{ pkgs, ... }: {

  # setup nextcloud in a container
  containers.nextcloud = {
    bindMounts = {
      rootpassword = {
        hostPath = toString <secrets/nextcloud/root_password>;
        mountPoint = toString <secrets/nextcloud/root_password>;
        isReadOnly = true;
      };
      databasepassword = {
        hostPath = toString <secrets/nextcloud/database_password>;
        mountPoint = toString <secrets/nextcloud/database_password>;
        isReadOnly = true;
      };
      home = {
        # make sure this folder exist on the host
        hostPath = toString "/home/nextcloud";
        mountPoint = "/var/lib/nextcloud";
        isReadOnly = false;
      };
      db = {
        # make sure this folder exist on the host
        hostPath = toString "/home/nextcloud_db";
        mountPoint = "/var/lib/mysql";
        isReadOnly = false;
      };
      krops-lib = {
        mountPoint = toString <krops-lib>;
        hostPath = toString <krops-lib>;
        isReadOnly = true;
      };
      modules = {
        mountPoint = toString <modules>;
        hostPath = toString <modules>;
        isReadOnly = true;
      };
    };

    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    autoStart = true;

    config = { config, pkgs, ... }: {

      imports = [ <modules> <krops-lib> ];

      # don't forget the database backup before doing this
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
      # use snapshots in case of a rollback
      nixpkgs.config.packageOverrides = super: {
        nextcloud = super.nextcloud.overrideAttrs (old: rec {
          name = "nextcloud-${version}";
          version = "18.0.1";
          src = super.fetchurl {
            url =
              "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
            sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
          };
        });
      };

      networking.firewall.allowedTCPPorts = [ 80 ];
      networking.firewall.allowedUDPPorts = [ 80 ];

      # nextcloud database
      # ==================
      #
      # set user password:
      # -----------------
      # #> mysql
      # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
      #
      # recreate database:
      # ------------------
      # mysql> DROP DATABASE nextcloud;
      # mysql> CREATE DATABASE nextcloud;
      #
      # migration:
      # ----------
      # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
      #
      # 4-byte stuff:
      # -------------
      # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
      # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
      services.mysql = {
        enable = true;
        package = pkgs.mysql;
        ensureDatabases = [ "nextcloud" ];
        ensureUsers = [{
          name = "nextcloud";
          ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
        }];
        extraOptions = ''
          innodb_large_prefix=true
          innodb_file_format=barracuda
          innodb_file_per_table=1
        '';
      };

      # nextcloud setup
      later.services.nextcloud = {
        enable = true;
        autoUpdateApps.enable = true;
        nginx.enable = true;
        hostName = "nextcloud.ingolf-wagner.de";
        #logLevel = 0;
        https = true;
        config = {
          adminpassFile = toString <secrets/nextcloud/root_password>;
          overwriteProtocol = "https";
          trustedProxies = [ "195.201.134.247" "192.168.100.11" ];
          dbtype = "mysql";
          dbpassFile = toString config.krops.userKeys."nextcloud".target;
          dbport = 3306;
        };
      };

      # provide password file for database with proper rights
      krops.userKeys."nextcloud" = {
        user = "nextcloud";
        source = toString <secrets/nextcloud/database_password>;
        requiredBy = [ "nginx.service" ];
      };

      environment.systemPackages = [ pkgs.smbclient ];
    };
  };

  # give containers internet access
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  networking.nat.externalInterface = "eth0";

  # don't let networkmanager manger container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # host nginx setup
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "nextcloud.workhorse.private" = {
        serverAliases = [
          "nextcloud.ingolf-wagner.de"
          # "nextcloud.gaykraft.com"
        ];
        locations."/" = {
          proxyPass = "http://192.168.100.11";
          extraConfig = ''
            # allow big uploads
            # -----------------
            client_max_body_size 0;
          '';
        };
      };
    };
  };

}