{ pkgs, config, ... }: {

  age.secrets = {
    nextcloud_admin_secret = { file = ../secrets/nextcloud_admin_secret.age; owner = "nextcloud"; };
    nextcloud_bucket_secret = { file = ../secrets/nextcloud_bucket_secret.age; owner = "nextcloud"; };
  };

  # services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
  #   enableACME = true;
  #   forceSSL = true;
  # };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud26;

    hostName = "my-nextcloud.bertof.net";
    maxUploadSize = "24G";
    config.trustedProxies = [ "172.23.4.159" "fd80:56c2:e21c:f9c7:5399:93be:21a9:9fa0" "fe80::3079:d8ff:feb5:7d62" ];
    config.extraTrustedDomains = [ config.services.nextcloud.hostName "freya.local" ];
    config.adminpassFile = config.age.secrets.nextcloud_admin_secret.path;
    config.overwriteProtocol = "https";
    config.objectstore.s3 = {
      enable = true;
      bucket = "nextcloud-storage";
      autocreate = false;
      key = "GK622e38479552cbbbba48fd04";
      secretFile = config.age.secrets.nextcloud_bucket_secret.path;
      hostname = "localhost";
      port = 3900;
      useSsl = false;
      region = "garage";
      usePathStyle = true;
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];
}