# NixOS host module: runs Nextcloud inside a NixOS container with its own
# PostgreSQL, publishes it through the host's Caddy as ${hostname}, and keeps
# Nextcloud's state on a host directory bind-mounted into the container.
{ config, lib, inputs, pkgs, self, ... }:
let
  # Addresses of the host/container ends of the private veth link.
  hostAddress = "10.10.42.1";
  serviceAddress = "10.10.42.2";

  hostname = "cloud.momo.koeln";
  dbUserName = "nextcloud";

  # Nextcloud's home lives on the host and is mounted read-write into the container.
  hostStateDir = "/mnt/internal/nextcloud";
  containerStateDir = "/var/lib/nextcloud";

  # Both secrets share mode and owner; only the source file under secrets/ differs.
  # NOTE(review): "700" also grants execute on a file; "400"/"600" is the usual
  # mode for a secret. agenix chowns to `nextcloud` on the *host*, so that user
  # must exist outside the container — confirm.
  secret = file: {
    file = "${self}/secrets/${file}";
    mode = "700";
    owner = "nextcloud";
  };
in
{
  age.secrets.nextcloud-db-password = secret "nextcloud-db-password.age";
  # NOTE(review): this file name has no `.age` suffix, unlike the db password —
  # check the actual name under secrets/ before treating it as a typo.
  age.secrets.nextcloud-admin-password = secret "nextcloud-admin-password";

  # TLS terminates at Caddy; the hop to the container is plain HTTP on the private veth.
  # Access logging for this vhost is discarded, so requests to Nextcloud leave no
  # trace on the host — worth knowing when investigating an incident.
  services.caddy.virtualHosts.${hostname} = {
    logFormat = lib.mkForce '' output discard '';
    extraConfig = '' reverse_proxy ${serviceAddress}:80 '';
  };

  containers.nextcloud = {
    privateNetwork = true;
    inherit hostAddress;
    localAddress = serviceAddress;
    bindMounts.${containerStateDir} = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    # Inside this function `config` is the container's configuration, not the host's.
    config = { config, ... }: {
      # Only the reverse-proxied HTTP port is opened on the container side.
      networking.firewall.allowedTCPPorts = [ 80 ];

      services.nextcloud = {
        enable = true;
        hostName = hostname;
        home = containerStateDir;
        # NOTE(review): behind a TLS-terminating proxy Nextcloud usually also needs its
        # `overwriteprotocol` / `trusted_proxies` config.php settings, otherwise it may
        # generate http:// URLs; neither is set here — confirm it is handled elsewhere.
        config = {
          dbtype = "pgsql";
          dbport = 5432;
          dbuser = dbUserName;
          # NOTE(review): these paths resolve against the *container's* `config`, while
          # the secrets are declared on the host above. Unless the container declares
          # them as well, `config.age.secrets.*` is undefined here — confirm how the
          # decrypted files reach the container (e.g. a read-only bind mount).
          dbpassFile = config.age.secrets.nextcloud-db-password.path;
          adminUser = "admin";
          adminpassFile = config.age.secrets.nextcloud-admin-password.path;
        };
      };

      services.postgresql = {
        enable = true;
        ensureDatabases = [ "nextcloud" ];
        ensureUsers = [
          {
            name = dbUserName;
            # NOTE(review): `ensurePermissions` is deprecated in recent nixpkgs releases
            # in favour of `ensureDBOwnership`; check the pinned nixpkgs before upgrading.
            ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
          }
        ];
      };
    };
  };
}