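# NixOS module: Nextcloud instance with its admin password supplied through
# agenix. The `#` line comments require one statement per line; with the file
# collapsed onto a single line, the first `#` comments out everything after it.
{ pkgs, config, ... }:
let
  # Host address table shared across machines; indexed below as
  # hosts.<overlay>.<ipv4|ipv6>."<name>".
  hosts = import ../../hosts.nix;
in
{
  age.secrets = {
    # The secret file is owned by the `nextcloud` user, which the Nextcloud
    # service reads it as (see adminpassFile below).
    nextcloud_admin_secret = {
      file = ../../secrets/nextcloud_admin_secret.age;
      owner = "nextcloud";
    };
    # nextcloud_bucket_secret = { file = ../../secrets/nextcloud_bucket_secret.age; owner = "nextcloud"; };
  };

  # No TLS virtual host is configured on this machine; together with
  # overwriteProtocol = "https" below, this suggests TLS is terminated on an
  # upstream reverse proxy. NOTE(review): confirm.
  # services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
  #   enableACME = true;
  #   forceSSL = true;
  # };

  services.nextcloud = {
    enable = true;
    # NOTE(review): Nextcloud 27 is an old major release; check upstream's
    # maintenance schedule and move to a release that still receives security
    # fixes (Nextcloud upgrades must go one major version at a time).
    package = pkgs.nextcloud27;
    hostName = "my-nextcloud.bertof.net";
    maxUploadSize = "24G";
    caching.apcu = true;
    datadir = "/mnt/raid/nextcloud";
    # Apps are updated automatically from the app store, so third-party app
    # code changes on this host without review. NOTE(review): accept this
    # deliberately or manage app versions declaratively.
    autoUpdateApps.enable = true;
    # Every provider listed here parses user-uploaded files to render a
    # preview; keep the list to the formats that are actually needed.
    extraOptions.enabledPreviewProviders = [
      "OC\\Preview\\BMP"
      "OC\\Preview\\GIF"
      "OC\\Preview\\JPEG"
      "OC\\Preview\\Krita"
      "OC\\Preview\\MarkDown"
      "OC\\Preview\\MP3"
      "OC\\Preview\\OpenDocument"
      "OC\\Preview\\PNG"
      "OC\\Preview\\TXT"
      "OC\\Preview\\XBitmap"
      "OC\\Preview\\HEIC" # Enable preview of HEIC/HEIF images (others are default)
    ];
    config = {
      # Forwarded-for headers are honoured only when the request comes from
      # one of these addresses, so the list should name the reverse proxy and
      # nothing else.
      # NOTE(review): Nextcloud documents trusted_proxies as IP addresses and
      # CIDR ranges; the two hostname entries are probably never matched.
      # Confirm and drop them if so.
      trustedProxies = [
        hosts.zerotier.ipv4."baldur.zto"
        hosts.zerotier.ipv6."baldur.zto"
        hosts.tailscale.ipv4."baldur.tsn"
        hosts.tailscale.ipv6."baldur.tsn"
        "baldur.zto"
        "baldur.tsn"
      ];
      extraTrustedDomains = [
        config.services.nextcloud.hostName
        "freya.zto"
      ];
      # Points at the agenix-managed secret declared above, so the admin
      # password is not written into this file.
      adminpassFile = config.age.secrets.nextcloud_admin_secret.path;
      # Generated URLs use https although this host only opens port 80.
      overwriteProtocol = "https";
      # NOTE(review): the access key id below is committed in plain text; the
      # matching secret comes from an age file. Decide whether the id should
      # live in the repository before re-enabling this.
      # objectstore.s3 = {
      #   enable = true;
      #   bucket = "nextcloud-storage";
      #   autocreate = false;
      #   key = "GK622e38479552cbbbba48fd04";
      #   secretFile = config.age.secrets.nextcloud_bucket_secret.path;
      #   hostname = "localhost";
      #   port = 3900;
      #   useSsl = false;
      #   region = "garage";
      #   usePathStyle = true;
      # };
    };
  };

  # Opens plain HTTP on every interface. NOTE(review): if only the reverse
  # proxy on the overlay networks should reach this port, scope the rule with
  # networking.firewall.interfaces."<overlay-interface>".allowedTCPPorts
  # (placeholder name; use the real interface) instead of the global list.
  networking.firewall.allowedTCPPorts = [ 80 ];
}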