{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.custom.services.nextcloud;
in
{
  options.custom.services = {
    nextcloud = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
      domain = lib.mkOption {
        type = with lib.types; nullOr str;
        default = null;
      };
      collabora = {
        enable = lib.mkOption {
          type = lib.types.bool;
          default = false;
        };
        domain = lib.mkOption {
          type = with lib.types; nullOr str;
          default = null;
        };
      };
    };
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        custom.services = {
          nginxHttpsServer.enable = true;
          certStoreClient.enable = true;
        };

        environment.persistence."/persist".directories = [
          {
            directory = config.services.nextcloud.home;
            user = "nextcloud";
            group = "nextcloud";
            mode = "u=rwx,g=rx,o=";
          }
        ];
        sops.secrets.admin-pass.sopsFile = ../../secrets/nextcloud.yaml;

        services = {
          nextcloud = {
            package = pkgs.nextcloud31;
            enable = true;
            hostName = cfg.domain;
            autoUpdateApps.enable = true;
            https = true;
            maxUploadSize = "512M"; # Default
            config = {
              dbtype = "sqlite";
              adminpassFile = config.sops.secrets.admin-pass.path;
            };
            settings = {
              overwriteprotocol = "https";
              default_phone_region = "FI";
              maintenance_window_start = 1;
            };
            phpOptions = {
              "opcache.interned_strings_buffer" = 32;
            };
          };

          nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
        };
      }
      (
        # Optional Collabora Client
        lib.mkIf cfg.collabora.enable {
          services = {
            collabora-online = {
              enable = true;
              port = 9980; # default
              settings = {
                ssl = {
                  enable = false;
                  termination = true;
                };

                net = {
                  listen = "loopback";
                  post_allow.host = [
                    "127.0.0.1"
                    "::1"
                  ];
                };

                storage.wopi = {
                  "@allow" = true;
                  host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains;
                };

                server_name = cfg.collabora.domain;
              };
            };

            nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
              locations."/" = {
                proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
                proxyWebsockets = true; # collabora uses websockets
              };
            };

            nextcloud = {
              appstoreEnable = true;
              extraAppsEnable = true;
              extraApps = with config.services.nextcloud.package.packages.apps; {
                inherit
                  richdocuments
                  ;
              };
            };
          };
        }
      )
    ]
  );
}