{
  pkgs,
  config,
  lib,
  sec,
  ...
}:
let
  cfg = config.machine.nextcloud;
in
with lib; mkIf cfg.enable {
  services.nextcloud = {
    inherit enable;
    appstoreEnable = false;
    autoUpdateApps.enable = false;
    config.adminpassFile = sec."nextcloud/adminPassword".path;
    hostName = cfg.host;
    package = pkgs.nextcloud33;
    https = if cfg.host == "localhost" then false else true;
    settings = {
      default_phone_region = "RU";
      log_type = "file";
      loglevel = 1;
    };
    extraAppsEnable = true;
    extraApps = with pkgs.nextcloud33Packages.apps; {
      inherit
        mail
        contacts
        collectives
        impersonate
        ;
    };
  };

  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
  };

  sops.secrets = {
    "nextcloud/adminPassword" = { };
  };
}