{ pkgs, ... }: {

  # setup nextcloud in a container
  containers.nextcloud = {
    bindMounts = {
      password = {
        hostPath = toString <secrets/nextcloud/rootpassword>;
        mountPoint = toString <secrets/nextcloud/rootpassword>;
        isReadOnly = true;
      };
      home = {
        hostPath = toString "/home/nextcloud";
        mountPoint = "/var/lib/nextcloud";
        isReadOnly = false;
      };
    };

    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    autoStart = true;

    config = { config, pkgs, ... }: {

      networking.firewall.allowedTCPPorts = [ 80 ];
      networking.firewall.allowedUDPPorts = [ 80 ];

      services.nextcloud = {
        enable = true;
        autoUpdateApps.enable = true;
        config.adminpassFile = toString <secrets/nextcloud/rootpassword>;
        nginx.enable = true;
        hostName = "nextcloud.workhorse.private";
        logLevel = 0;
        config.extraTrustedDomains = [
          "nextcloud.ingolf-wagner.de"
          "nextcloud.gaykraft.com"
          "192.168.100.11"
        ];
      };

      environment.systemPackages = [ pkgs.smbclient ];
    };
  };

  # host nginx setup
  services.nginx = {
    enable = true;
    virtualHosts = {
      "nextcloud.workhorse.private" = {
        locations."/" = {
          proxyPass = "http://192.168.100.11";
          extraConfig = ''
            sub_filter "192.168.100.11" "nextcloud.workhorse.private";
            client_max_body_size 0;
          '';
        };
      };
    };
  };

}