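# NixOS module: Nextcloud served by nginx with ACME certificates, credentials
# supplied through sops-nix, and an optional fail2ban jail for failed logins.
#
# Options declared here:
#   nextcloud.enable           - turn the Nextcloud service on
#   nextcloud.domain           - virtual host / Nextcloud hostName
#   nextcloud.fail2ban.enable  - add the fail2ban jail and its filter
{
  lib,
  pkgs,
  config,
  myhost,
  ...
}:
let
  # Explicit inherits instead of a file-wide `with lib;`, so every helper used
  # below is visible here and nothing from lib can shadow a name by accident.
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkMerge
    mkOption
    types
    ;
in
{
  # Third-party module providing extra services.nextcloud options
  # (ensureUsers is used below). It is pinned to a full commit hash and a
  # content hash, so the fetched code cannot change silently; re-review the
  # upstream diff whenever either value is bumped, since an imported module
  # is evaluated with the same authority as this file.
  imports = [
    "${
      fetchTarball {
        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
        sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
      }
    }/nextcloud-extras.nix"
  ];

  options = {
    nextcloud = {
      enable = mkEnableOption "enables nextcloud";
      domain = mkOption {
        type = types.str;
        default = "files.wastring.com";
        description = "The hostname that Nextcloud is served on.";
      };
      fail2ban = {
        enable = mkEnableOption "enables fail2ban integration";
      };
    };
  };

  config = mkMerge [
    (mkIf config.nextcloud.enable {
      # TLS only: forceSSL redirects plain HTTP to HTTPS, and the certificate
      # is obtained through ACME.
      services.nginx = {
        virtualHosts.${config.nextcloud.domain} = {
          forceSSL = true;
          enableACME = true;
        };
      };

      # Passwords are decrypted at activation time by sops-nix, so no
      # credential ends up in the world-readable Nix store.
      # NOTE(review): sops-nix secrets are root-owned by default; confirm that
      # the units consuming these files can actually read them.
      sops.secrets.nextcloud-admin-password = { };
      sops.secrets.nextcloud-fw-password = { };
      sops.secrets.nextcloud-disa-password = { };
      # NOTE(review): declared but not referenced below, because dbtype is
      # "sqlite". Keep it only if a move to a server database is planned.
      sops.secrets.nextcloud-database-password = { };

      services.nextcloud = {
        enable = true;
        package = pkgs.nextcloud31;
        hostName = config.nextcloud.domain;
        https = true;
        configureRedis = true;

        config = {
          adminpassFile = config.sops.secrets.nextcloud-admin-password.path;
          # NOTE(review): Nextcloud's documentation recommends SQLite only for
          # small or test installs; consider PostgreSQL or MariaDB for an
          # instance that is reachable from the internet.
          dbtype = "sqlite";
        };

        # Accounts created declaratively; each password is read from its
        # sops secret file rather than written into the configuration.
        ensureUsers = {
          fw = {
            email = "fredrik@wastring.com";
            passwordFile = config.sops.secrets.nextcloud-fw-password.path;
          };
          disa = {
            email = "disahorner@hotmail.com";
            passwordFile = config.sops.secrets.nextcloud-disa-password.path;
          };
        };

        extraApps = {
          inherit (config.services.nextcloud.package.packages.apps)
            contacts
            calendar
            onlyoffice
            ;
        };
        extraAppsEnable = true;

        # Preview generation parses user-uploaded files on the server, so the
        # provider list is kept explicit; every entry added here widens the
        # set of file parsers exposed to uploaded content.
        settings.enabledPreviewProviders = [
          "OC\\Preview\\BMP"
          "OC\\Preview\\GIF"
          "OC\\Preview\\JPEG"
          "OC\\Preview\\Krita"
          "OC\\Preview\\MarkDown"
          "OC\\Preview\\MP3"
          "OC\\Preview\\OpenDocument"
          "OC\\Preview\\PNG"
          "OC\\Preview\\TXT"
          "OC\\Preview\\XBitmap"
          "OC\\Preview\\HEIC"
        ];
      };
    })

    (mkIf config.nextcloud.fail2ban.enable {
      services.fail2ban = {
        enable = true;
        jails = {
          nextcloud.settings = {
            # Read Nextcloud's log entries from the journal; this relies on
            # Nextcloud logging to syslog under the identifier "Nextcloud".
            backend = "systemd";
            journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
            enabled = true;
            port = 443;
            protocol = "tcp";
            filter = "nextcloud";
            # 3 failures within 12 h (findtime, seconds) => 24 h ban (bantime).
            maxretry = 3;
            bantime = 86400;
            findtime = 43200;
          };
        };
      };

      # The jail above names the filter "nextcloud", which fail2ban does not
      # ship; without a definition the jail cannot be loaded. mkDefault lets a
      # definition elsewhere in the configuration take precedence.
      # The patterns follow the failed-login, failed two-factor and
      # trusted-domain messages in Nextcloud's JSON log; validate them with
      # `fail2ban-regex` against real journal entries after each major
      # Nextcloud upgrade, because a filter that no longer matches fails
      # silently (no bans are issued).
      environment.etc."fail2ban/filter.d/nextcloud.conf".text = mkDefault ''
        [Definition]
        failregex = ^.*"remoteAddr":"<HOST>".*"message":"Login failed:
                    ^.*"remoteAddr":"<HOST>".*"message":"Two-factor challenge failed:
                    ^.*"remoteAddr":"<HOST>".*"message":"Trusted domain error.
      '';
    })
  ];
}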