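# NixOS module: Nextcloud behind nginx/ACME, backed by PostgreSQL and Redis,
# with a fail2ban jail for failed logins and a pre/post-backup hook that
# dumps the database while the instance is in maintenance mode.
{ pkgs, config, ... }:
let
  # Update pending on rewrite of nextcloud news, though there is an
  # alpha to switch to if it becomes necessary:
  # https://github.com/nextcloud/news/issues/2610
  nextcloud = pkgs.nextcloud27;
  hostName = "nextcloud.${config.services.nginx.domain}";
in {
  services.nextcloud = {
    inherit hostName;
    package = nextcloud;
    enable = true;
    maxUploadSize = "2G";
    https = true;
    configureRedis = true;

    config = {
      dbtype = "pgsql";
      # Unix socket; avoids a network listener and password auth for the DB.
      dbhost = "/run/postgresql";
      adminuser = "tlater";
      # Read at runtime from a sops-managed file, so the password never
      # lands in the world-readable Nix store.
      adminpassFile = config.sops.secrets."nextcloud/tlater".path;
    };

    settings = {
      default_phone_region = "AT";
      # We terminate TLS in nginx; tell Nextcloud to generate https URLs.
      overwriteprotocol = "https";
    };

    phpOptions = {
      "opcache.interned_strings_buffer" = "16";
    };

    extraApps = {
      inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
    };
  };

  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];

  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    useACMEHost = "tlater.net";
    # The upstream module already adds HSTS
  };

  # Block repeated failed login attempts
  environment.etc = {
    "fail2ban/filter.d/nextcloud.conf".text = ''
      [Definition]
      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
      # <HOST> is fail2ban's address capture tag; without it the filter has no
      # failure-id group and the jail refuses to load.
      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
    '';
  };

  services.fail2ban.jails = {
    nextcloud = ''
      enabled = true
      # Nextcloud does some throttling already, so we need to set
      # these to something bigger.
      findtime = 43200
      bantime = 86400
    '';
  };

  services.backups.nextcloud = {
    user = "nextcloud";
    paths = [
      "/var/lib/nextcloud/nextcloud-db.sql"
      "/var/lib/nextcloud/data/"
      "/var/lib/nextcloud/config/config.php"
    ];
    preparation = {
      packages = [ config.services.postgresql.package config.services.nextcloud.occ ];
      text = ''
        nextcloud-occ maintenance:mode --on
        # The dump holds password hashes and app tokens; keep it owner-only
        # rather than whatever the default umask yields.
        umask 077
        pg_dump ${config.services.nextcloud.config.dbname} --file=/var/lib/nextcloud/nextcloud-db.sql
      '';
    };
    cleanup = {
      packages = [ pkgs.coreutils config.services.nextcloud.occ ];
      # Leave maintenance mode first and use rm -f, so a dump that was never
      # written (pg_dump failed) cannot leave the instance stuck offline.
      text = ''
        nextcloud-occ maintenance:mode --off
        rm -f /var/lib/nextcloud/nextcloud-db.sql
      '';
    };
  };
}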