{ pkgs, ... }:
let
  apacheHttpd = pkgs.apacheHttpd.overrideAttrs (oldAttrs: {
    env.NIX_CFLAGS_COMPILE = "-DBIG_SECURITY_HOLE";
  });

  # https://docs.nextcloud.com/server/latest/admin_manual/installation/php_configuration.html
  php =
    (pkgs.php83.override {
      inherit apacheHttpd;
      apxs2Support = true;
    }).buildEnv
      {
        extensions =
          { all, ... }:
          with all;
          [
            ctype
            curl
            dom
            fileinfo
            filter
            gd
            mbstring
            openssl
            posix
            session
            simplexml
            xmlreader
            xmlwriter
            zip
            zlib
            pdo_pgsql
            intl
            sodium
            apcu
            imagick
            exif
            pcntl
            opcache
            gmp
            sysvsem
          ];

        extraConfig = ''
          expose_php = Off
          memory_limit = 2048M
          apc.shm_size = 128M
          opcache.jit = 1255
          opcache.jit_buffer_size = 8M
          opcache.interned_strings_buffer = 16
          upload_max_filesize = 100G
          post_max_size = 100G
          max_input_time = 3600
          max_execution_time = 3600
          output_buffering = 0
        '';
      };

  apacheHttpdConfig = pkgs.writeTextDir "/etc/httpd/httpd.conf" ''
    ServerRoot ${apacheHttpd}

    ServerName localhost
    Listen 80

    LoadModule mpm_event_module modules/mod_mpm_event.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule unixd_module modules/mod_unixd.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule env_module modules/mod_env.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule php_module ${php}/modules/libphp.so

    User root
    Group root

    PidFile /run/httpd/httpd.pid

    LogLevel warn
    ErrorLog /dev/stderr

    TypesConfig conf/mime.types
    AddType application/x-httpd-php .php .phtml

    DocumentRoot "/var/www/nextcloud"
    DirectoryIndex index.php index.html

    LimitRequestBody 0
    TimeOut 3600

    <Directory />
      Require all granted
      AllowOverride All
      Options FollowSymLinks MultiViews
    </Directory>

    <Files ".ht*">
      Require all denied
    </Files>
  '';

  occ = pkgs.writeShellApplication {
    name = "occ";
    text = ''
      exec ${pkgs.lib.meta.getExe php} /var/www/nextcloud/occ "$@"
    '';
  };

  nextcloud31 =
    let
      nextcloud31 = pkgs.nextcloud31.overrideAttrs (oldAttrs: {
        patches = oldAttrs.patches or [ ] ++ [ ./declarative-secrets.patch ];
      });
    in
    pkgs.runCommandLocal "nextcloud" { } ''
      mkdir -p $out/var/www
      cp -r ${nextcloud31} $out/var/www/nextcloud
    '';

  crontab = pkgs.writeTextDir "/var/cron/tabs/root" ''
    */5  *  *  *  * ${pkgs.lib.meta.getExe php} -f /var/www/nextcloud/cron.php
  '';

  entrypoint = pkgs.writeTextFile {
    name = "entrypoint";
    executable = true;
    destination = "/bin/entrypoint";
    text = builtins.readFile ./entrypoint.sh;
  };
in
pkgs.dockerTools.buildImage {
  name = "nextcloud";
  fromImage = pkgs.docker-image-base;

  copyToRoot = pkgs.buildEnv {
    name = "root";
    paths = with pkgs; [
      apacheHttpd
      apacheHttpdConfig
      php
      nextcloud31
      occ
      entrypoint
      crontab
      cron
      ffmpeg
    ];
    pathsToLink = [
      "/bin"
      "/etc"
      "/var"
    ];
  };

  runAsRoot = ''
    mkdir -p /run/httpd
  '';

  config = {
    Entrypoint = [ "entrypoint" ];
    Cmd = [
      "-D"
      "FOREGROUND"
      "-f"
      "/etc/httpd/httpd.conf"
    ];
    WorkingDir = "/var/lib/nextcloud";
    Volumes = {
      "/var/www/nextcloud/config" = { };
      "/var/www/nextcloud/apps" = { };
      "/var/lib/nextcloud" = { };
    };
    ExposedPorts = {
      "80/tcp" = { };
    };
  };
}