# NixOS module: Nextcloud 31 backed by a locally created PostgreSQL database and
# Redis, the whiteboard backend, and a Collabora Online (coolwsd) instance that
# listens on loopback only and is registered with the richdocuments app by a
# oneshot systemd unit.
{
  lib,
  pkgs,
  inputs,
  namespace,
  system,
  target,
  format,
  virtual,
  systems,
  config,
  ...
}:
with lib;
with lib.custom; let
  # Public names are bound once so the WOPI host allowlist, the whiteboard URL
  # and the richdocuments settings cannot drift away from the served hosts.
  nextcloudHost = "nextcloud.kylekrein.com";
  collaboraHost = "collabora.kylekrein.com";
  sopsSecrets = config.sops.secrets;
in {
  # Both decrypted secret files are owned by the nextcloud user.
  sops.secrets = {
    "services/nextcloud/dbPassword".owner = "nextcloud";
    "services/nextcloud/whiteboard".owner = "nextcloud";
  };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud31;
    hostName = nextcloudHost;
    # Makes Nextcloud generate https:// links. The TLS-terminating virtual host
    # is not defined in this file; presumably it lives elsewhere (confirm).
    https = true;

    database.createLocally = true;
    configureRedis = true;
    config = {
      dbtype = "pgsql";
      # NOTE(review): the secret is named "dbPassword" but is wired to
      # adminpassFile, i.e. it is used as the Nextcloud admin password.
      # Confirm the name matches the intended use before rotating it.
      adminpassFile = sopsSecrets."services/nextcloud/dbPassword".path;
    };

    # Apps taken from the set packaged with the selected Nextcloud package:
    # https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/servers/nextcloud/packages/nextcloud-apps.json
    extraApps = {
      inherit
        (config.services.nextcloud.package.packages.apps)
        contacts
        calendar
        tasks
        whiteboard
        # NOTE(review): twofactor_totp is commented out here; confirm that a
        # second factor is provided some other way.
        #twofactor_totp
        spreed
        integration_paperless
        deck
        notes
        bookmarks
        richdocuments
        ;
    };
    extraAppsEnable = true;

    # With the app store enabled and auto-update on, apps installed through the
    # store are fetched and updated at runtime rather than pinned by nixpkgs
    # like the extraApps above; review which store apps are actually installed.
    appstoreEnable = true;
    autoUpdateApps.enable = true;
  };

  services.nextcloud-whiteboard-server = {
    enable = true;
    settings.NEXTCLOUD_URL = "https://${nextcloudHost}";
    # Secret file(s) handed to the whiteboard server, decrypted by sops.
    secrets = [sopsSecrets."services/nextcloud/whiteboard".path];
  };

  # https://diogotc.com/blog/collabora-nextcloud-nixos/
  services.collabora-online = {
    enable = true;
    port = 9980;
    settings = {
      # FQDN under which Collabora is served.
      server_name = collaboraHost;

      # coolwsd itself speaks plain HTTP; TLS is expected to be terminated by a
      # reverse proxy in front of it.
      ssl = {
        enable = false;
        termination = true;
      };

      # Bind to the loopback interface only and accept requests from ::1.
      net = {
        listen = "loopback";
        post_allow.host = ["::1"];
      };

      # Only documents from the Nextcloud host may be loaded over WOPI.
      storage.wopi = {
        "@allow" = true;
        host = [nextcloudHost];
      };
    };
  };

  # Oneshot unit that points the richdocuments app at the local Collabora
  # instance once Nextcloud has been set up and coolwsd is running.
  systemd.services.nextcloud-config-collabora = let
    inherit (config.services.nextcloud) occ;
    occBin = "${occ}/bin/nextcloud-occ";

    # One `config:app:set richdocuments KEY --value VALUE` command line; the
    # value is shell-escaped before it is spliced into the script.
    setRichdocuments = key: value: "${occBin} config:app:set richdocuments ${key} --value ${lib.escapeShellArg value}";

    # Nextcloud reaches Collabora over plain HTTP on loopback, matching
    # ssl.enable = false on the Collabora side.
    internalWopiUrl = "http://[::1]:${toString config.services.collabora-online.port}";
    # URL that browsers use to reach Collabora.
    publicWopiUrl = "https://${collaboraHost}";
    # Addresses from which richdocuments accepts WOPI requests.
    # NOTE(review): 192.168.178.129 is a hard-coded private address; confirm it
    # is still this host's address and that the list is as narrow as intended.
    allowedWopiClients = lib.concatStringsSep "," [
      "192.168.178.129"
      "127.0.0.1"
      "::1"
    ];
  in {
    wantedBy = ["multi-user.target"];
    after = ["nextcloud-setup.service" "coolwsd.service"];
    requires = ["coolwsd.service"];
    serviceConfig.Type = "oneshot";
    script = ''
      ${setRichdocuments "wopi_url" internalWopiUrl}
      ${setRichdocuments "public_wopi_url" publicWopiUrl}
      ${setRichdocuments "wopi_allowlist" allowedWopiClients}
      ${occBin} richdocuments:setup
    '';
  };
}