{
config,
lib,
pkgs,
...
}: let
# TCP port the Outline service listens on. It is assigned to
# services.outline.port in this file and, through that option, is also the
# second port opened in networking.firewall.allowedTCPPorts.
outlinePort = 3000;
in {
imports = [
./miniflux.nix
./vikunja.nix
];
# Inbound TCP ports opened on every interface: 80 and Outline's own listener.
# NOTE(review): both are plain HTTP while the services publish https:// URLs,
# so TLS is presumably terminated on a separate reverse proxy (Nextcloud's
# trusted_proxies names 10.1.2.10). If that is the case, consider accepting
# these ports only from the proxy (for example with
# networking.firewall.interfaces.<name>.allowedTCPPorts or a source-address
# rule) so that clients on the same network cannot bypass it.
networking.firewall.allowedTCPPorts = [
  80
  config.services.outline.port
];
# Secrets decrypted by sops-nix. Every file is owned by the account of the
# one service that reads it. No `mode` is set, so the sops-nix default file
# mode applies; presumably that keeps each secret unreadable to the other
# services on this host (confirm against the sops-nix version in use).
sops.secrets = let
  # Secret owned by the user and the same-named group of one service.
  ownedBy = account: {
    owner = account;
    group = account;
  };
in {
  "outline/secretKey" = ownedBy "outline";
  "outline/utilsSecret" = ownedBy "outline";
  "outline/oidcSecret" = ownedBy "outline";
  "outline/smtpPwd" = ownedBy "outline";
  "nextcloud/adminpass" = ownedBy "nextcloud";
  "nextcloud/dbpass" = ownedBy "nextcloud";
};
# Packages placed on the system-wide PATH.
# NOTE(review): gnumake, nodejs, node-pre-gyp and python3 are build tooling,
# presumably here to compile native modules for a Nextcloud app. Confirm they
# are needed at runtime: the fewer general-purpose tools a network-facing
# host carries, the less a compromised service account has to work with.
environment.systemPackages = [
  pkgs.ffmpeg-headless
  pkgs.gnumake
  pkgs.nodePackages_latest.nodejs
  pkgs.nodePackages_latest.node-pre-gyp
  pkgs.python3
];
# Supplementary groups for the account that runs Nextcloud.
# NOTE(review): "render" presumably grants access to the GPU render nodes for
# hardware transcoding and "users" to group-readable files of regular
# accounts; confirm both are required, since each one widens what the
# web-facing service account can reach.
users.users.nextcloud.extraGroups = [
  "render"
  "users"
];
services = {
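# Nextcloud instance backed by the local PostgreSQL server and a Redis cache.
nextcloud = {
  enable = true;
  package = pkgs.nextcloud29;
  hostName = "cloud.liljamo.com";
  # Generate https:// links. This host only opens port 80 in its firewall, so
  # TLS is presumably terminated by the reverse proxy named in trusted_proxies.
  https = true;
  maxUploadSize = "2048M";

  caching.redis = true;
  configureRedis = true;

  config = {
    adminuser = "admin";
    # Both passwords are read from sops-managed files at runtime, which keeps
    # them out of the world-readable Nix store.
    adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
    dbtype = "pgsql";
    dbhost = "127.0.0.1:5432";
    dbname = "nextcloud";
    dbuser = "nextcloud";
    dbpassFile = config.sops.secrets."nextcloud/dbpass".path;
  };

  settings = {
    default_phone_region = "FI";
    loglevel = 2;
    log_type = "file";
    maintenance_window_start = 0; # Maintenance window from UTC 0000 to 0400.
    redis.host = "/run/redis-nextcloud/redis.sock";
    trusted_domains = ["nextcloud.rustylily.home.arpa"];
    # Only this address is trusted to supply forwarded client-address and
    # protocol headers; keep the list limited to the actual reverse proxy.
    trusted_proxies = ["10.1.2.10"];
    overwriteprotocol = "https";

    # Absolute store paths of the external programs used for video previews
    # and by the Memories app.
    preview_ffmpeg_path = "${lib.getExe pkgs.ffmpeg}";
    # Fixed: the Memories keys are flat config.php keys that contain dots.
    # Written unquoted, Nix reads `memories.exiftool` as an attribute path and
    # emits a nested `memories = { exiftool = ...; }` set instead, which is
    # not the key the app looks up. Quoting keeps each key flat.
    "memories.exiftool" = "${lib.getExe pkgs.exiftool}";
    "memories.exiftool_no_local" = true;
    "memories.ffmpeg_path" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
    "memories.ffprobe_path" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
    "memories.vod.ffmpeg" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
    "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
  };

  phpOptions = {
    "output_buffering" = "0";
    # Fixed: opcache.interned_strings_buffer is a php.ini directive, not a
    # Nextcloud config.php key, so it was moved here from `settings`, where
    # it had no effect. Megabytes of memory to use.
    "opcache.interned_strings_buffer" = "64";
  };
  phpExtraExtensions = all: [all.pdlib all.bz2];
};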
# Outline wiki: local file storage, OIDC sign-in, outgoing mail over SMTP.
outline = {
  enable = true;
  user = "outline";
  group = "outline";
  port = outlinePort;
  publicUrl = "https://docs.liljamo.com";
  enableUpdateCheck = false;
  maximumImportSize = 5120000;
  storage.storageType = "local";

  # NOTE(review): this URL carries the database password in clear text and,
  # being an ordinary Nix string, is copied into the world-readable Nix
  # store. Every other Outline credential in this block is handed over as a
  # sops file path. Consider doing the equivalent here (peer authentication
  # over the local socket, or supplying DATABASE_URL from a secret
  # environment file) and rotating the password, which currently equals the
  # user name. sslmode=disable is confined to the loopback address.
  databaseUrl = "postgres://outline:outline@127.0.0.1/outline?sslmode=disable";
  redisUrl = "redis://127.0.0.1:3079";

  # Application secrets, read from sops-managed files at runtime.
  secretKeyFile = config.sops.secrets."outline/secretKey".path;
  utilsSecretFile = config.sops.secrets."outline/utilsSecret".path;

  # Sign-in is delegated to the OIDC provider at auth.liljamo.com; all three
  # endpoints use https and the client secret comes from a sops file.
  oidcAuthentication = {
    displayName = "Liljamo Auth";
    clientId = "outline";
    clientSecretFile = config.sops.secrets."outline/oidcSecret".path;
    authUrl = "https://auth.liljamo.com/api/oidc/authorization";
    tokenUrl = "https://auth.liljamo.com/api/oidc/token";
    userinfoUrl = "https://auth.liljamo.com/api/oidc/userinfo";
    usernameClaim = "preferred_username";
    scopes = ["openid" "offline_access" "profile" "email"];
  };

  # Outgoing mail; the SMTP password is read from a sops file.
  smtp = {
    host = "smtp.migadu.com";
    port = 465;
    username = "outline@liljamo.com";
    passwordFile = config.sops.secrets."outline/smtpPwd".path;
    fromEmail = "outline@liljamo.com";
    replyEmail = "outline@liljamo.com";
  };
};
# PostgreSQL 15 serving one database per application.
postgresql = let
  # Each application gets a database and a same-named role that owns it.
  appNames = ["outline" "nextcloud"];
in {
  enable = true;
  package = pkgs.postgresql_15;
  settings.port = 5432;
  ensureDatabases = appNames;
  # NOTE(review): no passwords are assigned to these roles here, yet both
  # applications connect over TCP with a password. Those passwords are
  # presumably set out of band; confirm they are strong and recorded with
  # the other secrets.
  ensureUsers =
    map (name: {
      inherit name;
      ensureDBOwnership = true;
    })
    appNames;
};
# One Redis instance per application, each listening on the loopback address.
# NOTE(review): neither instance sets requirePass/requirePassFile, so any
# local process can connect to these ports. The Nextcloud settings in this
# file point at the unix socket /run/redis-nextcloud/redis.sock, so the TCP
# listener on 3179 looks unused; confirm, then drop it or add a password.
redis.servers = let
  # Enabled instance bound to 127.0.0.1 on the given TCP port.
  loopbackOn = port: {
    enable = true;
    bind = "127.0.0.1";
    inherit port;
  };
in {
  outline = loopbackOn 3079;
  nextcloud = loopbackOn 3179;
};
};
systemd = {
# Starts nextcloud-update-files.service two minutes after boot and then
# fifteen minutes after each previous activation of that unit.
timers.nextcloud-update-files = {
  wantedBy = ["timers.target"];
  timerConfig = {
    Unit = "nextcloud-update-files.service";
    OnBootSec = "2m";
    OnUnitActiveSec = "15m";
  };
};
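services = {
  nextcloud-cron.path = [pkgs.perl];

  # File rescan and preview pre-generation, run as the nextcloud account and
  # started by the timer of the same name.
  nextcloud-update-files = {
    # Tied to the database and PHP-FPM units: ordered after them, and
    # stopped when either of them stops.
    bindsTo = ["postgresql.service" "phpfpm-nextcloud.service"];
    after = ["postgresql.service" "phpfpm-nextcloud.service"];
    serviceConfig.User = "nextcloud";
    # Fixed: the first entry was the quoted string "config.services.nextcloud"
    # rather than a package, which puts a relative, non-existent directory on
    # the unit's PATH. Reference the occ wrapper package instead.
    path = [config.services.nextcloud.occ pkgs.perl];
    script = ''
      ${config.services.nextcloud.occ}/bin/nextcloud-occ files:scan -q --all
      ${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate
    '';
  };

  # One-shot that sets the dav app's system_addressbook_exposed value to "no".
  # NOTE(review): the unit has an ordering dependency but no wantedBy or
  # requiredBy in this file, so nothing here appears to start it; confirm it
  # is actually run, otherwise the setting is never applied.
  nextcloud-occ-settings = {
    after = ["nextcloud-setup.service"];
    serviceConfig = {
      Type = "oneshot";
      User = "nextcloud";
    };
    script = ''
      ${config.services.nextcloud.occ}/bin/nextcloud-occ config:app:set dav system_addressbook_exposed --value="no"
    '';
  };
};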
};
# NixOS release whose defaults for stateful data this machine was installed
# with. It is not the running NixOS version; leave it at the installed value
# across upgrades unless the release notes for a migration say otherwise.
system.stateVersion = "24.05";
}