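{ pkgs, config, lib, ... }:
let
  onionHostName = "znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion";
  # The NixOS nextcloud module still defines an nginx vhost even though nginx
  # is force-disabled below; its document root is reused for Caddy.
  webRoot = config.services.nginx.virtualHosts."cloud.distrust.network".root;
in {
  age.secrets = {
    "nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
    "hidden_service/nextcloud".file = ../secrets/hidden_service/nextcloud;
  };

  # Caddy serves Nextcloud's static files directly and talks to php-fpm over
  # its unix socket, so it needs group access (see listen.owner/group below).
  users.groups.nextcloud.members = [ "nextcloud" "caddy" ];

  services = {
    nextcloud = {
      enable = true;
      hostName = "cloud.distrust.network";
      package = pkgs.nextcloud32;
      # Deliberately false: `https = true` would set overwriteprotocol=https,
      # which breaks the plain-HTTP onion vhost. On the clearnet name Caddy
      # terminates TLS and php_fastcgi passes HTTPS=on to PHP per request.
      https = false;
      configureRedis = true;
      caching.redis = true;
      database.createLocally = true;
      settings = {
        # The onion name is not the hostName, so it must be trusted explicitly.
        trusted_domains = [ onionHostName ];
        trusted_proxies = [ "127.0.0.1" ];
        maintenance_window_start = 1;
      };
      config = {
        adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
        dbtype = "pgsql";
      };
      phpOptions = {
        "opcache.interned_strings_buffer" = 64;
      };
    };

    # The nextcloud module enables nginx by default; Caddy is the web server here.
    nginx.enable = lib.mkForce false;

    # Allow Caddy to connect to the php-fpm unix socket.
    phpfpm.pools.nextcloud.settings = {
      "listen.owner" = "caddy";
      "listen.group" = "caddy";
    };
  };

  distrust.services."nextcloud" = {
    url = "https://cloud.distrust.network";
    onion = {
      url = "http://${onionHostName}";
      secretKey = config.age.secrets."hidden_service/nextcloud".path;
    };
    virtualHostConfig = ''
      # encode zstd gzip
      root * ${webRoot}

      redir /.well-known/carddav /remote.php/dav 301
      redir /.well-known/caldav /remote.php/dav 301
      redir /.well-known/* /index.php{uri} 301
      redir /remote/* /remote.php{uri} 301

      # Response headers. Note that Caddy's `header` directive only touches
      # *response* headers; X-Forwarded-*/X-Real-IP/Host belong to a
      # reverse_proxy `header_up`, and there is no reverse proxy here --
      # php_fastcgi already hands REMOTE_ADDR/HTTPS to PHP -- so they are
      # intentionally not set.
      header {
        Strict-Transport-Security max-age=31536000
        Permissions-Policy interest-cohort=()
        X-Content-Type-Options nosniff
        X-Frame-Options SAMEORIGIN
        Referrer-Policy no-referrer
        X-XSS-Protection "1; mode=block"
        X-Permitted-Cross-Domain-Policies none
        X-Robots-Tag "noindex, nofollow"
        -X-Powered-By
        # Advertises the onion mirror to Tor Browser. The name must be spelled
        # exactly "Onion-Location" (it was "Onion-Loation"), otherwise the
        # browser silently ignores it.
        Onion-Location http://${onionHostName}
      }

      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
        root ${webRoot}
        env front_controller_active true
        env modHeadersAvailable true
      }

      # Paths that must never be served by the file server (code, config,
      # data directory, dotfiles). .well-known is exempt for the redirects above.
      @forbidden {
        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
        not path /.well-known/*
      }
      error @forbidden 404

      # Cache-busted assets (?v=...) are safe to mark immutable.
      @immutable {
        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
        query v=*
      }
      header @immutable Cache-Control "max-age=15778463, immutable"

      @static {
        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
        not query v=*
      }
      header @static Cache-Control "max-age=15778463"

      @woff2 path *.woff2
      header @woff2 Cache-Control "max-age=604800"

      file_server
    '';
  };
}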