{
  config,
  lib,
  pkgs,
  ...
}:

{
  environment.systemPackages = with pkgs; [
    (lib.mkIf config.beancloud.software.nextcloud.client nextcloud-client)
    (lib.mkIf config.beancloud.software.nextcloud.talk-desktop nextcloud-talk-desktop)
  ];

  # in production use https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes like https://github.com/Mic92/sops-nix
  environment.etc = {
    "nextcloud-admin-pass" = {
      enable = config.beancloud.software.nextcloud.server.enable;
      text = "demo123456";
      target = "nextcloud/admin.password";
    };
    "nextcloud-secrets" = {
      enable = config.beancloud.software.nextcloud.server.enable;
      text = ''
        {
          "passwordsalt": "qXILOyHFVeOhoChoUodPfxWQhEUMcomBpyeyzZfBQYWwqBtguvKQOJQQiCrUWokP",
          "secret": "WKXGlKIkvMhyTbJssZiLrcjBnWoHYkWOTgSAIIBGyaqjLuOsYTmyYXdsAIroskpk",
          "instanceid": "nc1234567890"
        }
      '';
      target = "nextcloud/secrets";
    };
  };

  # https://search.nixos.org/options?channel=25.05&show=services.nextcloud.secretFile&from=0&size=50&sort=relevance&type=packages&query=services.nextcloud.
  services = {
    nextcloud = {
      enable = config.beancloud.software.nextcloud.server.enable;
      package = pkgs.nextcloud30;
      hostName = "localhost";
      caching.redis = config.beancloud.software.nextcloud.server.enable;
      configureRedis = config.beancloud.software.nextcloud.server.enable;
      config = {
        dbtype = "mysql";
        adminpassFile = "/etc/" + config.environment.etc."nextcloud-admin-pass".target;
      };
      secretFile = "/etc/" + config.environment.etc."nextcloud-secrets".target;
      database.createLocally = true;
      autoUpdateApps.enable = true;
    };
  };
}