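# NixOS module: runs the Nextcloud All-in-One (AIO) mastercontainer as an
# oci-container behind Traefik, plus the systemd units that create its named
# volume and order its start-up.
#
# Everything under `config` is applied only when both
# `sysconfig.docker.enable` and `sysconfig.docker.nextcloud.enable` are true.
{ config, lib, pkgs, ... }:

let
  # Left-most DNS label of the public host name.
  subdomain = "cloud";
  # Identifier reused for the Traefik router and service.
  name = "nextcloud";
in {
  options.sysconfig.docker.nextcloud.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Whether to run the Nextcloud AIO mastercontainer.";
  };

  config = lib.mkIf (config.sysconfig.docker.nextcloud.enable && config.sysconfig.docker.enable) {

    virtualisation.oci-containers.containers."nextcloud-aio-mastercontainer" = {
      # Pinned to a dated tag. A tag can be re-pointed upstream; pinning by
      # digest gives a stronger guarantee about what gets pulled.
      image = "ghcr.io/nextcloud-releases/all-in-one:20260122_105751";

      serviceName = "docker-nextcloud";

      # unstable, waiting for 26.05
      #pull = "newer";

      hostname = "${subdomain}.esotericbytes.com";

      networks = [
        "docker-main"
      ];

      ports = [
        "3479:3479/tcp"
        "3479:3479/udp"
      ];

      volumes = [
        "nextcloud_aio_mastercontainer:/mnt/docker-aio-config"
        # SECURITY: ":ro" only makes the bind mount itself read-only; it does
        # not limit the Docker API calls that can be sent over the socket.
        # This container can therefore control every container on the host,
        # which is equivalent to root on the host. AIO relies on this access
        # to manage its child containers, so treat the mastercontainer as
        # fully trusted and keep its image pinned and reviewed.
        "/run/docker.sock:/var/run/docker.sock:ro"
      ];

      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.${name}.entrypoints" = "localsecure";
        "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
        "traefik.http.routers.${name}.service" = "${name}";
        "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";

        "traefik.http.routers.${name}.middlewares" = "nextcloud-chain";
        "traefik.http.middlewares.https-redirect.redirectScheme.scheme" = "https";
        "traefik.http.middlewares.nextcloud-secure-headers.headers.hostsProxyHeaders" = "X-Forwarded-Host";
        "traefik.http.middlewares.nextcloud-secure-headers.headers.referrerPolicy" = "same-origin";
        # NOTE(review): the header middleware sets no Strict-Transport-Security
        # value here; confirm HSTS is configured elsewhere if it is wanted.
        "traefik.http.middlewares.nextcloud-chain.chain.middlewares" = "https-redirect,nextcloud-secure-headers";

        # NOTE(review): these labels are attached to the mastercontainer, while
        # AIO serves Nextcloud from a separate Apache container that it starts
        # itself. Confirm Traefik really reaches port 11000 through this route.
        "traefik.http.services.${name}.loadbalancer.server.port" = "11000";
      };

      environment = {
        # Fixed: these keys were spelled "APPACHE_*" (and "APPACHE_IP"), which
        # AIO does not recognise, so the settings were silently ignored and
        # Apache kept its default port instead of the 11000 Traefik targets.
        APACHE_PORT = "11000";
        # SECURITY: 0.0.0.0 publishes the plain-HTTP Apache port on every host
        # interface, where it can be reached without Traefik's TLS and
        # middlewares. Block the port at the firewall or bind to a narrower
        # address if Traefik can still reach it.
        APACHE_IP_BINDING = "0.0.0.0";
        APACHE_ADDITIONAL_NETWORK = "";
        SKIP_DOMAIN_VALIDATION = "false";
        TALK_PORT = "3479";
      };
    };

    systemd.services."docker-nextcloud" = {
      serviceConfig = {
        # Priority 90 takes precedence over definitions made at the default
        # priority elsewhere. The restart delay grows from 100ms up to 1m
        # over 9 steps.
        Restart = lib.mkOverride 90 "always";
        RestartMaxDelaySec = lib.mkOverride 90 "1m";
        RestartSec = lib.mkOverride 90 "100ms";
        RestartSteps = lib.mkOverride 90 9;
      };
      # The network and the named volume must exist before the container starts.
      after = [
        "docker-network-setup.service"
        "docker-volume-nextcloud.service"
      ];
      requires = [
        "docker-network-setup.service"
        "docker-volume-nextcloud.service"
      ];
      partOf = [
        "docker-compose-nextcloud-root.target"
      ];
      wantedBy = [
        "docker-compose-nextcloud-root.target"
      ];
    };

    # One-shot unit that creates the named volume if it does not exist yet.
    systemd.services."docker-volume-nextcloud" = {
      path = [ pkgs.docker ];
      serviceConfig = {
        Type = "oneshot";
        # Stay "active" after the script exits so dependants see it as satisfied.
        RemainAfterExit = true;
      };
      script = ''
        docker volume inspect nextcloud_aio_mastercontainer || docker volume create nextcloud_aio_mastercontainer --driver=local
      '';
      partOf = [ "docker-compose-nextcloud-root.target" ];
      wantedBy = [ "docker-compose-nextcloud-root.target" ];
    };

    # Umbrella target that groups the units above and is started at boot.
    systemd.targets."docker-compose-nextcloud-root" = {
      wantedBy = [ "multi-user.target" ];
    };
  };
}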