{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.meta) getExe';
  inherit (lib.modules) mkIf;

  cfg = config.modules.system.services.nextcloud;
in {
  options.modules.system.services.nextcloud.enable = lib.mkEnableOption "nextcloud";

  config = {
    systemd.user.services.nextcloud = mkIf cfg.enable {
      description = "Nextcloud client service";

      # makes the graphical session start this service when it starts
      wantedBy = ["graphical-session.target"];
      # when graphical session restarts or gets stopped, this also gets restarted/stopped.
      partOf = ["graphical-session.target"];
      # gets started only after graphical session
      after = ["graphical-session.target"];

      serviceConfig = {
        ExecStart = "${getExe' pkgs.nextcloud-client "nextcloud"} --background";
        Restart = "always";
        RestartSec = 30;

        # User = "cr";
        # Group = "cr";

        Keyringmode = "shared";
        DevicePolicy = "closed";
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectControlGroup = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        ProtectSystem = "strict";
        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
      };
    };
  };
}