{
  pkgs,
  config,
  ...
}: let
  inherit (pkgs) fetchNextcloudApp;
  nextcloud = pkgs.nextcloud24;
  hostName = "nextcloud.${config.services.nginx.domain}";
in {
  services.nextcloud = {
    inherit hostName;

    package = nextcloud;
    enable = true;
    maxUploadSize = "2G";
    https = true;

    config = {
      overwriteProtocol = "https";

      dbtype = "pgsql";
      dbhost = "/run/postgresql";

      adminuser = "tlater";
      adminpassFile = config.sops.secrets."nextcloud/tlater".path;

      defaultPhoneRegion = "AT";
    };

    extraApps = {
      # TODO(tlater): Seems like this won't work anymore from
      # Nextcloud 25 onwards.
      #
      # Adopt whatever upstream does with this:
      # https://github.com/nextcloud/server/issues/4917
      apporder = pkgs.fetchNextcloudApp {
        name = "apporder";
        url = "https://github.com/juliushaertl/apporder/releases/download/v0.15.0/apporder.tar.gz";
        version = "0.15.0";
        sha256 = "sha256-p3VWxTYDCO2NePq6oLM8tBVqYkvoB7itqxp7IZwGDnE=";
      };

      bookmarks = pkgs.fetchNextcloudApp {
        name = "bookmarks";
        url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.4/bookmarks-11.0.4.tar.gz";
        version = "11.0.4";
        sha256 = "sha256-URqtzaCx8FEZHCDP1wSBUFNs+x50jesRtWi+xOU1oXM=";
      };

      calendar = pkgs.fetchNextcloudApp {
        name = "calendar";
        url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
        version = "3.5.0";
        sha256 = "sha256-+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
      };

      contacts = pkgs.fetchNextcloudApp {
        name = "contacts";
        url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
        version = "4.2.2";
        sha256 = "sha256-GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
      };

      cookbook = pkgs.fetchNextcloudApp {
        name = "cookbook";
        url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
        version = "0.9.15";
        sha256 = "sha256-v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
      };

      news = pkgs.fetchNextcloudApp {
        name = "news";
        url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
        version = "18.2.0";
        sha256 = "sha256-eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
      };

      notes = pkgs.fetchNextcloudApp {
        name = "notes";
        url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
        version = "4.5.1";
        sha256 = "sha256-rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
      };
    };

    # TODO(tlater): Add redis config. This will be much easier
    # starting with 22.11, since this will add an `extraOptions` where
    # the necessary redis config can go.
  };

  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = ["postgresql.service"];

  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    enableACME = true;
  };
}