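# NixOS module: Nextcloud served at cloud.<domain>, with OIDC login, a local
# MySQL database, Redis/APCu caching and a CIFS-mounted data directory.
# Secrets come from sops-nix and are only ever referenced by path, so no
# secret value ends up in the Nix store through this file.
{ pkgs, config, ... }:
let
  domain = config.networking.domain;
in
{
  # ./ldap.nix is not shown here; its contents are outside this review.
  imports = [ ./ldap.nix ];

  # No owner is set for the SMB credentials, so sops-nix defaults apply.
  # The secret is consumed by the CIFS mount further down, not by Nextcloud.
  sops.secrets.nextcloud-smb-credentials = { };
  sops.secrets.nextcloud-adminpass.owner = "nextcloud";
  sops.secrets.nextcloud-secrets.owner = "nextcloud";

  services.nextcloud = {
    enable = true;
    hostName = "cloud.${domain}";
    https = true;
    # NOTE(review): pinned major version; confirm it still receives upstream
    # security updates and plan the next major upgrade accordingly.
    package = pkgs.nextcloud29;

    # Apps packaged in nixpkgs are taken from the package selected above, so
    # the app set always matches the Nextcloud major version in use.
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps)
        calendar
        contacts
        deck
        forms
        groupfolders
        richdocuments
        ;

      # Third-party apps: each download is pinned by hash, so a changed
      # upstream artifact fails the build instead of being installed silently.
      oidc_login = pkgs.fetchNextcloudApp {
        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.1.1/oidc_login.tar.gz";
        sha256 = "sha256-EVHDDFtz92lZviuTqr+St7agfBWok83HpfuL6DFCoTE=";
        license = "gpl3";
      };
      guests = pkgs.fetchNextcloudApp {
        url = "https://github.com/nextcloud-releases/guests/releases/download/v4.0.0/guests-v4.0.0.tar.gz";
        sha256 = "sha256-dM2BmckOGZpcFDVs2oYVDqPafyBtLFB3ZCcsnOflteM=";
        license = "gpl3";
      };
      # NOTE(review): this is a tag archive generated by the forge, not a
      # published release asset like the others. The hash still pins it;
      # confirm the archive is the artifact meant for installation.
      files_accesscontrol = pkgs.fetchNextcloudApp {
        url = "https://github.com/nextcloud/files_accesscontrol/archive/refs/tags/v1.20.1.tar.gz";
        sha256 = "sha256-3vcnXiLsmUnt3GiF8H9Mw8jOwAmIn1cqr13SBgvdm+g=";
        license = "gpl3";
      };
      appointments = pkgs.fetchNextcloudApp {
        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.1.12/build/artifacts/appstore/appointments.tar.gz";
        sha256 = "sha256-hMLimaBz5RBRzkEwpWJ9ZUrNY0oRTbPeYFCvH8hl1YE=";
        license = "gpl3";
      };
    };

    # NOTE(review): runtime app updates are not hash-pinned, unlike the
    # extraApps above. The module presumably disables the app store when
    # extraApps is set (see `appstoreEnable`), which would make this timer a
    # no-op; confirm which of the two behaviours is intended.
    autoUpdateApps.enable = true;
    extraAppsEnable = true;

    database.createLocally = true;
    caching.apcu = true;
    configureRedis = true;
    phpOptions."opcache.interned_strings_buffer" = "23";

    config = {
      # Path to the decrypted secret; the password itself is never evaluated.
      adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
      dbtype = "mysql";
    };
    secretFile = config.sops.secrets.nextcloud-secrets.path;

    settings = {
      log_type = "file";
      # Was `log_level = 0`. Nextcloud reads `loglevel`, so the old key had no
      # effect. The effective level, 2 (warnings), is now stated explicitly.
      # Level 0 is debug output, which can carry request details into the log
      # file; enable it only temporarily while troubleshooting.
      loglevel = 2;
      allow_user_to_change_display_name = false;
      maintenance_window_start = 1;
      # Password resets are handled by the identity provider, not Nextcloud.
      lost_password_link = "disabled";
      # NOTE(review): unquoted, this becomes a nested `sharing` attribute.
      # Nextcloud's key is presumably the flat "sharing.enable_share_mail";
      # confirm and quote it like the phpOptions key above.
      sharing.enable_share_mail = true;

      oidc_login_provider_url = "https://auth.${domain}";
      oidc_login_client_id = "nextcloud";
      oidc_login_button_text = "Log in with Authelia";
      # The regular login form stays reachable; users opt in to OIDC.
      oidc_login_auto_redirect = false;
      oidc_login_proxy_ldap = true;
      # Claims from the provider mapped onto Nextcloud account attributes.
      oidc_login_attributes = {
        id = "preferred_username";
        name = "name";
        mail = "email";
        groups = "groups";
        ldap_uid = "email";
      };
      oidc_login_scope = "openid profile email groups";

      default_phone_region = "AT";
    };
  };

  environment.systemPackages = [ pkgs.cifs-utils ];

  # Nextcloud's data directory lives on a remote SMB share.
  fileSystems."/var/lib/nextcloud/data" = {
    device = "//u428777.your-storagebox.de/u428777-sub2/";
    fsType = "cifs";
    options =
      let
        # NOTE(review): `user,users` permits non-root mount/unmount. The
        # systemd automount already mounts as root, so they look unnecessary.
        # If they are dropped, state nosuid,nodev,noexec explicitly, because
        # mount(8) documents `user` as implying them.
        # NOTE(review): the share is reached over a network outside this
        # host; consider requiring SMB encryption (`seal`) once server
        # support is confirmed.
        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users,file_mode=0770,dir_mode=0770";
      in
      # NOTE(review): uid/gid 992 are hard-coded and presumably belong to the
      # nextcloud account. If that account is ever allocated another id, the
      # data would be owned by a different user; verify, or pin the id.
      [ "${automount_opts},credentials=${config.sops.secrets.nextcloud-smb-credentials.path},uid=992,gid=992" ];
  };

  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
    # No webroot challenge location; presumably a DNS challenge is configured
    # elsewhere in the system configuration. Confirm against the ACME setup.
    acmeRoot = null;
  };

  # Database account is scoped to the nextcloud schema only.
  services.mysql = {
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions = {
          "nextcloud.*" = "ALL PRIVILEGES";
        };
      }
    ];
    ensureDatabases = [ "nextcloud" ];
  };

  services.mysqlBackup.databases = [ "nextcloud" ];
}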