{
  config,
  pkgs,
  lib,
  ...
}:
{
  imports = [ ./cert-store-client.nix ];

  options.custom.nextcloud_domain = lib.mkOption {
    type = lib.types.str;
    description = "Domain used by Nextcloud";
  };

  config = {
    networking.firewall.allowedTCPPorts = [ 443 ];

    services = {
      nextcloud = {
        package = pkgs.nextcloud31;
        enable = true;
        hostName = config.custom.nextcloud_domain;
        autoUpdateApps.enable = true;
        https = true;
        maxUploadSize = "512M"; # Default
        config = {
          adminpassFile = "/var/lib/nextcloud/adminpass";
        };
        settings = {
          overwriteprotocol = "https";
          default_phone_region = "FI";
          maintenance_window_start = 1;
        };
        phpOptions = {
          "opcache.interned_strings_buffer" = 32;
        };
      };

      nginx = {
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        recommendedProxySettings = true;

        virtualHosts.${config.services.nextcloud.hostName} = {
          forceSSL = true;
          kTLS = true;
          sslCertificate = "/mnt/acme/fullchain.pem";
          sslCertificateKey = "/mnt/acme/key.pem";
        };
      };
    };
  };
}