{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  name = "opencloud";
  cfg = config.${namespace}.services.${name};
  net = lib.${namespace}.network;

  opencloudConfig = lib.${namespace}.mkModule {
    inherit config name;
    serviceName = "opencloud";
    description = "OpenCloud - Secure and private file sharing and storage";
    options = { };

    moduleConfig = {
      services.opencloud = {
        enable = true;
        url = "https://cloud.mjallen.dev";
        address = cfg.listenAddress;
        inherit (cfg) port;
        stateDir = "${cfg.configDir}/opencloud";
        environment = {
          PROXY_TLS = "false"; # disable https when behind reverse-proxy
          INITIAL_ADMIN_PASSWORD = "BogieDudie1";
          OC_DB_TYPE = "postgres";
          OC_DB_HOST = net.hosts.nas.lan;
          OC_DB_PORT = toString net.ports.nas.postgresql;
          OC_DB_USER = "opencloud";
          OC_DB_NAME = "opencloud";
          OC_INSECURE = "true";
          OC_LOG_LEVEL = "debug";
        };
      };
      # Create the secret template
      sops.templates = {
        "opencloud.env" = {
          content = ''
            OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
            OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
            OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
          '';
        };
      };
    };
  };
in
{
  imports = [ opencloudConfig ];
}