{
  config,
  lib,
  pkgs,
  ...
}:
with lib;
let
  cfg = config.nixfiles.modules.nextcloud;
in
{
  options.nixfiles.modules.nextcloud = {
    enable = mkEnableOption "Nextcloud";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = with types; str;
      default = "nextcloud.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    nixfiles.modules = {
      nginx = {
        enable = true;
        virtualHosts.${cfg.domain} = { };
      };
      postgresql.enable = true;
    };

    services =
      let
        db = "nextcloud";
      in
      {
        nextcloud = mkMerge [
          {
            enable = true;
            package = pkgs.nextcloud23;

            hostName = cfg.domain;

            appstoreEnable = false;

            config = {
              adminpassFile = null; # This needs to be set as secret.

              dbtype = "pgsql";
              dbhost = "/run/postgresql";
              dbuser = db;
              dbname = db;

              defaultPhoneRegion = "RU";
            };

            extraApps =
              let
                mkNextcloudApp =
                  {
                    name,
                    version,
                    hash,
                  }:
                  pkgs.fetchNextcloudApp {
                    inherit name version hash;
                    url = "https://github.com/nextcloud/${name}/archive/refs/tags/v${version}.tar.gz";
                  };
              in
              {
                contacts = mkNextcloudApp {
                  name = "contacts";
                  version = "4.0.1";
                  sha256 = "sha256-dXKsG8KmlUojeY5dUn/XsMD3KaSh4QcZFOGDdcqlSvE=";
                };
                calendar = mkNextcloudApp {
                  name = "calendar";
                  version = "3.0.5";
                  sha256 = "sha256-aKUKm7fWJQxOWwma56Tv+GGIo+p0n30Nhoyt4XoxsjI=";
                };
                files_rightclick = mkNextcloudApp {
                  name = "files_rightclick";
                  version = "23.0.1";
                  sha256 = "sha256-VYODzkvvGrtpyRoug/8UPKhAgfCx1ltP1JdGPiB/lts=";
                };
                unsplash = mkNextcloudApp {
                  name = "unsplash";
                  version = "1.2.4";
                  sha256 = "sha256-KGSkBOrNu0nK0YvAPYaxEL/kZNoJQD1oBV2aUBxh6cI=";
                };
                previewgenerator = mkNextcloudApp {
                  name = "previewgenerator";
                  version = "3.4.1";
                  sha256 = "sha256-IUdj0xWt5zHxQoiMv1bYyYTzekuOFrsRIe530QOwC/w=";
                };
                bruteforcesettings = mkNextcloudApp {
                  name = "bruteforcesettings";
                  version = "2.3.0";
                  sha256 = "sha256-J7ujmiPaw8GI7vDfVPXEum2XAMWvahciP8C6iXgckdE=";
                };
              };
          }
          (mkIf config.nixfiles.modules.acme.enable {
            https = true;
            config.overwriteProtocol = "https";
          })
        ];

        postgresql = {
          ensureDatabases = [ db ];
          ensureUsers = [
            {
              name = db;
              ensureDBOwnership = true;
            }
          ];
        };
      };

    systemd = {
      services = {
        nextcloud-setup.after = [
          "network-online.target"
          "postgresql.service"
        ];

        nextcloud-preview-generate-cron.serviceConfig = {
          Type = "oneshot";
          User = "nextcloud";
          ExecStart = "${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate";
        };
      };

      timers.nextcloud-preview-generate = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "15m";
          OnUnitActiveSec = "15m";
          Unit = "nextcloud-preview-generate-cron.service";
        };
      };
    };
  };
}