{ config, pkgs, ... }:
{
  age.secrets = {
    "services/nextcloud/admin-password".owner = "nextcloud";
    "services/nextcloud/s3-secret".owner = "nextcloud";
  };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud29;

    hostName = "cloud.winston.sh";
    https = true;

    phpOptions = {
      "opcache.interned_strings_buffer" = "23";
    };

    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps)
        end_to_end_encryption
        previewgenerator
        twofactor_webauthn
        ;
    };
    extraAppsEnable = true;

    config = {
      adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
      objectstore.s3 = {
        enable = true;

        # use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
        usePathStyle = true;

        hostname = "s3.winston.sh";
        useSsl = true;
        region = "eu-central-1";
        bucket = "nextcloud";
        autocreate = false;

        key = "nextcloud";
        secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
      };
    };
  };

  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "winston.sh";
  };
}