all". The effect is that the container keeps ALL
    # capabilities plus the listed syscalls (needed for Docker), i.e. it is no
    # longer a meaningfully unprivileged container. The rendering depends on
    # exactly how nixos-containers interpolates this option; re-check it after
    # every NixOS upgrade, and prefer the extraFlags option if it can express
    # the same thing on the NixOS version in use.
    additionalCapabilities = [
      ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    ];
    bindMounts = {
      # Host PostgreSQL socket directory, exposed at the same path inside the
      # container so dbhost above can use it.
      "/run/postgresql" = {
        hostPath = "/run/postgresql";
      };
    };
  };

  # Host-side Caddy terminates TLS for the public name and forwards plain HTTP
  # to the container's port 80; the HSTS header is added on the way out.
  # NOTE(review): this relies on the host resolving "nextcloud" to
  # 192.168.0.3 -- confirm that mapping exists (hosts entry or resolver).
  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
    reverse_proxy nextcloud
    header Strict-Transport-Security max-age=31536000;
  '';

  # Collabora (presumably the Docker container inside the nspawn container)
  # on port 9980; note no HSTS header is set for this host, unlike above.
  services.caddy.virtualHosts."collabora.thewordnerd.info".extraConfig = ''
    reverse_proxy nextcloud:9980
  '';
}