{pkgs, ...}: {
  project.name = "nextcloud";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  networks.transport = {};

  services = {
    nextcloud.service = {
      image = "nextcloud:latest";
      container_name = "nextcloud";
      useHostStore = true;
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.nextcloud.entrypoints" = "websecure";
        "traefik.http.routers.nextcloud.rule" = "Host(`nextcloud.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.nextcloud.tls" = "true";
        "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/drives/hdd/docker/nextcloud/nextcloud_data:/var/www/html"
      ];
      hostname = "nextcloud.ghoscht.com";
      dns = ["1.1.1.1"];
      restart = "unless-stopped";
      networks = [
        "dmz"
        "transport"
      ];
    };
    nextcloud-db.service = {
      image = "mariadb:11.4.1-rc-jammy";
      env_file = [
        "/home/ghoscht/.docker/nextcloud/nextcloud.env"
      ];
      volumes = ["/drives/hdd/docker/nextcloud/nextcloud_db:/var/lib/mysql"];
      restart = "unless-stopped";
      command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
      networks = [
        "transport"
      ];
    };
  };
}