# NixOS module: declares a systemd-nspawn container ("nextcloud") that runs
# Nextcloud behind nginx. Secrets are provided by sops-nix on the host and
# bind-mounted read-only into the container.
{ config, ... }:
let
  # Directory bind-mounted (read-only) into the container at the same path, so
  # the *File options below resolve inside the container.
  # NOTE(review): assumes the sops `.path` values below live under this
  # directory (the sops-nix default layout) — confirm against the sops config.
  secretsDir = "/run/secrets/jallen-nas/nextcloud";

  # Change this to the desired port number. Used for both the nginx listener
  # and the container firewall; trusted_domains below repeats it as a literal.
  httpPort = 9943;

  # Paths to decrypted secret files; only the path (not the secret) is
  # evaluated into the Nix configuration.
  adminPassFile = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
  dbPassFile = config.sops.secrets."jallen-nas/nextcloud/dbpassword".path;

  # NOTE(review): this reads the template's `.content`, not its `.path`.
  # In sops-nix, `content` is the unrendered template text (with placeholders);
  # the rendered file holding the real secret is at `.path`. As written, the
  # value assigned to mail_smtppassword is therefore either a placeholder or,
  # if the template holds literal text, a secret evaluated into the
  # world-readable Nix store. Consider moving the SMTP password to a rendered
  # JSON file consumed via `services.nextcloud.secretFile` and bind-mounting
  # that file into the container.
  smtpPassword = config.sops.templates."nextcloud-smtp".content;
in
{
  containers.nextcloud = {
    autoStart = true;

    # Own network namespace, attached to the host bridge below.
    privateNetwork = true;
    # hostAddress = "127.0.0.1";
    # localAddress = "10.233.0.2";
    # hostAddress6 = "fc00::1";
    # localAddress6 = "fc00::2";
    # hostForward = [
    #   {
    #     hostPort = 9943;
    #     containerPort = 80;
    #   }
    # ];
    hostBridge = "br0";

    # Secrets are exposed read-only; the data directory is the only writable
    # host path shared with the container.
    bindMounts.secrets = {
      hostPath = secretsDir;
      isReadOnly = true;
      mountPoint = secretsDir;
    };
    bindMounts.data = {
      hostPath = "/media/nas/main/nextcloud";
      isReadOnly = false;
      mountPoint = "/data";
    };

    config =
      { pkgs, lib, ... }:
      {
        services.nextcloud = {
          enable = true;
          # NOTE(review): pinned major version — confirm it still receives
          # upstream security updates before deploying.
          package = pkgs.nextcloud29;
          datadir = "/data";
          hostName = "localhost";
          # Allows apps to be installed/updated from the Nextcloud app store at
          # runtime, i.e. code that is not pinned by this Nix configuration.
          appstoreEnable = true;
          caching.redis = true;
          configureRedis = true;

          config = {
            adminuser = "mjallen";
            adminpassFile = adminPassFile;
            # Database is reached over the network; no TLS settings for this
            # connection are visible in this file — verify on the DB side.
            dbhost = "10.0.1.18:3306";
            dbtype = "mysql";
            dbname = "jallen_nextcloud";
            dbuser = "nextcloud";
            dbpassFile = dbPassFile;
          };

          settings = {
            # Host headers Nextcloud will accept.
            trusted_domains = [
              "10.0.1.18:9980"
              "10.0.1.18:9943"
              "cloud.mjallen.dev"
            ];
            # Forwarded-for/proto headers are honoured only from this address;
            # keep the list limited to the actual reverse proxy.
            trusted_proxies = [ "10.0.1.18" ];
            maintenance_window_start = 6;
            default_phone_region = "US";

            # Outbound mail: SMTP with implicit TLS on port 465.
            mail_from_address = "matt.l.jallen";
            mail_smtpmode = "smtp";
            mail_sendmailmode = "smtp";
            mail_domain = "gmail.com";
            mail_smtpauth = 1;
            mail_smtpname = "matt.l.jallen";
            # See NOTE(review) on smtpPassword above: values under `settings`
            # are rendered into the generated Nextcloud configuration.
            mail_smtppassword = smtpPassword;
            mail_smtpsecure = "ssl";
            mail_smtphost = "smtp.gmail.com";
            mail_smtpport = 465;

            # Preview generation parses uploaded files; only the providers
            # listed here are enabled.
            # NOTE(review): each separator is four backslashes in Nix source,
            # which evaluates to two literal backslashes — confirm this matches
            # the class names Nextcloud expects.
            enable_previews = true;
            enabledPreviewProviders = [
              "OC\\\\Preview\\\\PNG"
              "OC\\\\Preview\\\\JPEG"
              "OC\\\\Preview\\\\GIF"
              "OC\\\\Preview\\\\BMP"
              "OC\\\\Preview\\\\XBitmap"
              "OC\\\\Preview\\\\MP3"
              "OC\\\\Preview\\\\TXT"
              "OC\\\\Preview\\\\MarkDown"
              "OC\\\\Preview\\\\OpenDocument"
              "OC\\\\Preview\\\\Krita"
              "OC\\\\Preview\\\\HEIC"
            ];
          };
        };

        services.nginx = {
          enable = true;
          # NOTE(review): this virtual host name differs from
          # services.nextcloud.hostName ("localhost") and sets its own root;
          # confirm which virtual host actually serves Nextcloud on this port.
          virtualHosts."nextcloud-container.local" = {
            # Plain HTTP on all container interfaces; TLS is presumably
            # terminated by the reverse proxy listed in trusted_proxies —
            # confirm.
            listen = [
              {
                addr = "0.0.0.0";
                port = httpPort;
              }
            ];
            root = "/var/www/nextcloud";
            # You may need to adjust other options for your specific setup
          };
        };

        services.resolved.enable = true;

        system.stateVersion = "23.11";

        # Only the HTTP port is opened inbound on the container firewall.
        networking.firewall = {
          enable = true;
          allowedTCPPorts = [ httpPort ];
        };

        # Use systemd-resolved inside the container
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
        networking.useHostResolvConf = lib.mkForce false;
      };
  };
}