{ pkgs, ... }: {

  # setup nextcloud in a container
  containers.nextcloud = {
    bindMounts = {
      password = {
        hostPath = toString <secrets/nextcloud/rootpassword>;
        mountPoint = toString <secrets/nextcloud/rootpassword>;
        isReadOnly = true;
      };
      home = {
        hostPath = toString "/home/nextcloud";
        mountPoint = "/var/lib/nextcloud";
        isReadOnly = false;
      };
    };

    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    autoStart = true;

    config = { config, pkgs, ... }: {

      # don't forget the database backup before doing this
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
      # use snapshots in case of a rollback
      nixpkgs.config.packageOverrides = super: {
        nextcloud = super.nextcloud.overrideAttrs (old: rec {
          name = "nextcloud-${version}";
          version = "18.0.1";
          src = super.fetchurl {
            url =
              "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
            sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
          };
        });
      };

      networking.firewall.allowedTCPPorts = [ 80 ];
      networking.firewall.allowedUDPPorts = [ 80 ];

      services.nextcloud = {
        enable = true;
        autoUpdateApps.enable = true;
        config.adminpassFile = toString <secrets/nextcloud/rootpassword>;
        nginx.enable = true;
        hostName = "nextcloud.ingolf-wagner.de";
        #logLevel = 0;
        config.overwriteProtocol = "https";
        config.extraTrustedDomains = [
          "nextcloud.ingolf-wagner.de"
          #"nextcloud.gaykraft.com"
          "192.168.100.11"
        ];
      };

      environment.systemPackages = [ pkgs.smbclient ];
    };
  };

  # give containers internet access
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  networking.nat.externalInterface = "eth0";

  # don't let networkmanager manger container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # host nginx setup
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "nextcloud.workhorse.private" = {
        serverAliases = [
          "nextcloud.ingolf-wagner.de"
          # "nextcloud.gaykraft.com"
        ];
        locations."/" = {
          proxyPass = "http://192.168.100.11";
          extraConfig = ''
            # allow big uploads
            # -----------------
            client_max_body_size 0;
          '';
        };
      };
    };
  };

}