{
  pkgs,
  config,
  ...
}: let
  nextcloud = pkgs.nextcloud25;
  hostName = "nextcloud.${config.services.nginx.domain}";
in {
  services.nextcloud = {
    inherit hostName;

    package = nextcloud;
    enableBrokenCiphersForSSE = false;
    enable = true;
    maxUploadSize = "2G";
    https = true;

    config = {
      overwriteProtocol = "https";

      dbtype = "pgsql";
      dbhost = "/run/postgresql";

      adminuser = "tlater";
      adminpassFile = config.sops.secrets."nextcloud/tlater".path;

      defaultPhoneRegion = "AT";
    };

    extraApps = {
      inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
    };

    # TODO(tlater): Add redis config. This will be much easier
    # starting with 22.11, since this will add an `extraOptions` where
    # the necessary redis config can go.
  };

  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = ["postgresql.service"];

  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    enableACME = true;
  };

  # Block repeated failed login attempts
  environment.etc = {
    "fail2ban/filter.d/nextcloud.conf".text = ''
      [Definition]
      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
    '';
  };

  services.fail2ban.jails = {
    nextcloud = ''
      enabled = true

      # Nextcloud does some throttling already, so we need to set
      # these to something bigger.
      findtime = 43200
      bantime = 86400
    '';
  };
}