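# Nextcloud service module: declares the host paths it needs, one podman
# container built through the project's `builder.mkContainer`, and a setup
# script that runs `occ` inside the running container.
#
# Fix: the trusted-domains env key had a trailing space
# ("NEXTCLOUD_TRUSTED_DOMAINS "), so the image entrypoint never saw it and
# Nextcloud's Host-header allow-list (trusted_domains) stayed unset.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  # Major-version tag of the upstream image; minor/patch releases float within it.
  version = "31";
  serverCfg = config.syscfg.server;

  # Host-side bind mounts, owned by uid/gid 33 (www-data inside the image).
  wwwPath = "${serverCfg.dataPath}/nextcloud/www";
  dataPath = "${serverCfg.dataPath}/nextcloud/data";

  # Public name the instance is reached under (router host and trusted domain).
  fqdn = "${containerCfg.subdomain}.${serverCfg.hostDomain}";

  # Traefik label prefixes, kept in one place so router/middleware names agree.
  routerLabel = "traefik.http.routers.${containerCfg.subdomain}";
  caldavMw = "traefik.http.middlewares.${containerCfg.subdomain}-caldav";
  stsMw = "traefik.http.middlewares.sts_headers";
in
{
  paths = [
    { path = wwwPath; owner = "33:33"; mode = "0755"; }
    # 0770 rather than 0755: Nextcloud's data-directory permission check
    # rejects a directory readable by other users (it warns and chmods it
    # to 0770 itself), so declaring 0770 keeps host state consistent with
    # what runs and keeps user files unreadable by other host accounts.
    { path = dataPath; owner = "33:33"; mode = "0770"; backup = true; }
  ];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "nextcloud:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;

      extraEnv = {
        REDIS_HOST = builder.host;
        POSTGRES_HOST = builder.host;
        POSTGRES_USER = "nextcloud_user";
        POSTGRES_DB = "nextcloud_db";
        # NOTE(review): an AUTHENTIK_* variable is not something the nextcloud
        # image reads; this looks copied from another container definition.
        # Left in place because it is inert here — confirm and drop.
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        # Was `"NEXTCLOUD_TRUSTED_DOMAINS "` (trailing space) — see header.
        NEXTCLOUD_TRUSTED_DOMAINS = fqdn;
        SMTP_HOST = serverCfg.mailServer;
        # NOTE(review): these read as placeholder names, presumably substituted
        # by the `secret = name` mechanism in mkContainer — verify they are not
        # shipped to the container literally.
        SMTP_NAME = "mail_user";
        SMTP_PASSWORD = "mail_password";
        MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
        MAIL_DOMAIN = serverCfg.mailDomain;
        # Every peer inside these ranges may set X-Forwarded-* headers that
        # Nextcloud will believe (client IP in logs, brute-force protection,
        # overwriteprotocol). Narrow to the reverse proxy's own address when
        # the network layout allows it.
        TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
      };

      extraLabels = {
        # HSTS on every response, plus the CalDAV/CardDAV discovery redirect.
        "${routerLabel}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
        "${caldavMw}.redirectregex.permanent" = "true";
        "${caldavMw}.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
        # NOTE(review): `$$` is not an escape in a Nix double-quoted string, so
        # this value leaves Nix as-is; presumably the layer mkContainer emits
        # to collapses `$$` to `$` so Traefik sees `${1}` — confirm.
        "${caldavMw}.redirectregex.replacement" = "https://$${1}/remote.php/dav";
        "${stsMw}.headers.stsSeconds" = "15552000";
        "${stsMw}.headers.stsIncludeSubdomains" = "true";
      };

      # Scratch space without exec/suid, capped so it cannot fill the host.
      extraOptions = [ "--tmpfs=/tmp:rw,noexec,nosuid,size=256m" ];

      overrides = {
        # Publish a host port only when both ends of the mapping are set.
        ports =
          if containerCfg.pubPort != null && containerCfg.port != null
          then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ]
          else [ ];
        volumes = [
          "${wwwPath}:/var/www/html"
          "${dataPath}:/var/www/html/data"
        ];
      };
    };
  };

  # Post-start hook: waits for the app to answer `occ status`, then runs the
  # repair/index maintenance and applies the instance settings.
  setup = {
    trigger = "server";
    script = pkgs.writeShellScript "setup" ''
      # Run `occ` inside the running container as www-data. A shell function
      # replaces the original unquoted $OCC string; arguments are passed
      # through unchanged.
      # NOTE(review): the container name "nextcloud-server" is hard-coded here
      # while mkContainer receives `name`; confirm the two always agree.
      occ() {
        "${pkgs.podman}/bin/podman" --events-backend=none exec -u www-data nextcloud-server php occ "$@"
      }

      echo "Waiting for Nextcloud container to start..."
      # No upper bound: the hook blocks until the container answers.
      until occ status > /dev/null 2>&1; do
        sleep 2
      done

      echo "Maintenance..."
      occ maintenance:repair --include-expensive --no-interaction
      occ db:add-missing-indices --no-interaction

      echo "Applying settings..."
      # Best-effort: fails harmlessly when the app is already installed.
      occ app:install calendar || true
      occ config:system:set phone_region --value="CH"
      occ config:app:set core backgroundjobs_mode --value="cron"

      echo "Completed Setup"
    '';
  };
}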