{ pkgs, ... }: {

  # setup nextcloud in a container
  containers.nextcloud = {
    bindMounts = {
      password = {
        hostPath = toString <secrets/nextcloud/rootpassword>;
        mountPoint = toString <secrets/nextcloud/rootpassword>;
        isReadOnly = true;
      };
      home = {
        hostPath = toString "/home/nextcloud";
        mountPoint = "/var/lib/nextcloud";
        isReadOnly = false;
      };
    };

    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    autoStart = true;

    config = { config, pkgs, ... }: {

      networking.firewall.allowedTCPPorts = [ 80 ];
      networking.firewall.allowedUDPPorts = [ 80 ];

      services.nextcloud = {
        enable = true;
        autoUpdateApps.enable = true;
        config.adminpassFile = toString <secrets/nextcloud/rootpassword>;
        nginx.enable = true;
        hostName = "nextcloud.workhorse.private";
        logLevel = 2;
        config.overwriteProtocol = "https";
        config.extraTrustedDomains = [
          "nextcloud.ingolf-wagner.de"
          "nextcloud.gaykraft.com"
          "192.168.100.11"
        ];
      };

      environment.systemPackages = [ pkgs.smbclient ];
    };
  };

  # give containers internet access
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  networking.nat.externalInterface = "eth0";

  # don't let networkmanager manger container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # host nginx setup
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "nextcloud.workhorse.private" = {
        serverAliases =
          [ "nextcloud.ingolf-wagner.de" "nextcloud.gaykraft.com" ];
        locations."/" = {
          proxyPass = "http://192.168.100.11";
          extraConfig = ''
            # allow big uploads
            # -----------------
            client_max_body_size 0;
          '';
        };
      };
    };
  };

}