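# NixOS module: mounts a Nextcloud WebDAV remote at /media/nextcloud with
# `rclone mount`, running as a systemd service. The rclone configuration is
# rendered at activation time from sops-nix secrets, so no credential ends up
# in the world-readable Nix store.
{ config, lib, pkgs, ... }:
{
  sops = {
    # Three secrets, one per rclone remote field. Empty attrsets mean every
    # sops-nix default (sops file, owner, mode) applies.
    secrets = {
      "rclone-nextcloud/url" = { };
      "rclone-nextcloud/user" = { };
      "rclone-nextcloud/password" = { };
    };

    # Only placeholders are evaluated here; sops-nix substitutes the real
    # values when it renders the template on the target machine.
    templates.rclone-nextcloud-config.content = lib.generators.toINI { } {
      nextcloud = {
        type = "webdav";
        url = config.sops.placeholder."rclone-nextcloud/url";
        vendor = "nextcloud";
        user = config.sops.placeholder."rclone-nextcloud/user";
        # rclone expects `pass` in the form produced by `rclone obscure`.
        # Obscuring is reversible and is not encryption: confidentiality of
        # the password comes from sops and the rendered file's permissions.
        # NOTE(review): confirm the stored secret is the obscured value.
        pass = config.sops.placeholder."rclone-nextcloud/password";
      };
    };
  };

  # The VFS write cache holds plaintext copies of files waiting for upload,
  # so the persisted cache directory is kept owner-only.
  environment.persistence."/data/persistent".directories = [
    {
      directory = "/var/cache/rclone";
      mode = "0700";
    }
  ];

  systemd.services.rclone-nextcloud = {
    enable = true;
    description = "NextCloud VFS (rclone)";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # rclone signals readiness to systemd once the mount is established.
      Type = "notify";
      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /media/nextcloud";
      ExecStart =
        let
          args = [
            "--config ${config.sops.templates.rclone-nextcloud-config.path}"
            "--cache-dir /var/cache/rclone/nextcloud"
            # "--dir-cache-time 5m" # This is the default
            # "--poll-interval 1m" # This is the default
            "--vfs-cache-mode writes"
            "--webdav-nextcloud-chunk-size 2Gi"
            # NOTE(review): --checksum and --track-renames look like sync/copy
            # options; confirm they have any effect on `rclone mount`.
            "--checksum"
            "--track-renames"
            # --allow-other lifts FUSE's "mounting user only" restriction, so
            # every local account can reach the mount point. On its own the
            # kernel then does not evaluate the mode bits below;
            # --default-permissions makes it enforce them, which is what
            # limits access to uid/gid 1000.
            "--allow-other"
            "--default-permissions"
            # NOTE(review): assumes the intended desktop user and group are
            # uid/gid 1000 on this host.
            "--uid 1000"
            "--gid 1000"
            "--dir-perms 0770"
            "--file-perms 0660"
            "--umask 007"
          ];
        in
        "${pkgs.rclone}/bin/rclone mount nextcloud:/ /media/nextcloud ${lib.strings.join " " args}";
      # fusermount3 accepts -z (lazy) only together with -u (unmount); with -z
      # alone it exits with an error and the mount is left in place.
      ExecStop = "${pkgs.fuse3}/bin/fusermount3 -uz /media/nextcloud";
      Restart = "on-failure";
    };

    # Restart the mount whenever the sops file backing any of the three
    # credentials changes, not only the password, so a rotated URL or user
    # name is picked up as well.
    restartTriggers = [
      config.sops.secrets."rclone-nextcloud/url".sopsFileHash
      config.sops.secrets."rclone-nextcloud/user".sopsFileHash
      config.sops.secrets."rclone-nextcloud/password".sopsFileHash
    ];
  };
}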