# Nextcloud on the "tharos" machine.
#
# Request path: Caddy (public vhost) -> nginx on loopback only -> Nextcloud.
# The `vm` attribute is the test-VM variant: plain http on a forwarded
# localhost port, with throw-away stand-in secret files.
{ self, ... }:
{
  flake.machines.tharos = {
    nixos = { config, lib, ... }:
      let
        cloudHost = config.services.nextcloud.hostName;
        cloudApps = config.services.nextcloud.package.packages.apps;
        # The one loopback listener nginx is given further down. Caddy proxies
        # to it, so this is the address Nextcloud sees its proxy connect from.
        backend = lib.head config.services.nginx.virtualHosts.${cloudHost}.listen;
      in
      {
        services.nextcloud = {
          enable = true;
          hostName = "nextcloud.${self.domain}";
          database.createLocally = true;

          # Before applying this configuration for the first time, place both
          # secret files on the host by hand (they are not managed here):
          #
          #   echo $PASSWORT | ssh tharos 'sudo install -m 600 /dev/stdin /var/lib/nextcloud/initialrootpassword'
          #   cat $SECRETS | ssh tharos 'sudo install -m 600 -o nextcloud -g nextcloud /dev/stdin /var/lib/nextcloud/secrets.json'
          #
          # The files stay on the system. The one-time root password is not
          # used again after the initial install. Centralised management of
          # secrets would of course be better.
          #
          # NOTE(review): the vm variant below creates initialrootpassword as
          # nextcloud:nextcloud, whereas the install line above leaves it
          # root-owned with mode 600; the NixOS option docs require
          # adminpassFile to be readable by the nextcloud user — confirm the
          # real host's file ownership.
          config = {
            dbtype = "pgsql";
            adminpassFile = "/var/lib/nextcloud/initialrootpassword";
          };
          secretFile = "/var/lib/nextcloud/secrets.json";

          extraAppsEnable = true;
          extraApps = {
            inherit (cloudApps)
              contacts
              calendar
              tables
              spreed # video conferencing
              # cospend # basic bookkeeping
              # deck # issue tracker
              ;
          };

          settings = {
            trusted_proxies = [ backend.addr ];

            # Outgoing mail via authenticated submission (port 587).
            # mail_smtppassword is not set here; presumably it comes from
            # secretFile.
            mail_smtpmode = "smtp";
            mail_smtphost = "smtp.tharos-net.de";
            mail_smtpport = 587;
            mail_smtpauth = true;
            mail_smtptimeout = 30;
            mail_smtpname = "nextcloud@${self.domain}";
            mail_from_address = "nextcloud";
            mail_domain = self.domain;
            mail_smtpstreamoptions = {
              # WARNING: this is attack surface! The mail server urgently needs
              # a proper setup. With peer verification disabled, Nextcloud will
              # accept any certificate on the STARTTLS connection; since
              # mail_smtpauth is on, an on-path attacker impersonating the
              # server also obtains the SMTP credentials, not just the mail.
              ssl = {
                allow_self_signed = true;
                verify_peer = false;
                verify_peer_name = false;
              };
            };
          };
        };

        # nginx is only reachable from the local host; Caddy is the public face.
        services.nginx.virtualHosts.${cloudHost}.listen = [
          { addr = "127.0.0.1"; port = 8080; }
        ];
        services.caddy.virtualHosts.${cloudHost}.extraConfig = ''
          reverse_proxy http://${backend.addr}:${toString backend.port}
        '';
      };

    vm = { config, lib, ... }:
      let
        httpPort = 900;
        cloudHost = config.services.nextcloud.hostName;
      in
      {
        # Generated links use plain http and the host name is just "localhost";
        # the VM is reached on a forwarded port, not the real domain.
        services.nextcloud = {
          https = lib.mkForce false;
          hostName = lib.mkForce "localhost";
        };

        # Stand-in secret files so nextcloud-setup can run inside the VM:
        # an empty secrets object and "root" as the initial admin password.
        # Test data only — never reuse on the real host.
        systemd.tmpfiles.rules = [
          "f /var/lib/nextcloud/secrets.json 0600 nextcloud nextcloud - {}"
          "f /var/lib/nextcloud/initialrootpassword 0600 nextcloud nextcloud - root"
        ];

        # Serve the same reverse_proxy snippet as the real vhost on the VM port.
        services.caddy.virtualHosts."http://localhost:${toString httpPort}".extraConfig =
          config.services.caddy.virtualHosts.${cloudHost}.extraConfig;
        networking.firewall.allowedTCPPorts = [ httpPort ];

        # Login banner with the host-side URL; portOffset is presumably the
        # VM's port-forwarding offset — confirm against the virtualisation module.
        services.getty.helpLine = lib.mkBefore ''
          Nextcloud: http://localhost:${toString (config.virtualisation.portOffset + httpPort)}
        '';
      };
  };
}