{
  kubernetes.resources = {
    configMaps = {
      nextcloud.data = {
        POSTGRES_USER = "nextcloud";
        POSTGRES_DB = "nextcloud";
        POSTGRES_HOST = "lewis.dmz";
      };

      nextcloud-db-env.data = {
        POSTGRES_DB = "nextcloud";
        POSTGRES_USER = "nextcloud";
        POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";
        PGDATA = "/pgdata/data";
      };
    };

    secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";

    deployments = {
      nextcloud = {
        metadata.labels = {
          app = "nextcloud";
          component = "website";
        };

        spec = {
          selector.matchLabels = {
            app = "nextcloud";
            component = "website";
          };

          strategy = {
            type = "RollingUpdate";

            rollingUpdate = {
              maxSurge = 0;
              maxUnavailable = 1;
            };
          };

          template = {
            metadata.labels = {
              app = "nextcloud";
              component = "website";
            };

            spec = {
              volumes.data.persistentVolumeClaim.claimName = "nextcloud";

              containers.nextcloud = {
                image = "nextcloud:28";
                envFrom = [{ configMapRef.name = "nextcloud"; }];
                ports.web.containerPort = 80;

                env.POSTGRES_PASSWORD.valueFrom.secretKeyRef = {
                  name = "nextcloud";
                  key = "databasePassword";
                };

                volumeMounts = [{
                  name = "data";
                  mountPath = "/var/www/html";
                }];
              };

              securityContext = {
                fsGroup = 33;
                fsGroupChangePolicy = "OnRootMismatch";
              };

              affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution = [{
                weight = 1;
                preference.matchExpressions = [{
                  key = "storageType";
                  operator = "In";
                  values = [ "fast" ];
                }];
              }];
            };
          };
        };
      };

      nextcloud-db = {
        metadata.labels = {
          app = "nextcloud";
          component = "database";
        };

        spec = {
          selector.matchLabels = {
            app = "nextcloud";
            component = "database";
          };

          template = {
            metadata.labels = {
              app = "nextcloud";
              component = "database";
            };

            spec = {
              containers.postgres = {
                image = "postgres:15";
                imagePullPolicy = "IfNotPresent";
                ports.postgres.containerPort = 5432;
                envFrom = [{ configMapRef.name = "nextcloud-db-env"; }];

                volumeMounts = [{
                  name = "data";
                  mountPath = "/pgdata";
                }];
              };

              volumes.data.persistentVolumeClaim.claimName = "nextcloud-db";
            };
          };
        };
      };
    };

    services = {
      nextcloud.spec = {
        selector = {
          app = "nextcloud";
          component = "website";
        };

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      nextcloud-db.spec = {
        selector = {
          app = "nextcloud";
          component = "database";
        };

        ports.postgres = {
          port = 5432;
          targetPort = "postgres";
        };
      };
    };
  };

  lab = {
    ingresses.nextcloud = {
      host = "cloud.kun.is";

      service = {
        name = "nextcloud";
        portName = "web";
      };
    };
  };
}